55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396 | 0xdeluks | easy | Deobfuscate the strings and identify the functionality of all commands. | 3 | 3 | 05 Jan 2026
56f5623daa470bee190ae0ecd961be8e6df71c8da1ccf7b268fe876b84c183d9 | struppigel | easy | Where does this file load the next stage from? | 3 | 3 | 20 Jan 2026
29325e23a684f782db14a1bf0dc56c65228e666d1f561808413a735000de3515 | struppigel | easy | Where does this file load the next stage from? | 2 | 0 | 20 Jan 2026
dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659 | struppigel | medium | Unpack the sample and obtain the config. | 3 | 0 | 04 Feb 2026
13063a496da7e490f35ebb4f24a138db4551d48a1d82c0c876906a03b8e83e05 | malcat | easy | Extract the next stage download URL. | 2 | 0 | 04 Jan 2026
4029f9fcba1c53d86f2c59f07d5657930bd5ee64cca4c5929cbd3142484e815a | larsborn | medium | Identify and reverse engineer the API hashing function. Emulate it with an appropriate string list to confirm your findings. | 2 | 0 | 13 Jan 2026
0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f | larsborn | easy | Write a Ghidra script to defeat the code obfuscation in this sample. | 1 | 0 | 13 Jan 2026
4eb33ce768def8f7db79ef935aabf1c712f78974237e96889e1be3ced0d7e619 | larsborn | easy | Identify and reverse engineer the string deobfuscation function. Bonus points if you can write a Ghidra script to emulate it. | 1 | 0 | 13 Jan 2026
096607aa89ea6f17e5a815a67b94bc245ecbf18a87705e1dec2f1d85f8350e32 | struppigel | advanced | Unpack the virus body of Virut and find the file infection code. Figure out: (1) which file extensions it targets for infection and what other conditions must be true, e.g., values in the PE headers; (2) what the infect marker is. | 3 | 0 | 28 Dec 2025
09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74 | struppigel | advanced | PyInstxtractor does not work here. Extract and decrypt all the Python code, including the plain "PYZ" archive contents. | 1 | 0 | 01 Feb 2026
c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e | struppigel | medium | This is Gnwwcgocwzl.wav. Decrypt this file based on the [previous stage's analysis](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Unpack the payload. Afterwards continue with the [payload analysis here](https://samplepedia.cc/sample/45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76/75/). | 1 | 0 | 27 Jan 2026
1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6 | struppigel | easy | This file has an unusual archive format. Figure out how to extract it. Then debloat the sample and determine how [the next stage](https://samplepedia.cc/sample/c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e/80/) is decrypted or decoded. After that, continue analysis of [the next stage](https://samplepedia.cc/sample/c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e/80/). | 1 | 0 | 27 Jan 2026
45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76 | struppigel | medium | If you want to analyze the full infection chain, start with [the first stage here](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Your task is to extract the configuration. | 1 | 0 | 16 Jan 2026
e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7 | struppigel | medium | Decompile the main malware code and figure out where it downloads the next stage. If the download URL is not available anymore, the deaddrop URL will suffice. This ZIP archive is downloaded by this [InnoSetup sample](https://samplepedia.cc/sample/7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d/54/). You may want to start analyzing there. | 2 | 0 | 09 Jan 2026
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9 | humpty_tony | medium | This post's goal is to teach someone how to take a "real-world" supply-chain DLL dropper/loader and turn it into a set of actionable reversing primitives: (1) reconstruct the full execution chain from NPM install hook → rundll32 execution of a shipped DLL export → staged loader → staged stealer, and understand where "initial access" ends and "payload logic" begins; (2) deobfuscate a modern loader's internals efficiently by focusing on the repeatable patterns that matter: PEB-walking + import hashing, encrypted static strings, hook checks + indirect syscalls; (3) extract a protocol/crypto story from messy networking code, even if you don't fully reverse the C2. | 1 | 0 | 04 Jan 2026
9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2 | struppigel | easy | Figure out the download URL of this malware with static analysis. | 2 | 0 | 04 Jan 2026
5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30 | struppigel | medium | Deobfuscate this loader such that you get the download URL. | 2 | 0 | 04 Jan 2026