When we publish diary entries covering malware, we almost always share the hash of the malware sample. I prefer posting the MD5 hash because it is short, together with a link to the VirusTotal entry for said malware sample. VirusTotal reports several hashes (MD5, SHA-1, SHA-256), so you can find your preferred hash there. And if you have a VT subscription, you can also download the sample itself. A new, free malware sharing service is available now: MalwareBazaar. I will make sure that every public malware sample that I blog about from now on will be available on MalwareBazaar. Like this sample, for example, that I extracted from a malicious document I wrote recent diaries about.

Didier Stevens (ISC Handler), Apr 25th 2020
Hello,
Trying to have a look at the samples, I failed to open the zip file with several Debian tools and with your zipdump.py as well. The error message was "bad password". Any hint? Thanks
Anonymous
Apr 29th 2020
I took a look, and the ZIP file you download from Malware Bazaar is encrypted with password "infected" (as mentioned on the download page), but they use modern AES encryption instead of the old ZipCrypto encryption.
So make sure you use a ZIP tool that supports AES encryption. Tomorrow I'll release a new version of zipdump.py that supports module pyzipper (pyzipper supports AES).
DidierStevens (ISC Handler)
Apr 29th 2020
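The distinction Didier draws above, legacy ZipCrypto versus WinZip AES (AE-x) inside the same .zip container, is visible in the entry headers before any password is tried: an AES entry uses compression method 99 and carries an extra field with ID 0x9901 that records the key strength and the real compression method, which is why a ZipCrypto-only tool reports something like "bad password" or "unsupported method". The script below is an added example, not Didier's code, not zipdump.py, and not anything published by Malware Bazaar. It builds a small two-entry archive in memory (sample content constructed here, not real malware), one entry encrypted with a minimal ZipCrypto implementation and one with the AE-2 header layout whose body is random filler rather than real ciphertext, classifies each entry from the headers with the standard library, and shows the standard-library zipfile module opening the ZipCrypto entry with password "infected" but failing on the AES one. The pyzipper_read helper assumes pyzipper is installed and is there to show the AES route; it is not run on the placeholder entry.

```python
import io
import os
import struct
import zipfile
import zlib

SAMPLE_PLAINTEXT = b"MZ\x90\x00 constructed sample, not real malware\n"  # constructed content
LOCAL, CENTRAL, EOCD = 0x04034B50, 0x02014B50, 0x06054B50  # ZIP record signatures


def _crc32_step(crc: int, b: int) -> int:
    """One CRC-32 table step on a raw (non-inverted) register, as ZipCrypto uses it."""
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Legacy PKWARE ZipCrypto keystream (APPNOTE 6.1); mirrors zipfile's own decrypter."""
    def __init__(self, password: bytes) -> None:
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k[0] = _crc32_step(self.k[0], c)
        self.k[1] = ((self.k[1] + (self.k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k[2] = _crc32_step(self.k[2], self.k[1] >> 24)

    def encrypt(self, plain: bytes) -> bytes:
        out = bytearray()
        for c in plain:
            t = self.k[2] | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # keys advance on the plaintext byte
        return bytes(out)


def zipcrypto_payload(plain: bytes, password: bytes, crc: int) -> bytes:
    """12 random header bytes whose last byte is CRC>>24 (the password check), then the data."""
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    return ZipCrypto(password).encrypt(header + plain)


def build_zip(entries) -> bytes:
    """Serialise (name, stored_bytes, method, flags, crc, file_size, extra) tuples into a ZIP."""
    body, central = bytearray(), bytearray()
    for name, data, method, flags, crc, usize, extra in entries:
        fname, offset = name.encode(), len(body)
        body += struct.pack("<IHHHHHIIIHH", LOCAL, 20, flags, method, 0, 0x21,
                            crc, len(data), usize, len(fname), len(extra))
        body += fname + extra + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL, 20, 20, flags, method, 0, 0x21,
                               crc, len(data), usize, len(fname), len(extra), 0, 0, 0, 0, offset)
        central += fname + extra
    eocd = struct.pack("<IHHHHIIH", EOCD, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def make_sample(password: bytes = b"infected") -> bytes:
    """Constructed archive: 'legacy.bin' under ZipCrypto, 'modern.bin' with WinZip AE-2 headers.
    The AES body has the AE-2 layout (16-byte salt, 2-byte verifier, data, 10-byte MAC) but is
    random filler, not real AES output: this script only ever reads its headers."""
    crc = zlib.crc32(SAMPLE_PLAINTEXT)
    legacy = ("legacy.bin", zipcrypto_payload(SAMPLE_PLAINTEXT, password, crc),
              0, 0x1, crc, len(SAMPLE_PLAINTEXT), b"")
    # extra field 0x9901: vendor version 2 (AE-2), vendor "AE", strength 3 = 256-bit, real method 0
    ae_extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 0)
    aes_body = os.urandom(16 + 2 + len(SAMPLE_PLAINTEXT) + 10)
    modern = ("modern.bin", aes_body, 99, 0x1, 0, len(SAMPLE_PLAINTEXT), ae_extra)  # AE-2: CRC is 0
    return build_zip([legacy, modern])


def inspect_zip(zip_bytes: bytes) -> list:
    """Classify each entry from its headers only: 'none', 'zipcrypto' or 'aes' (plus key size)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            scheme, bits, method = "none", None, zi.compress_type
            if zi.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                scheme = "zipcrypto"
                extra = zi.extra
                while len(extra) >= 4:  # walk the extra-field TLVs looking for AE-x
                    hid, ln = struct.unpack("<HH", extra[:4])
                    if hid == 0x9901 and method == 99 and ln >= 7:
                        _ver, _vendor, strength, method = struct.unpack("<H2sBH", extra[4:11])
                        scheme, bits = "aes", {1: 128, 2: 192, 3: 256}.get(strength)
                    extra = extra[4 + ln:]
            report.append({"name": zi.filename, "scheme": scheme, "aes_bits": bits, "method": method})
    return report


def stdlib_open(zip_bytes: bytes, name: str, password: bytes) -> tuple:
    """Try the standard library: ('ok', data) or ('error', exception class name)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return ("ok", zf.read(name, pwd=password))
    except Exception as exc:  # NotImplementedError for AES entries, RuntimeError for a bad password
        return ("error", type(exc).__name__)


def pyzipper_read(zip_bytes: bytes, name: str, password: bytes = b"infected") -> bytes:
    """The AES route: pyzipper (third-party, assumed installed). Not run on the placeholder entry."""
    import pyzipper
    with pyzipper.AESZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.setpassword(password)
        return zf.read(name)


if __name__ == "__main__":
    sample = make_sample()
    print(inspect_zip(sample))
    print(stdlib_open(sample, "legacy.bin", b"infected"), stdlib_open(sample, "modern.bin", b"infected"))
```

Run as a script it prints the two classifications and the two open attempts. For a real download, pass the archive bytes to inspect_zip to confirm the scheme, then use pyzipper_read(data, name) with b"infected"; on the command line, 7-Zip's `7z x -pinfected sample.zip` handles AES entries as well.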
Thanks,
the keyword "AES" led me to 7-Zip. Having a look at some xlsm files, there were 3 versions by the same author. The first 32 bytes of the files might reveal something, but I can't interpret it.
Anonymous
Apr 30th 2020