| SHA-256 | Author | Difficulty | Task | | | Date |
|---|---|---|---|---|---|---|
| dca13fc006a3b55756ae0534bd0d37a1b53a219b5d7de236f20b0262f3662659 | struppigel | medium | Unpack the sample and obtain the config. | 1 | 0 | 04 Feb 2026 |
| 09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74 | struppigel | advanced | PyInstxtractor does not work here. Extract and decrypt all the Python code, including the plain "PYZ" archive contents. | 1 | 0 | 01 Feb 2026 |
| c2c466e178b39577912c9ce989cf8a975c574d5febe15ae11a91bbb985ca8d2e | struppigel | medium | This is Gnwwcgocwzl.wav. Decrypt this file based on the [previous stage's analysis](https://samplepedia.cc/sample/1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6/79/). Unpack the payload. Afterwards, continue with the [payload analysis here](https://samplepedia.cc/sample/45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76/75/). | — | 0 | 27 Jan 2026 |
| 361f20f5843a9d609d42fc17f164eb44ed4f86ae3062e66e978c2c93890f65fd | struppigel | medium | LICENSE.txt was run via `%ALLUSERSPROFILE%\Microsoft\AppUpdate\SystemInfo\UsbService86.exe LICENSE.txt`. UsbService86.exe has the signer **Python Software Foundation**. Decompile the code, then create a binary refinery pipeline to unpack the next layers. (CyberChef might be an alternative, but I did not check whether it has all the necessary algorithms.) | 1 | 1 | 23 Jan 2026 |
| ee69b74d0f0dd59fcd87304863626efb727ad6255bc29a7d48b7a441390dff1a | struppigel | medium | This is packed by the CypherIt crypter. Unpack the malware. Bonus: extract the config of the payload. | 1 | 0 | 11 Jan 2026 |
| cb21368467bdf0ca8a4cd458f54d684e10da2d43a9c7285e094d39bdc410fb10 | struppigel | medium | Unpack the payload and extract the configuration. This is a second-stage file; you find the [first stage here](https://samplepedia.cc/sample/5bc8b1a067ec4b487e88c2bb93728158633f4fdf22b111d5562cbb4ad3426d30/31/). | 1 | 0 | 04 Jan 2026 |
| 096607aa89ea6f17e5a815a67b94bc245ecbf18a87705e1dec2f1d85f8350e32 | struppigel | advanced | Unpack the virus body of Virut, find the file infection code and figure out: (1) which file extensions it targets for infection and what other conditions must be true, e.g., values in the PE headers; (2) what the infection marker is. | 3 | 0 | 28 Dec 2025 |
| eee8a68511bd00ff98425cf9e9bd12873a5e742548fe7e2b72add7ff8dbabb24 | struppigel | advanced | Unpack the payload and obtain the C2; bonus points for deobfuscating the AutoIt script. | 1 | 0 | 26 Dec 2025 |
| 5544e6c66cbf6503cddef2797acbff4fb81ededaef2334a596e6484cfaa0b8e8 | struppigel | medium | Unpack the payload. This can be done either with a debugger or using only static unpacking with binary refinery. Note: the payload is obfuscated with VMProtect; deobfuscating it is not part of the task. | 1 | 0 | 26 Dec 2025 |
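Added example for the PyInstaller task (sample 09474277051fc387a9b43f7f08a9bf4f6817c24768719b21f9f7163d9c5c8f74): this is not code from samplepedia.cc, PyInstaller or PyInstxtractor, and it says nothing about how that particular sample encrypts its code, which the task leaves to the analyst. When PyInstxtractor refuses a file, the fallback is to walk the onefile CArchive by hand: find the trailing cookie, read the table of contents, inflate the entries, then read the marshalled TOC of the plain PYZ. The archive below is constructed in memory with the standard library only; the module names `stage1`/`stage2`, the `config-here` string and the fake `MZ` bootloader stub are invented for the demonstration.

```python
import importlib.util
import marshal
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"          # CArchive cookie magic (PyInstaller >= 2.1)
COOKIE_FMT = "!8sIIii64s"                    # magic, package len, TOC offset, TOC len, pyver, pylib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)    # 88 bytes
ENTRY_FMT = "!iIIIBc"                        # entry len, data offset, compressed len, raw len, cflag, type
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)      # 18 bytes, followed by the NUL-padded entry name
PYZ_TYPES = {0: "module", 1: "package", 2: "data", 3: "namespace package"}


def build_pyz(modules):
    """Constructed PYZ: b'PYZ\\0', pyc magic, !i TOC offset, zlib'd marshalled code, marshalled TOC."""
    body, toc = bytearray(), {}
    for name, source in modules.items():
        data = zlib.compress(marshal.dumps(compile(source, name, "exec")))
        toc[name] = (0, 12 + len(body), len(data))          # (type 0 = module, offset, length)
        body += data
    return (b"PYZ\x00" + importlib.util.MAGIC_NUMBER
            + struct.pack("!i", 12 + len(body)) + bytes(body) + marshal.dumps(toc))


def build_archive(entries, stub=b"MZ" + b"\x90" * 62):
    """Constructed CArchive behind a fake bootloader; entries are (name, typecode, payload, compress)."""
    body, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        data = zlib.compress(payload) if compress else payload
        raw = name.encode() + b"\x00"
        raw += b"\x00" * (-(ENTRY_SIZE + len(raw)) % 16)    # pad each TOC entry to a 16-byte multiple
        toc += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(raw), len(body), len(data),
                           len(payload), int(compress), typecode) + raw
        body += data
    pkg_len = len(body) + len(toc) + COOKIE_SIZE             # archive start .. end of cookie
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, len(body), len(toc), 311, b"python311.dll")
    return stub + bytes(body) + bytes(toc) + cookie


def parse_archive(blob):
    """Find the trailing cookie and return archive start, Python version and TOC entries."""
    cookie_pos = blob.rfind(MAGIC)                           # the cookie closes the package
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_pos)
    start = cookie_pos + COOKIE_SIZE - pkg_len               # unaffected by bytes appended after the cookie
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries, pos, end = [], start + toc_off, start + toc_off + toc_len
    while pos < end:
        entry_len, off, clen, ulen, cflag, typecode = struct.unpack_from(ENTRY_FMT, blob, pos)
        name = blob[pos + ENTRY_SIZE:pos + entry_len].rstrip(b"\x00").decode(errors="replace")
        entries.append(dict(name=name, offset=off, clen=clen, ulen=ulen,
                            compressed=bool(cflag), typecode=typecode.decode()))
        pos += entry_len                                     # padding varies: trust entry_len, not 16
    return dict(start=start, python=f"{major}.{minor}",
                pylib=pylib.rstrip(b"\x00").decode(), entries=entries)


def extract_entry(blob, archive, entry):
    """Return one CArchive entry, inflated when its cflag is set and checked against ulen."""
    data = blob[archive["start"] + entry["offset"]:][:entry["clen"]]
    if entry["compressed"]:
        data = zlib.decompress(data)
        if len(data) != entry["ulen"]:
            raise ValueError(f"{entry['name']}: got {len(data)} bytes, TOC says {entry['ulen']}")
    # 's' entries (entry scripts, runtime hooks) are bare marshalled code; prepend a pyc
    # header (16 bytes since Python 3.7) before handing them to a decompiler.
    return bytes(data)


def pyz_modules(pyz):
    """Return {name: (kind, offset, length)} from a plain (unencrypted) PYZ."""
    if pyz[:4] != b"PYZ\x00":
        raise ValueError("not a PYZ archive")
    toc_off = struct.unpack("!i", pyz[8:12])[0]
    toc = marshal.loads(pyz[toc_off:])                      # dict in recent PyInstaller, list in old ones
    items = toc.items() if isinstance(toc, dict) else toc
    return {name: (PYZ_TYPES.get(typ, str(typ)), off, length) for name, (typ, off, length) in items}


def pyz_code(pyz, entry):
    """Inflate one PYZ entry. A --key encrypted PYZ (PyInstaller < 6) needs AES-CFB before zlib."""
    _, off, length = entry
    return zlib.decompress(pyz[off:off + length])           # marshal.loads() needs the matching Python


def demo():
    """Build the constructed sample, then recover the inner module's code object from it."""
    pyz = build_pyz({"stage2": "FLAG = 'config-here'\n"})   # constructed module, not a real sample
    blob = build_archive([
        ("pyi-disable-windowed-traceback", b"o", b"", False),
        ("stage1", b"s", marshal.dumps(compile("import stage2\n", "stage1", "exec")), True),
        ("PYZ-00.pyz", b"z", pyz, False),
    ])
    blob += b"\x00" * 16                                     # data after the cookie must not break parsing
    archive = parse_archive(blob)
    by_name = {e["name"]: e for e in archive["entries"]}
    inner = extract_entry(blob, archive, by_name["PYZ-00.pyz"])
    mods = pyz_modules(inner)
    code = marshal.loads(pyz_code(inner, mods["stage2"]))
    return archive, mods, code
```

Run `demo()` to see the three TOC entries, the PYZ module table and the recovered code object's constants. Against a real onefile binary, feed the whole executable to `parse_archive`; the cookie's package length anchors every offset, so an Authenticode signature or other overlay after the cookie does not matter. The `marshal.loads` call only succeeds under the interpreter version recorded in the cookie, which is why the version is decoded first.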