| Sample | Author | Difficulty | Task | | | Date |
|---|---|---|---|---|---|---|
| 5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93 | larsborn | medium | Find and analyze the string decryption/deobfuscation function. Determine the cryptographic algorithm being used and the memory layout of the encrypted data and key material. Try to emulate it with your tooling of choice, Binary Refinery is a good recommendation. | 1 | 0 | 07 Jan 2026 |
| 0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f | larsborn | medium | Circumvent unnecessary API calls by NOPing them out | 1 | 0 | 05 Jan 2026 |
| 94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf | humpty_tony | medium | This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen. Peel multi-stage Python loaders safely: identify and undo container transforms (reverse bytes + zlib); recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing; deal with Python marshalled bytecode; reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile. So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders. | 1 | 1 | 04 Jan 2026 |
| 61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610 | humpty_tony | medium | Reconstructing the execution entrypoint of a DLL implant; dealing with weird socket usage; deriving crypto/obfuscation primitives from code; mapping "capabilities" to specific code paths and artifacts; recognizing and analyzing persistence. | 1 | 0 | 04 Jan 2026 |
| 4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783 | malcat | medium | Extract the Cobalt Strike configuration. | 1 | 0 | 04 Jan 2026 |
| 291df8186e62df74b8fcf2c361c6913b9b73e3e864dde58eb63d5c3159a4c32d | malcat | medium | Use emulation and/or static analysis to get to the final malware and extract its configuration | 1 | 1 | 04 Jan 2026 |
| 277089cb78a9c493cecd8f5fbe70df0577d4f9557fb8b55ff5f7c2505308ca3a | malcat | advanced | Extract the final Dridex downloader payload using static analysis. | 1 | 0 | 04 Jan 2026 |
| 6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02 | malcat | medium | List all the download URLs for the next stage using static analysis only. Bonus point if you do not use Excel. | 1 | 0 | 04 Jan 2026 |
| 3045902d7104e67ca88ca54360d9ef5bfe5bec8b575580bc28205ca67eeba96d | malcat | advanced | Extract the next stage payload with static analysis. | 1 | 0 | 04 Jan 2026 |
| 15180ee9f6a8682b24a0d5cb0491bb4e09d457bfab5a24ec1fcb077dab59773b | malcat | easy | Unpack the payload and identify the final malware family using static analysis. | 1 | 0 | 04 Jan 2026 |
| cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10 | struppigel | medium | Unpack the payload and extract the configuration. This is a second stage file, you find the [first stage here](https://samplepedia.cc/sample/5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30/31/) | 1 | 0 | 04 Jan 2026 |
| 0ad4f87dfa9b814b78e9db2360a89ea7940fb5ad919637bbaacb1222fb44098d | struppigel | medium | Write an emulation-based unpacker for this crypter. Use the native 32-bit stub and RunPE shellcode. Ignore .NET. | 1 | 0 | 31 Dec 2025 |
| 892834734712fe5bc7a6614be6972de1be2d74ad424ef47b2c701046e4912426 | struppigel | medium | Write a code-based signature with Yara for this sample. | 1 | 0 | 30 Dec 2025 |
| 3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94 | struppigel | medium | Build a Binary Refinery pipeline or CyberChef recipe that extracts the download URL from the loader. | 1 | 0 | 29 Dec 2025 |
| eee8a68511bd00ff98425cf9e9bd12873a5e742548fe7e2b72add7ff8dbabb24 | struppigel | advanced | Unpack the payload and obtain the C2, bonus points for deobfuscating the AutoIt script | 1 | 0 | 26 Dec 2025 |
| 20946142795ea4b9fafad9a279e5da0e2f491f567380d7f37570d451f3aa6b8f | struppigel | medium | This sample has multiple layers. Unpack the final one. Determine the malware family of the final payload. | 1 | 0 | 26 Dec 2025 |
| 5544e6c66cbf6503cddef2797acbff4fb81ededaef2334a596e6484cfaa0b8e8 | struppigel | medium | Unpack the payload. This can be done either with a debugger or using only static unpacking with Binary Refinery. Note: The payload is obfuscated with VMProtect, deobfuscating it is not part of the task. | 1 | 0 | 26 Dec 2025 |