7409250e8be3bdcdaa756faff2150b13677ae066e42cefa52844c87451f6f60d
|
struppigel
|
medium
|
|
Extract the InnoSetup script and decode the strings. Figure out the download URL statically.
Afterwards continue with [the next stage](https://samplepedia.cc/sample/e7cf02ad880e8ebb37134c5370189bd2620ce1bf60794aa8776db6ccc4d4f0f7/55/)
|
1
|
|
0
|
09 Jan 2026
|
5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
|
larsborn
|
medium
|
|
Find and analyze the string decryption/deobfuscation function. Determine the cryptographic algorithm being used and the memory layout of the encrypted data and key material. Try to emulate it with your tooling of choice, Binary Refinery is a good recommendation.
|
1
|
|
0
|
07 Jan 2026
|
0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f
|
larsborn
|
medium
|
|
Circumvent unnecessary API calls by NOPing them out
|
1
|
|
0
|
05 Jan 2026
|
94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf
|
humpty_tony
|
medium
|
|
This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen.
Peel multi-stage Python loaders safely:
- Identify and undo container transforms (reverse bytes + zlib).
- Recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing.
- Deal with Python marshalled bytecode.
- Reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile.
So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders.
|
1
|
|
1
|
04 Jan 2026
|
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9
|
humpty_tony
|
medium
|
|
This post’s goal is to teach someone how to take a “real-world” supply-chain DLL dropper/loader and turn it into a set of actionable reversing primitives:
- Reconstruct the full execution chain from NPM install hook → rundll32 execution of a shipped DLL export → staged loader → staged stealer, and understand where “initial access” ends and “payload logic” begins.
- Deobfuscate a modern loader’s internals efficiently by focusing on the repeatable patterns that matter:
- PEB-walking + import hashing
- Encrypted static strings
- Hook checks + indirect syscalls
- Extract a protocol/crypto story from messy networking code, even if you don’t fully reverse the C2
|
1
|
|
0
|
04 Jan 2026
|
61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610
|
humpty_tony
|
medium
|
|
- Reconstructing the execution entrypoint of a DLL implant
- Dealing with weird socket usage
- Deriving crypto/obfuscation primitives from code
- Map "capabilities" to specific code paths and artifacts
- Recognize and analyze persistence
|
1
|
|
0
|
04 Jan 2026
|
4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783
|
malcat
|
medium
|
|
Extract the cobal strike configuration.
|
1
|
|
0
|
04 Jan 2026
|
291df8186e62df74b8fcf2c361c6913b9b73e3e864dde58eb63d5c3159a4c32d
|
malcat
|
medium
|
|
Use emulation and/or static analysis to get to the final malware and extract its configuration
|
1
|
|
1
|
04 Jan 2026
|
6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
|
malcat
|
medium
|
|
List all the download urls for the next stage using static analysis only. Bonus point if you do not use Excel.
|
1
|
|
0
|
04 Jan 2026
|
cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10
|
struppigel
|
medium
|
|
Unpack the payload and extract the configuration.
This is a second stage file, you find the [first stage here](https://samplepedia.cc/sample/5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30/31/)
|
1
|
|
0
|
04 Jan 2026
|
5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30
|
struppigel
|
medium
|
|
Deobfuscate this loader such that you get the download URL.
|
2
|
|
0
|
04 Jan 2026
|
0ad4f87dfa9b814b78e9db2360a89ea7940fb5ad919637bbaacb1222fb44098d
|
struppigel
|
medium
|
|
Write an emulation-based unpacker for this crypter. Use the native 32-bit stub and RunPE shellcode. Ignore .NET.
|
1
|
|
0
|
31 Dec 2025
|
892834734712fe5bc7a6614be6972de1be2d74ad424ef47b2c701046e4912426
|
struppigel
|
medium
|
|
Write a code-based signature with Yara for this sample.
|
1
|
|
0
|
30 Dec 2025
|
3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94
|
struppigel
|
medium
|
|
Build a binary refinery pipeline or CyberChef recipe that extracts the download URL from the loader.
|
1
|
|
0
|
29 Dec 2025
|
20946142795ea4b9fafad9a279e5da0e2f491f567380d7f37570d451f3aa6b8f
|
struppigel
|
medium
|
|
This sample has multiple layers. Unpack the final one. Determine the malware family of the final payload.
|
1
|
|
0
|
26 Dec 2025
|
5544e6c66cbf6503cddef2797acbff4fb81ededaef2334a596e6484cfaa0b8e8
|
struppigel
|
medium
|
|
Unpack the payload. This can be done either with a debugger or using only static unpacking with binary refinery. Note: The payload is obfuscated with VMProtect, deobfuscating it is not part of the task.
|
1
|
|
0
|
26 Dec 2025
|
3c086e76942fb9fd3d1e4384e9c1228c227c00c78dc29fca512ed95ee919ee5e
|
struppigel
|
medium
|
|
This application consists of almost 3000 files. Find proof that the sample is malicious by finding the malicious code. A weird filename with homoglyphs is not enough, nor is behavioral analysis in a sandbox.
|
1
|
|
0
|
26 Dec 2025
|