| Sample (SHA-256) | Author | Difficulty | Challenge | | | Date |
|---|---|---|---|---|---|---|
| 3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94 | struppigel | medium | Build a binary refinery pipeline or CyberChef recipe that extracts the download URL from the loader. | 1 | 0 | 29 Dec 2025 |
| 95a636c2b3af0bc69cc05f7b32281ff17c58cbe637bec5f8918f7514a5f37e09 | struppigel | easy | Check out the LNK in this archive. It downloads malware. How does it achieve that? | 1 | 0 | 21 Feb 2026 |
| 0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f | larsborn | medium | Circumvent unnecessary API calls by NOPing them out. | 1 | 0 | 05 Jan 2026 |
| 2299ff9c7e5995333691f3e68373ebbb036aa619acd61cbea6c5210490699bb6 | struppigel | medium | Create a C2 extractor using a Python script, binary refinery pipeline or CyberChef recipe. | 1 | 0 | 11 Jan 2026 |
| 1bc77b013c83b5b075c3d3c403da330178477843fc2d8326d90e495a61fbb01f | struppigel | advanced | Create a static C2 extractor that uses abstract syntax tree transformations with Babel. You can use astexplorer.net as a helper tool. | 1 | 0 | 13 Jan 2026 |
| e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7 | struppigel | medium | Decompile the main malware code and figure out where it downloads the next stage. If the download URL is not available anymore, the deaddrop URL will suffice. This ZIP archive is downloaded by this [InnoSetup sample](https://samplepedia.cc/sample/7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d/54/). You may want to start analyzing there. | 2 | 0 | 09 Jan 2026 |
| 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396 | 0xdeluks | easy | Deobfuscate the strings and identify the functionality of all commands. | 3 | 3 | 05 Jan 2026 |
| 5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30 | struppigel | medium | Deobfuscate this loader such that you get the download URL. | 2 | 0 | 04 Jan 2026 |
| 4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783 | malcat | medium | Extract the Cobalt Strike configuration. | 1 | 0 | 04 Jan 2026 |
| 277089cb78a9c493cecd8f5fbe70df0577d4f9557fb8b55ff5f7c2505308ca3a | malcat | advanced | Extract the final Dridex downloader payload using static analysis. | 1 | 0 | 04 Jan 2026 |
| 7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d | struppigel | medium | Extract the InnoSetup script and decode the strings. Figure out the download URL statically. Afterwards continue with [the next stage](https://samplepedia.cc/sample/e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7/55/). | 1 | 0 | 09 Jan 2026 |
| 49660527c1c910ad2d3c5625c1b44682e465e45b65883dfc8d7d229d1bd0ebd8 | struppigel | advanced | Extract the main.js, then decompile and deobfuscate it far enough that you can see the webhook. | 1 | 0 | 07 Mar 2026 |
| 13063a496da7e490f35ebb4f24a138db4551d48a1d82c0c876906a03b8e83e05 | malcat | easy | Extract the next-stage download URL. | 1 | 0 | 04 Jan 2026 |
| 3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d | malcat | advanced | Extract the next-stage payload with static analysis. | 1 | 0 | 04 Jan 2026 |
| 9887f1e95b4e11825941bd207400d1cc1580a7d438969f6c8d8c656551d339e2 | struppigel | easy | Figure out the download URL of this malware with static analysis. | 2 | 0 | 04 Jan 2026 |
| 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93 | larsborn | medium | Find and analyze the string decryption/deobfuscation function. Determine the cryptographic algorithm being used and the memory layout of the encrypted data and key material. Try to emulate it with your tooling of choice; Binary Refinery is a good recommendation. | 1 | 0 | 07 Jan 2026 |
| 67f8302a2fd28d15f62d6d20d748bfe350334e5353cbdef112bd1f8231b5599d | larsborn | medium | Find and reverse engineer the string deobfuscation function in the sample. Create a binary refinery pipeline to decrypt the strings. Bonus points if you manage to write a Ghidra script to decrypt them all. | 1 | 0 | 13 Jan 2026 |