Training Samples

Samples

SHA256 Author Difficulty Tags Goal Solutions Likes Comments Created
0b38ca277bbb042d43bd1f17c4e424e167020883526eb2527ba929b2f0990a8f larsborn medium Circumvent unnecessary API calls by NOPing them out 1 0 05 Jan 2026
94237eac80fd2a20880180cab19b94e8760f0d1f06715ff42a6f60aef84f4adf humpty_tony medium This post’s goal is to show how you reverse a “boring” stealer by treating the loader chain as the real specimen. Peel multi-stage Python loaders safely: - Identify and undo container transforms (reverse bytes + zlib). - Recognize when crypto code is “almost right” but relies on a modified library (the PyAES GCM mismatch), then swap in a compatible implementation to decrypt without executing. - Deal with Python marshalled bytecode. - Reduce obfuscation to primitives (base64 aliasing, rot13, marshal.loads, LZMA/XZ payloads, BlankOBF patterns), so you can turn “giant blob soup” into discrete stages you can write to disk, identify with file, and decompile. So the analysis goal is basically: build a repeatable methodology for unpacking + staging + version-correct decompilation of Python malware—because that workflow applies to tons of commodity stealers and loaders. 1 1 04 Jan 2026
5bed39728e404838ecd679df65048abcb443f8c7a9484702a2ded60104b8c4a9 humpty_tony medium This post’s goal is to teach someone how to take a “real-world” supply-chain DLL dropper/loader and turn it into a set of actionable reversing primitives: - Reconstruct the full execution chain from NPM install hook → rundll32 execution of a shipped DLL export → staged loader → staged stealer, and understand where “initial access” ends and “payload logic” begins. - Deobfuscate a modern loader’s internals efficiently by focusing on the repeatable patterns that matter: - PEB-walking + import hashing - Encrypted static strings - Hook checks + indirect syscalls - Extract a protocol/crypto story from messy networking code, even if you don’t fully reverse the C2 1 0 04 Jan 2026
61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610 humpty_tony medium - Reconstructing the execution entrypoint of a DLL implant - Dealing with weird socket usage - Deriving crypto/obfuscation primitives from code - Map "capabilities" to specific code paths and artifacts - Recognize and analyze persistence 1 0 04 Jan 2026
4109d17d439e425d24e9d11956adcc63ff8e24ccfffe21dd8c5431fe969d2783 malcat medium Extract the Cobalt Strike configuration. 1 0 04 Jan 2026
291df8186e62df74b8fcf2c361c6913b9b73e3e864dde58eb63d5c3159a4c32d malcat medium Use emulation and/or static analysis to get to the final malware and extract its configuration 1 1 04 Jan 2026
6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02 malcat medium List all the download URLs for the next stage using static analysis only. Bonus point if you do not use Excel. 1 0 04 Jan 2026
cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10 struppigel medium Unpack the payload and extract the configuration. This is a second stage file, you find the [first stage here](https://samplepedia.cc/sample/5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30/31/) 1 0 04 Jan 2026
5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30 struppigel medium Deobfuscate this loader such that you get the download URL. 2 0 04 Jan 2026
0ad4f87dfa9b814b78e9db2360a89ea7940fb5ad919637bbaacb1222fb44098d struppigel medium Write an emulation-based unpacker for this crypter. Use the native 32-bit stub and RunPE shellcode. Ignore .NET. 1 0 31 Dec 2025
892834734712fe5bc7a6614be6972de1be2d74ad424ef47b2c701046e4912426 struppigel medium Write a code-based signature with Yara for this sample. 1 0 30 Dec 2025
3d1a4b9e37868f54e7e7eb98aae0203e2c50b2977170e0006cd3cbcb071c6b94 struppigel medium Build a binary refinery pipeline or CyberChef recipe that extracts the download URL from the loader. 1 0 29 Dec 2025
20946142795ea4b9fafad9a279e5da0e2f491f567380d7f37570d451f3aa6b8f struppigel medium This sample has multiple layers. Unpack the final one. Determine the malware family of the final payload. 1 0 26 Dec 2025
5544e6c66cbf6503cddef2797acbff4fb81ededaef2334a596e6484cfaa0b8e8 struppigel medium Unpack the payload. This can be done either with a debugger or using only static unpacking with binary refinery. Note: The payload is obfuscated with VMProtect, deobfuscating it is not part of the task. 1 0 26 Dec 2025
3c086e76942fb9fd3d1e4384e9c1228c227c00c78dc29fca512ed95ee919ee5e struppigel medium This application consists of almost 3000 files. Find proof that the sample is malicious by finding the malicious code. A weird filename with homoglyphs is not enough, nor is behavioral analysis in a sandbox. 1 0 26 Dec 2025