5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
|
larsborn
|
medium
|
|
Find and analyze the string decryption/deobfuscation function. Determine the cryptographic algorithm being used and the memory layout of the encrypted data and key material. Try to emulate it with your tooling of choice, Binary Refinery is a good recommendation.
|
1
|
|
0
|
07 Jan 2026
|
55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396
|
0xdeluks
|
easy
|
|
Deobfuscate the strings and identify the functionality of all commands.
|
2
|
|
3
|
05 Jan 2026
|
0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f
|
larsborn
|
medium
|
|
Circumvent unnecessary API calls by NOPing them out
|
1
|
|
0
|
05 Jan 2026
|
94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf
|
humpty_tony
|
medium
|
|
This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen.
Peel multi-stage Python loaders safely:
- Identify and undo container transforms (reverse bytes + zlib).
- Recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing.
- Deal with Python marshalled bytecode.
- Reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile.
So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders.
|
1
|
|
1
|
04 Jan 2026
|
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9
|
humpty_tony
|
medium
|
|
This post’s goal is to teach someone how to take a “real-world” supply-chain DLL dropper/loader and turn it into a set of actionable reversing primitives:
- Reconstruct the full execution chain from NPM install hook → rundll32 execution of a shipped DLL export → staged loader → staged stealer, and understand where “initial access” ends and “payload logic” begins.
- Deobfuscate a modern loader’s internals efficiently by focusing on the repeatable patterns that matter:
- PEB-walking + import hashing
- Encrypted static strings
- Hook checks + indirect syscalls
- Extract a protocol/crypto story from messy networking code, even if you don’t fully reverse the C2
|
1
|
|
0
|
04 Jan 2026
|
61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610
|
humpty_tony
|
medium
|
|
- Reconstructing the execution entrypoint of a DLL implant
- Dealing with weird socket usage
- Deriving crypto/obfuscation primitives from code
- Map "capabilities" to specific code paths and artifacts
- Recognize and analyze persistence
|
1
|
|
0
|
04 Jan 2026
|
4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783
|
malcat
|
medium
|
|
Extract the cobal strike configuration.
|
1
|
|
0
|
04 Jan 2026
|
291df8186e62df74b8fcf2c361c6913b9b73e3e864dde58eb63d5c3159a4c32d
|
malcat
|
medium
|
|
Use emulation and/or static analysis to get to the final malware and extract its configuration
|
1
|
|
1
|
04 Jan 2026
|
277089cb78a9c493cecd8f5fbe70df0577d4f9557fb8b55ff5f7c2505308ca3a
|
malcat
|
advanced
|
|
Extract the final Dridex downloader payload using static analysis.
|
1
|
|
0
|
04 Jan 2026
|
6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
|
malcat
|
medium
|
|
List all the download urls for the next stage using static analysis only. Bonus point if you do not use Excel.
|
1
|
|
0
|
04 Jan 2026
|
3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d
|
malcat
|
advanced
|
|
Extract the next stage payload with static analysis.
|
1
|
|
0
|
04 Jan 2026
|
13063a496da7e490f35ebb4f24a138db4551d48a1d82c0c876906a03b8e83e05
|
malcat
|
easy
|
|
Extract the next stage download url
|
1
|
|
0
|
04 Jan 2026
|
15180ee9f6a8682b24a0d5cb0491bb4e09d457bfab5a24ec1fcb077dab59773b
|
malcat
|
easy
|
|
Unpack the payload and identify the final malware family using static analysis.
|
1
|
|
0
|
04 Jan 2026
|
9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2
|
struppigel
|
easy
|
|
Figure out the download URL of this malware with static analysis
|
2
|
|
0
|
04 Jan 2026
|
cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10
|
struppigel
|
medium
|
|
Unpack the payload and extract the configuration.
This is a second stage file, you find the [first stage here](https://samplepedia.cc/sample/5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30/31/)
|
1
|
|
0
|
04 Jan 2026
|
5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30
|
struppigel
|
medium
|
|
Deobfuscate this loader such that you get the download URL.
|
2
|
|
0
|
04 Jan 2026
|
0ad4f87dfa9b814b78e9db2360a89ea7940fb5ad919637bbaacb1222fb44098d
|
struppigel
|
medium
|
|
Write an emulation-based unpacker for this crypter. Use the native 32-bit stub and RunPE shellcode. Ignore .NET.
|
1
|
|
0
|
31 Dec 2025
|