Behavioral task: behavioral1
Sample: 25dfef26bd479ca39236e5424a1c223d6c227f30ecd2ab1b608296ba2ea640c0.pdf
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 25dfef26bd479ca39236e5424a1c223d6c227f30ecd2ab1b608296ba2ea640c0.pdf
Resource: win10v2004-20240226-en
General
- Target: 25dfef26bd479ca39236e5424a1c223d6c227f30ecd2ab1b608296ba2ea640c0
- Size: 20.1MB
- MD5: dbac2feb78012c1f2903e1f1ee6e3cde
- SHA1: 90288c76a681ccfb504c33f9843e132d57154c3f
- SHA256: 25dfef26bd479ca39236e5424a1c223d6c227f30ecd2ab1b608296ba2ea640c0
- SHA512: 012263931fea427c466b3169aa74aa4438bc4340d998d576d2bbd1ae150a04ef19ca035973b5b52e73684310f28734ddbcb14882e523f6de2526c2ab7a8b831b
- SSDEEP: 393216:W2w6rA8Wi56KJ7rOAiYU9Zt0fWQIOfCaZTJm2O2KaPvgtI1:W2wb8WijnSYWofWkZTzCw
Malware Config
Signatures
Files
- 25dfef26bd479ca39236e5424a1c223d6c227f30ecd2ab1b608296ba2ea640c0.pdf