Category Archives: Malware

Unpacking a malware with libPeConv (Pykspa case study)

Posted on January 29, 2018 by hasherezade

In one of the recent episodes of “Open Analysis Live!” Sergei demonstrated how to statically unpack the Pykspa Malware using a Python script. If you haven’t seen this video yet, I recommend you to watch, it is available here – … Continue reading

Posted in Malware, Programming, Tutorial | Tagged | Leave a comment

Process Doppelgänging – a new way to impersonate a process

Posted on December 18, 2017 by hasherezade

Recently at Black Hat Europe conference, Tal Liberman and Eugene Kogan form enSilo lab presented a new technique called Process Doppelgänging. The video from the talk is available here. (Also, it is worth mentioning that Tal Liberman is an author … Continue reading

Posted in Malware, Programming, Techniques | Tagged , | 8 Comments

Hijacking extensions handlers as a malware persistence method

Posted on May 25, 2017 by hasherezade

Recently I gave a presentation titled “Wicked malware persistence methods” (read more here). After releasing the slides I got questions about some of the demonstrated methods – especially about the details of extension handler hijacking – so, I decided to … Continue reading

Posted in Malware, Techniques, Tutorial | 4 Comments

Introducing PE_unmapper

Posted on December 2, 2016 by hasherezade

Recently I wrote a small tool, that can be used as a helper in malware analysis. Various malware types unpack their core modules in memory, load them and run. In order to unpack them fast, we can let the malware … Continue reading

Posted in Malware, Tools, Tutorial | Tagged , | 1 Comment

Princess Locker decryptor

Posted on November 17, 2016 by hasherezade

[UPDATE: 19th March 2018] – I keep getting e-mails from people asking me why my decryptor doesn’t work. Please understand, this is an obsolete tool, it was written in 2016 for the FIRST VERSION of  Princess Locker. The current version … Continue reading

Posted in Malware, Malware Decryptor | 12 Comments

How to turn a DLL into a standalone EXE

Posted on July 21, 2016 by hasherezade

During malware analysis we can often encounter payloads in form of DLLs. Analyzing them dynamically may not be very handy, because they need some external loaders to run. Different researchers have different tricks to deal with them. In this post … Continue reading

Posted in Malware, Techniques, Tutorial | 11 Comments

Unpacking NSIS-based Crypter – part 2

Posted on July 15, 2016 by hasherezade

After publishing my short tutorial about unpacking NSIS-based crypter I got one more sample from a reader who complained that my method doesn’t work – so I decided to take a look inside. Of course cybercriminals continuously work on improving … Continue reading

Posted in Malware, Tutorial | 2 Comments

Unpacking NSIS-based Crypter – step by step

Posted on July 3, 2016 by hasherezade

Nowadays we can encounter many malware samples packed by a crypter using installer scripts. We can distinguish them by a NSIS tag on Virus Total: Often, (but not always) they come with a standard NSIS icon: In this tutorial, I … Continue reading

Posted in Malware, Tutorial | 12 Comments

Decoders for 7ev3n ransomware

Posted on June 13, 2016 by hasherezade

7ev3n is yet another ransomware about which I wrote some time ago (for Malwarebytes – you can read more here). It uses custom cryptography and I managed to decrypt several variants.  In this thread you can find my decryptors (and … Continue reading

Posted in Malware, Malware Decryptor | Tagged , , | 21 Comments

Anti-Petya live CD (the fastest Stage1 key decoder)

Posted on April 20, 2016 by hasherezade

❗❗❗ATTENTION❗❗❗ Please use the  LATEST version of the decoder, available here: https://github.com/hasherezade/petya_key UPDATE: 17-th July a new version of Petya has been released. At the moment, there is no way to decrypt the disk. Don’t let the infection reach the … Continue reading

Posted in Malware, Malware Decryptor, Tools | 5 Comments