Comments on Regalado (In) Security: Dumping Polymorphic Malware in seconds!
Comment feed last updated 2023-04-10T03:25:30.651-07:00 (5 comments)

Comment by Danux, 2013-08-14T23:40:47.375-07:00

Related to Bolzano, I have not played with it yet, but VirtualProtect is not the only way to dump malware; actually, there are dozens of ways to do it. What I suggest is to set a breakpoint on VirtualAlloc and watch for the data dumped into those newly allocated areas until you see the binary loaded. But as I said, there are different ways to do this; it all depends on the way the malware was built. Good luck.

Comment by Anonymous, 2013-08-14T22:12:41.572-07:00

Hi, thanks for the tutorial. I am trying to decrypt another polymorphic malware, Bolzano. Following are its details from Offensive Computing.

MD5: 6eb5fdc7a80cb6b551b7aee3242ea9e4
SHA1: 8f9a97ef3388bc21367f245715d1e930c7dd81c0
SHA256: 0613e465dc0473c210c6e905ce938eaf6adcea800b116d0651f22c782ffb1cdb
OCID: 1663401483
Original Filename: Virus.Win32.Bolzano.3628

I put a breakpoint on VirtualProtect, but the virus code is not coming there. However, when I execute the virus code in OllyDbg my memory dump is getting changed. But I am not sure how to get the decrypted virus out of it and also its corresponding encrypted version.

Thanks

Comment by Danux, 2012-08-08T22:59:06.865-07:00

Finally, and thanks to Danny Quist, you can download the malware sample to reproduce the video at:

http://www.offensivecomputing.net/download.php?id=1827628134&auth=7e31c1a8c4daad781cf438c2ff4f7f85

Not sure if you need an account. I was prompted for a password when unzipping; it is "infected". Enjoy it and share new findings!

Comment by Danux, 2012-07-28T00:52:45.794-07:00

Sorry for the delayed response. Definitely I can share the malicious binary; I uploaded it to Offensive Computing but am not able to retrieve it, waiting for feedback from Danny Quist. If you have another site where I can upload the binary, please let me know so that you can replicate my video.

Comment by Anonymous, 2012-07-13T02:27:40.558-07:00

As someone already mentioned on Reddit, are there any chances that you will share the file itself? Thanks!
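Danux's suggestion in the first comment (break on VirtualAlloc and watch the newly allocated regions until the unpacked binary appears) leaves the analyst with a raw memory region dumped from the debugger. The following is an added example, not code from the blog post or from either commenter, of the step that usually comes next: scan such a region for MZ/PE headers, carve SizeOfImage bytes from each hit, and rewrite the section table so the carved image opens in a disassembler as if it were an on-disk file (the same raw-pointer fix-up OllyDump and Scylla perform). The region it scans is constructed in build_fake_region(); the field offsets it checks (e_lfanew at 0x3C, SizeOfImage/SizeOfHeaders at optional-header offset 56, 40-byte section headers) are from the PE specification, and the hit that gets flagged as truncated stands in for a dump taken before the unpacker finished writing.

```python
"""Carve PE images out of a raw memory region (for instance a VirtualAlloc'd
buffer dumped from the debugger once the unpacker has written into it) and
realign the section table so the carved image loads as an ordinary file.

Added example, not code from the blog post. The region scanned below is
constructed in build_fake_region(); it is not a real sample."""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
PE32, PE32PLUS = 0x10B, 0x20B
SECTION_HDR_SIZE = 40


def parse_pe_header(buf: bytes, off: int):
    """Sanity-check a candidate PE header at buf[off]. Returns a dict of the
    fields the carver needs (offsets relative to off) or None."""
    if buf[off:off + 2] != MZ or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew is normally small; a huge value is a false positive, not a header
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != PE_SIG:
        return None
    nsections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    if opt_size < 64 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32, PE32PLUS):
        return None
    # SizeOfImage / SizeOfHeaders sit at the same offset for PE32 and PE32+
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    if size_of_image == 0 or size_of_headers == 0 or size_of_headers > size_of_image:
        return None
    sect_off = opt + opt_size
    if nsections == 0 or nsections > 96 or sect_off + nsections * SECTION_HDR_SIZE > len(buf):
        return None
    return {"size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sect_off": sect_off - off, "nsections": nsections}


def unmap_sections(image: bytearray, sect_off: int, nsections: int):
    """An in-memory image is laid out by VirtualAddress, so point each section's
    raw-file fields at its virtual ones; disassemblers then load the dump as if
    it were an on-disk file. Returns (name, vsize, vaddr, rawsize, rawptr) tuples
    as rewritten."""
    out = []
    for i in range(nsections):
        s = sect_off + i * SECTION_HDR_SIZE
        name = image[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, s + 8)
        struct.pack_into("<II", image, s + 16, vsize, vaddr)  # SizeOfRawData, PointerToRawData
        out.append((name, vsize, vaddr, vsize, vaddr))
    return out


def carve_pe_images(region: bytes):
    """Walk the region for MZ/PE headers and carve SizeOfImage bytes from each.
    A truncated hit (region ends before SizeOfImage) is kept but flagged, since
    that usually means the dump was taken before the unpacker finished."""
    hits, pos = [], 0
    while (pos := region.find(MZ, pos)) >= 0:
        hdr = parse_pe_header(region, pos)
        if hdr is None:
            pos += 1
            continue
        end = pos + hdr["size_of_image"]
        image = bytearray(region[pos:end])
        sections = unmap_sections(image, hdr["sect_off"], hdr["nsections"])
        hits.append({"offset": pos, "size_of_image": hdr["size_of_image"],
                     "truncated": end > len(region), "image": bytes(image),
                     "sections": sections})
        pos = end  # do not re-scan inside the image just carved
    return hits


def build_fake_region() -> bytes:
    """Constructed stand-in for a dumped VirtualAlloc region: unpacker junk,
    then a minimal PE32 image laid out as it would be in memory."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 96, 16)                        # NumberOfRvaAndSizes
    # .text: VirtualSize 0x10 at RVA 0x1000, but the file pointers still say 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    image = bytearray(0x3000)
    hdr = bytes(dos) + PE_SIG + coff + bytes(opt) + sect
    image[:len(hdr)] = hdr
    image[0x1000:0x1010] = b"\xCC" * 0x10                      # section body at its RVA
    return b"\x90" * 0x100 + bytes(image) + b"\x00" * 0x50


if __name__ == "__main__":
    for hit in carve_pe_images(build_fake_region()):
        print(f"PE at region+0x{hit['offset']:x}, SizeOfImage=0x{hit['size_of_image']:x}, "
              f"truncated={hit['truncated']}, sections={hit['sections']}")
```

In practice the region handed to carve_pe_images() is whatever the debugger saved from the address VirtualAlloc returned; imports resolved in memory are not repaired by this step, so an IAT rebuild is still needed before the carved image runs, and, as the comment notes, the allocation API the unpacker actually uses varies from sample to sample.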