Windows VX
EVASION
Identifying Antivirus Software by enumerating Minifilter String Names
Author(s): smelly__vx
Code
The Ultimate Anti-Reversing Reference
Author(s): Peter Ferrie
Fake Entry Point Trick
Author(s): Rafael S Marques
Fake EP trick
Fake EP trick (Russian)
Fake EP
Fake EP (Portuguese/Spanish)
Masking Malicious Memory Artifacts series
Author(s): Forrest Orr
Part I: Phantom DLL Hollowing (Mirror)
Part II: Insights from Moneta
Part III: Bypassing Defensive Scanners
Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
Author(s): ModExpBlog/MDSEC
Hiding your .NET - COMPlus_ETWEnabled
Author(s): XPN
Original link: Hiding your .NET - COMPlus_ETWEnabled
(Mirror)
Implementing Syscalls In The CobaltStrike Artifact Kit
Author(s): Christopher R. Neelis
Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR
Author(s): Pat H/VX
Evasive Memory Indicators as Callstack Spoofing
Author(s): Christopher R. Neelis
Linux & *nix
Malware/Rootkit/EVASION
Mac OSX
Multi-OS Papers
Hasherezade's Deep Dive Malware Analyses Archive
2020
Ghost Ransomware – Full Analysis
Woodsrat – Inside laying additional IAT obfuscation
Payload level under the obfuscation of Woodsrat
The Demise of Emotet
VAR: decrypting Emotet
Paymer/ABRA Ransomware – Kept
Kingston Ransomware
Dystopia Ransomware – free tools cannot save us in using the deprecated algorithm
Rapid Stealer – inside a big .NET collection
Curvery – stealthy DDoS trojan
Baazar – inside a new tricky loader (BaazarCall)
CVE-2017-5487 exploited by TeamTNT
CVE-2020-9027 exploited by teamTNT
DiscordRAT – a stealer distributed on the cloud (discord)
Prometheus Ransomware – built on Thanos code
BUER – inside a new tricky loader
TrickBot version detection
Obfuscation 2.0: QakBot calls Stack Strings
Ursnif (Fake DLL)
Zeppo Ransomware
AvosLocker – inside a few Russian-speaking ransomware
Inside Covid Ransomware
From CodeGhoul to DwadeLeaks: a 220 USD crappy trojan
MassLogger Trojan
Babuk Ransomware – Inside A Full
MountLocker Ransomware – inside
Prometheus – decoding payload
Avaddon Ransomware – from in the inside out
REvil takes your data to auctions
Deception and DDoS Attacks: NotPetya and BadRabbit
Guloader – looking inside test samples
HawkEye Reborn
CryptOne: Stub Analysis
Snatch Ransomware
Clapzok: A new trickyboi
SolarMaker: Hiding Behind Custom Packing
Inside Brushly – stealthy banking Trojan
Agent Tesla – using telegram
When malware is building malware
2019
Jigsaw Ransomware Reloaded
Inside GandCrab 2 Version – Hidden
Divide and Infect: how the Ransomware Loader is
Nemty 2 Ransomware – what changed?
Nemty Ransomware – learning by analysing mistakes
Flawed Amnesia Ransomware
Vidar – The Stealthy Stealer
Frenchiest Phobos Ransomware
Inside MegaCortex Ransomware
BEGAN Ransomware – new member in the VegaLocker
Do Not Steal Ransomware – new GandCrab
Lazagne: Software vault and password recovery
Jigsaw Ransomware: updated and back
Sohos Ransomware – Not Around The Block
NetWalker Ransomware
PhoenixLocker: Dead and Succeeded
2018
VegaLocker Ransomware – inside out
EyeCry Ransomware – New Version of Scarab
Marsjoke Stellar Ransomware
MadLocker 2.0: The Evolution of Matrix
Dharma (Lincoln) Ransomware – Inside Analysis
Matrix Ransomware with a twist of Ekans
SunCrypt Ransomware
RegretLocker – Ransomware family spotted in the wild
SunnyLocker 3: Sketchy Ransomware
Radon Ransomware: exit scam
ATM Jackpot: Leto Ransomware Detailed
RobinHood Ransomware – New Version of RobbinHood
AVCrypt Ransomware – inside a C# Trojan
STOP (DJVU) Ransomware family – new variant is
GandCrab 5.5 Ransomware – analysis and Full Configuration
PhoenixLocker Ransomware
Eny Ransomware – analysis and Full Configuration
SpartaCrypt Ransomware – a new variant of PHOBOS
GandCrab v5.0 – analysis
Heroes In A Half Shell: A
GandCrab v4.4-6: new changes
Lokilocker Ransomware – digging deeper to find
GandCrab v4.3: new changes
Inside GandCrab v4.1 – decrypting the config
PHOBOS Ransomware – new variant of Crysis
Scarab Ransomware spreads via fake numbers
Scarab-Scrutiny Ransomware
ATM Jackpotting – Part Two
2017
Wannacry V2 – WinRar on steroids
BadRabbit Ransomware – Analysis
WannaCry
TrickBot Analysis – Part 1
Inside BrainCrypt Ransomware
Atomic Ransomware is back
HiddenTear Ransomware doesn't give shit about
Papia Stealer
JAFF Crypt – analyzing further the connection
XData Ransomware – data kidnapper inside
Inside Malware: CryptoBit
Petya disk wiper and instead of ransomware uses
PetrWrap Ransomware
JAFF Ransomware
MoleRats
2016
Atomic Ransomware: detailed analysis
CryptoMix in detail
DMA Locker V4: new version – detailed analysis
Fantastic Four Monster Pack: Dilma, Locky, Cerbere
Gozi: Evil Twin of Thanos
Rename.Tomy Ransomware: Detailed
Third time (un)lucky – improved Petya is out
Untangling Kovter's persistence methods
Satana ransomware – threat coming soon?
DMA Locker 4.0: Known ransomware preparing for a massive distribution
Petya and Mischa – Ransomware Duet (Part 2)
Petya and Mischa – Ransomware Duet (Part 1)
7ev3n ransomware turning 'HONE$T'
Rokku Ransomware shows possible link with Chimera
Petya – Taking Ransomware To The Low Level
Maktub Locker – Beautiful And Dangerous
Cerber ransomware: new, but mature
Look Into Locky Ransomware
LeChiffre, Ransomware Ran Manually
Ransom32 – look at the malicious package
2015
Inside Chimera Ransomware – the first 'doxingware' in wild
Malware Crypters – the Deceptive First Layer
No money, but Pony! From a mail to a trojan horse
A Technical Look At Dyreza
Unpacking Fraudulent "Fax": Dyreza Malware from Spam
Rainbows, Steganography and Malware in a new .NET cryptor
Who's Behind Your Proxy? Uncovering Bunitu's Secrets
Revisiting The Bunitu Trojan
Elusive HanJuan EK Drops New Tinba Version (updated)
Unusual Exploit Kit Targets Chinese Users (Part 2)