
Loader bot

Loaders nowadays are part of the malware landscape, and it is common to see sandbox results tagged with "loader". Specialized loader malware like Smoke or Hancitor/Chanitor face more and more competition from new alternatives like Godzilla loader, as well as stealers, miners and plenty of other kinds of malware that offer a loader feature as an option. For a few months now, another dedicated loader has been appearing from multiple sources under the name "Proton Bot"; on my side, the first results came from a v0.30 version. That one is easily caught and was already covered in earlier articles I have written. For this article, the overview will focus on the latest one, the v1.

Sold for $50 (with C&C panel) and developed in C++, it is cheaper than Smoke (usually seen at an average of $200/$300), which could explain why some actors/customers are making changes and trying new products to see if it is worth continuing with them. The developer behind it (glad0ff) is not on his first malware: he is also behind Acrux & Decrux. Something I am finally glad about in reversing this malware is that I am not in pain unpacking a VM-protected sample. By far this is the "only one" I have analyzed from this developer that is not using Themida, VMProtect or Enigma Protector, so finally seeing a clean PE is some kind of heaven.