Thursday, May 14, 2009

first look - trying to analyze mebroot (torpig) - part 0.5

My submission to threatexpert.com for md5:0x53d03e99cfbfaa0df3695c27b2b5f364 (Sinowal/Mebroot and, I hope, Torpig related):
http://www.threatexpert.com/report.aspx?md5:0x53d03e99cfbfaa0df3695c27b2b5f364

How virustotal.com detects 0x53d03e99cfbfaa0df3695c27b2b5f364:
http://www.virustotal.com/analisis/65ccef31523490ed798110dab5bf884e

What's shown with ArmInline for 0x53d03e99cfbfaa0df3695c27b2b5f364 run under OllyDbg:

It seems packed, but not with UPX. It may have been packed with Armadillo or something similar. As shown, there are a lot of int 3 instructions (usually a marker of an anti-debugging technique).
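The int 3 observation above can be turned into a quick static triage step before the sample is ever loaded in a debugger. The following Python is an added example written for this post, not code from the original analysis or from any of the tools mentioned; it scores a byte buffer on two cheap indicators: Shannon entropy (packed or encrypted sections tend toward 8 bits per byte) and how the 0xCC bytes are distributed. Compilers such as MSVC legitimately emit 0xCC as alignment padding between functions, so long runs are normal; 0xCC bytes scattered through the instruction stream are the pattern worth a closer look. The thresholds are assumed starting points, and both input buffers are constructed for the example rather than taken from the real sample.

```python
"""
Added example (not from the original post): static triage heuristics for a
suspected-packed sample, in the spirit of the int 3 observation above.

Two cheap indicators, computed over a raw section or file image:
  * Shannon entropy - packed or encrypted code tends toward 8 bits/byte.
  * int 3 (0xCC) distribution - compilers emit 0xCC as padding runs between
    functions (MSVC does), so runs are normal; 0xCC bytes scattered through
    the instruction stream are the pattern worth a closer look, because an
    unexpected int 3 is a classic anti-debugging tripwire.
All inputs below are constructed; no real sample bytes are used.
"""
import math
from collections import Counter

INT3 = 0xCC  # x86 single-byte breakpoint opcode (int 3)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def int3_runs(data: bytes):
    """Yield the length of every maximal run of consecutive 0xCC bytes."""
    run = 0
    for b in data:
        if b == INT3:
            run += 1
        elif run:
            yield run
            run = 0
    if run:
        yield run


def classify_int3(data: bytes, min_padding_run: int = 4):
    """Split 0xCC bytes into (scattered, padding_like) counts.

    A run of at least `min_padding_run` bytes is treated as alignment padding;
    shorter runs and isolated bytes are counted as scattered."""
    scattered = padding = 0
    for length in int3_runs(data):
        if length >= min_padding_run:
            padding += length
        else:
            scattered += length
    return scattered, padding


def triage(data: bytes, entropy_threshold: float = 7.0,
           scattered_threshold: float = 0.01) -> dict:
    """Return the raw measurements plus a list of triggered flags.

    Thresholds are assumed starting points, not calibrated values."""
    scattered, padding = classify_int3(data)
    n = len(data) or 1
    result = {
        "entropy": round(shannon_entropy(data), 3),
        "int3_scattered": scattered,
        "int3_padding": padding,
        "flags": [],
    }
    if result["entropy"] >= entropy_threshold:
        result["flags"].append("high-entropy")
    if scattered / n >= scattered_threshold:
        result["flags"].append("scattered-int3")
    return result


# --- constructed samples -----------------------------------------------------
# "Benign": repeated function bodies (push ebp / mov ebp,esp / nops / ret)
# separated by 12-byte 0xCC alignment padding, as a compiler would lay them out.
_FUNC = b"\x55\x8b\xec" + b"\x90" * 20 + b"\xc3" + b"\xcc" * 12
BENIGN_CODE = _FUNC * 28

# "Suspicious": a uniform, high-entropy byte stream (a permutation of all 256
# values, repeated) with an int 3 dropped in at every 7th byte.
_blob = bytearray((i * 167 + 13) % 256 for i in range(1024))
for _i in range(0, len(_blob), 7):
    _blob[_i] = INT3
SUSPICIOUS_BLOB = bytes(_blob)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_CODE), ("suspicious", SUSPICIOUS_BLOB)):
        print(name, triage(sample))
```

Running the module prints one triage line per sample: the padded "benign" buffer reports low entropy, all of its 0xCC bytes as padding, and no flags, while the constructed blob reports entropy above 7 bits per byte and a scattered int 3 count that trips both flags. On a real file, feed `triage` the bytes of each section separately, since a packed payload usually lives in one section and averaging over the whole image hides it.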
