Malware Researchers

Unpacking and reversing Hancitor and analyzing its functionality in depth:
Both packed and unpacked payloads available on @virusbay_io

@thinkPoison @jckichen @QW5kcmV3 @JohnLaTwC @itm4n Seems like a good business opportunity for a criminal reseller with a VTi account.

"Prove detection to me before I pay."
... <downloads sample or asks for it on @virusbay_io>

After my previous tweet, I'm publishing my first blog post about "Automatically Mapping Binaries with Debug Prints using IDAPython"
A simple script that can come in useful when starting to map a large binary.

Another Qbot/Qakbot sample:
The sample is signed with a cert given to another totally legit company by @SectigoHQ...
This is boring now.
In 24h, this is the 3rd different signer I've seen used to sign Qakbot samples.
This is interesting...

Two very convincing IDN #phishing domains for google and apple resolve to the same IP address (

Both domains are using @Namecheap

cc: @malwrhunterteam @nullcookies @SteveD3 @JayTHL

One talks like this when only the money matters and nothing else, but obviously he does not want to say it, because that makes them look bad (to say the least)...
And you know, revoking the cert after the campaign is over is good for exactly 1 thing: nothing.
@SwitHak @DanielGallagher