neonprimetime security , just trying to help
Thursday, February 16, 2023
Redline Malware Malware Analysis Feb 16 2023
Started with this redline malware sample https://www.joesandbox.com/analysis/808971/0/html Which the sandbox says dumps a bunch of child-...
CAB files FDICreate FDICopy
call ds:__imp__FDICreate (creates context for extracting Microsoft .CAB Cabinet files) ... push offset pszCabPath call ds:__imp__FDICopy Y...
FindResourceA 0xa
v0 = FindResourceA(0, "UPROMPT", (LPCSTR)0xA); or push 0xA ; lpType push edi ; lpName push 0 ; hModule call ds:__imp__Findresourc...
Wednesday, February 15, 2023
Packer Process Injection - CreateProcessInternalW CREATE_SUSPENDED
CreateProcessInternalW CreationFlags: CREATE_SUSPENDED 0x00000004 Malware creating a process in a suspended state typically from a packer an...
VirtualProtectEx PAGE_EXECUTE_READWRITE
VirtualProtectEx Protection: PAGE_EXECUTE_READWRITE (0x40). In malware, marking memory in a target process both writable and executable at the same time almost always means "injected code"
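As an added triage example (not code from this blog or from the samples in these posts), the script below parses a constructed sandbox-style API trace and flags the indicators the FindResourceA, CreateProcessInternalW and VirtualProtectEx posts describe: FindResource with lpType 0xA (RT_RCDATA, a raw data blob, which is where packers commonly keep the payload), CreateProcess* with CREATE_SUSPENDED (0x4), and VirtualProtectEx with PAGE_EXECUTE_READWRITE (0x40) followed by WriteProcessMemory and ResumeThread against the suspended child. The trace line format and the childPid/targetPid fields are assumptions made for this example; a real sandbox export needs its own parser.

```python
"""Triage a sandbox-style API trace for the packer / process-injection chain.

Constructed example: the TRACE lines below are made up to look like a
sandbox API log ("<pid> <api>(<key>=<value>, ...)"); they are not output
from any sample in the posts above. childPid/targetPid are assumed fields.
"""
import re

# FindResource lpType values passed as MAKEINTRESOURCE integers (winuser.h RT_*).
RT_NAMES = {1: "RT_CURSOR", 2: "RT_BITMAP", 3: "RT_ICON", 4: "RT_MENU",
            5: "RT_DIALOG", 6: "RT_STRING", 7: "RT_FONTDIR", 8: "RT_FONT",
            9: "RT_ACCELERATOR", 10: "RT_RCDATA", 11: "RT_MESSAGETABLE",
            12: "RT_GROUP_CURSOR", 14: "RT_GROUP_ICON", 16: "RT_VERSION",
            24: "RT_MANIFEST"}

CREATE_SUSPENDED = 0x00000004      # CreateProcess* dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40      # VirtualProtectEx flNewProtect value

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

# Constructed trace: a packer pulls a payload out of an RT_RCDATA resource,
# starts a suspended child, makes its image RWX, overwrites it and resumes it.
TRACE = [
    "1234 FindResourceA(hModule=0, lpName=UPROMPT, lpType=0xA)",
    "1234 LoadResource(hModule=0, hResInfo=0x4000a0)",
    "1234 CreateProcessInternalW(lpApplicationName=C:\\x.exe, dwCreationFlags=0x4, childPid=5678)",
    "1234 VirtualProtectEx(targetPid=5678, lpAddress=0x400000, flNewProtect=0x40)",
    "1234 WriteProcessMemory(targetPid=5678, lpBaseAddress=0x400000, nSize=0x2a000)",
    "1234 ResumeThread(targetPid=5678)",
]


def parse_line(line):
    """Split one trace line into pid, api name and a dict of key=value args."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in m.group("args").split(","):
        key, _, val = kv.strip().partition("=")
        args[key] = val.strip()
    return {"pid": int(m.group("pid")), "api": m.group("api"), "args": args}


def to_int(text):
    return int(text, 0)  # accepts "4", "0x4" and "0x40"


def rt_name(lptype):
    """Name an lpType: small integers are MAKEINTRESOURCE IDs, else a string type."""
    try:
        n = to_int(lptype)
    except ValueError:
        return lptype
    return RT_NAMES.get(n, f"RT_{n}")


def triage(lines):
    """Return (line index, message) findings for the injection-chain indicators."""
    findings = []
    suspended = {}  # child pid -> index of the CREATE_SUSPENDED call that made it
    for idx, line in enumerate(lines):
        ev = parse_line(line)
        if ev is None:
            continue
        api, a = ev["api"], ev["args"]
        target = int(a.get("targetPid", "0"))
        if api.startswith("FindResource") and rt_name(a.get("lpType", "")) == "RT_RCDATA":
            findings.append((idx, f"{api} lpType=RT_RCDATA lpName={a.get('lpName')}: "
                                  "raw blob in the resource section, likely packed payload"))
        elif api.startswith("CreateProcess"):
            if to_int(a.get("dwCreationFlags", "0")) & CREATE_SUSPENDED:
                child = int(a.get("childPid", "0"))
                suspended[child] = idx
                findings.append((idx, f"{api} CREATE_SUSPENDED: child pid {child} started suspended"))
        elif api == "VirtualProtectEx":
            if to_int(a.get("flNewProtect", "0")) == PAGE_EXECUTE_READWRITE:
                msg = f"VirtualProtectEx PAGE_EXECUTE_READWRITE on pid {target}"
                if target in suspended:
                    msg += " (suspended child: process injection chain)"
                findings.append((idx, msg))
        elif api in ("WriteProcessMemory", "ResumeThread") and target in suspended:
            findings.append((idx, f"{api} on suspended child pid {target}"))
    return findings


if __name__ == "__main__":
    for idx, msg in triage(TRACE):
        print(f"line {idx}: {msg}")
```

The chain is only reported as injection when the RWX protection lands on a process this same trace started suspended; a lone PAGE_EXECUTE_READWRITE call still gets its own finding, since the post's point is that RWX memory is worth a look on its own.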
Tuesday, February 14, 2023
IDA Pro - The graph is too big (more than 1000 nodes)
IDA Pro error The graph is too big (more than 1000 nodes) two options as to why the graph is "too big" 1) either it's obfusca...
Friday, December 30, 2022
Browser Hijacker HLoginAssistant.co LoginAssistantTab
https://app.any.run/tasks/ab008b3d-fe3b-44f2-bb5d-d6758f46d571 Browser Hijacker HLoginAssistant establishes persistence in startup hku\**...