Welcome to the new Woodmann RCE Messageboards Regroupment
Please be patient while the rest of the site is restored.

To all Members of the old RCE Forums:
In order to log in, it will be necessary to reset your forum login password ("I forgot my password") using the original email address you registered with. You will be sent an email with a link to reset your password for that member account.

The old vBulletin forum was converted to phpBB format, requiring the passwords to be reset. If this is a problem for some because of a forgotten email address, please feel free to re-register with a new username. We are happy to welcome old and new members back to the forums! Thanks.

All new accounts are manually activated before you can post. Any questions can be PM'ed to Kayaker.

Malware samples: broken vs tool detection

This forum focuses on analyzing malware and any aspects of dealing with packer protections.

Malware samples: broken vs tool detection

Post by Theory5 »

How do you figure out the difference between a broken sample or a sample that is advanced enough to detect VMware or malware analysis tools?

I have this 16-bit sample (at least i think its 16-bit, but PE still says "this program cannot be run in DOS mode" I took it off of a system infected with the FBI moneypak malware. it was the only malicious program I could find.) and since I am new to debugging I haven't exactly cultivated a working knowledge of assembly. But it doesn't run. I've tried to run it in both a virtualbox guest OS and on a native OS (both win7), but it never appeared to do anything that I could find with sysinternals.

So how do I determine what this is and if it is an actual working sample or if it is broken? MSE detected it and I "allowed" it then simply copied the file from the path provided (the drive was wiped afterwards). I assumed it might be obfuscated but PEiD didn't seem to detect any of the common packing algorithms.

Any help would be great! Also, the sample is available upon request, I just didn't want to toss it up on the thread without someone looking for it.
User avatar
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

Hi, welcome to the board. You're welcome to attach the file if you wish and I'm sure someone will take a look at it. Just zip and password protect the attachment (i.e. password "malware" or something).