eee8a68511bd00ff98425cf9e9bd12873a5e742548fe7e2b72add7ff8dbabb24
|
struppigel
|
advanced
|
|
Unpack the payload and obtain the C2, bonus points for deobfuscating the AutoIt script
|
1
|
|
0
|
26 Dec 2025
|
ee69b74d0f0dd59fcd87304863626efb727ad6255bc29a7d48b7a441390dff1a
|
struppigel
|
medium
|
|
This is packed by CypherIt crypter. Unpack the malware.
Bonus: Extract the config of the payload.
|
1
|
|
0
|
11 Jan 2026
|
e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7
|
struppigel
|
medium
|
|
Decompile the main malware code and figure out where it downloads the next stage. If the download URL is not available anymore, the deaddrop URL will suffice.
This ZIP archive is downloaded by this [InnoSetup sample](https://samplepedia.cc/sample/7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d/54/). You may want to start analyzing there.
|
2
|
|
0
|
09 Jan 2026
|
dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659
|
struppigel
|
medium
|
|
Unpack the sample and obtain the config
|
3
|
|
0
|
04 Feb 2026
|
db5d284b9a9c02f76030ba89fd85c7c8f830f8fe4195cdc1f9cddf15f127125d
|
struppigel
|
medium
|
|
Deobfuscate the strings and markup the code of this rootkit. What exactly can it hide?
|
—
|
|
0
|
13 Jun 2026
|
cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10
|
struppigel
|
medium
|
|
Unpack the payload and extract the configuration.
This is a second stage file, you find the [first stage here](https://samplepedia.cc/sample/5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30/31/)
|
1
|
|
0
|
04 Jan 2026
|
c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e
|
struppigel
|
medium
|
|
This is Gnwwcgocwzl.wav. Decrypt this file based on the [previous stage's analysis](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Unpack the payload.
Afterwards continue with [payload analysis here](https://samplepedia.cc/sample/45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76/75/)
|
1
|
|
0
|
27 Jan 2026
|
b0e365c603013751085946ff0500f7d8c0e3c106d3b02c368c2f267279660a6d
|
struppigel
|
medium
|
|
Write a configuration extractor for this loader
|
1
|
|
0
|
28 Feb 2026
|
aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb
|
struppigel
|
easy
|
|
Markup the sample in Ghidra/IDA/Binary Ninja
|
—
|
|
0
|
26 Dec 2025
|
9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2
|
struppigel
|
easy
|
|
Figure out the download URL of this malware with static analysis
|
2
|
|
0
|
04 Jan 2026
|
95a636c2b3af0bc69cc05f7b32281ff17c58cbe637bec5f8918f7514a5f37e09
|
struppigel
|
easy
|
|
Check out the LNK in this archive. It downloads malware. How does it achieve that?
|
1
|
|
0
|
21 Feb 2026
|
94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf
|
humpty_tony
|
medium
|
|
This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen.
Peel multi-stage Python loaders safely:
- Identify and undo container transforms (reverse bytes + zlib).
- Recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing.
- Deal with Python marshalled bytecode.
- Reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile.
So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders.
|
1
|
|
1
|
04 Jan 2026
|
892834734712fe5bc7a6614be6972de1be2d74ad424ef47b2c701046e4912426
|
struppigel
|
medium
|
|
Write a code-based signature with Yara for this sample.
|
1
|
|
0
|
30 Dec 2025
|
7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d
|
struppigel
|
medium
|
|
Extract the InnoSetup script and decode the strings. Figure out the download URL statically.
Afterwards continue with [the next stage](https://samplepedia.cc/sample/e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7/55/)
|
1
|
|
0
|
09 Jan 2026
|
6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
|
malcat
|
medium
|
|
List all the download urls for the next stage using static analysis only. Bonus point if you do not use Excel.
|
1
|
|
0
|
04 Jan 2026
|
67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d
|
larsborn
|
medium
|
|
Find and reverse engineer the string deobfuscation function in the sample. Create a binary refinery pipeline to decrypt the strings. Bonus points if you manage to write a Ghidra script to decrypt them all.
|
1
|
|
0
|
13 Jan 2026
|
61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610
|
humpty_tony
|
medium
|
|
- Reconstructing the execution entrypoint of a DLL implant
- Dealing with weird socket usage
- Deriving crypto/obfuscation primitives from code
- Map "capabilities" to specific code paths and artifacts
- Recognize and analyze persistence
|
1
|
|
0
|
04 Jan 2026
|