| Field | Value |
|---|---|
| Email address | private |
| Website | malvuln.com |
| First Active | 2021-01-04 |
| Last Active | 2024-05-09 |
Backdoor.Win32.Winshell.5_0 malware suffers from a hardcoded credential vulnerability.
201d48fd8e208d4a8f0f5fe13f6ea04030c8b92edf569417c28e11967d421e3b
Trojan.Win32.Autoit.fhj malware suffers from an insecure permissions vulnerability.
0f6155ea2513333fd3502daa57841369a525497799193023cf1e190924b6beef
The BlueSky (Win32.Ransom.BlueSky) ransomware looks for and loads DLLs from its current working directory without verifying where they came from. A DLL planted under the expected name is therefore loaded into the ransomware process, where our own code runs and can control and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if it is not, the DLL obtains its own (that is, the malware's) process ID and terminates that process. All basic tests were conducted successfully in a virtual machine environment.
89d2bd5ff16cd696ea9036900183536f0e04110cc01f816bc6a135cd810e99bb
Backdoor.Win32.Guptachar.20 malware suffers from an insecure credential storage vulnerability.
e3369625a4e3f23a7d0dca07bf0660807db452941c0e93d8a5ede6f3641451dc
Backdoor.Win32.Bushtrommel.122 malware suffers from an unauthenticated remote command execution vulnerability.
cf89785b492c836d6c244e6fc3290bceee66fd68edf28a7400e7d2792d8b6e34
Backdoor.Win32.Bushtrommel.122 malware suffers from an authentication bypass vulnerability.
d7fc922486275581f2cf458522575af4443622981bf09a3aaadddd603ff38990
Backdoor.Win32.Jokerdoor malware suffers from a buffer overflow vulnerability.
b1a0f0eda16637855c7124025a9bba474d285060035c7ace064b81d352be6595
Backdoor.Win32.Destrukor.20 malware suffers from an unauthenticated remote command execution vulnerability.
b2929297a27431a955030b6a10960d07ffdcbdeb69b274c81b62bcbd3f78ab50
Backdoor.Win32.Destrukor.20 malware suffers from authentication bypass and code execution vulnerabilities.
094948131e62030329dfa1f6e0d5cc98ee61866dcecf381f4a6aa14f046758b4
Backdoor.Win32.Eclipse.h malware suffers from a hardcoded credential vulnerability.
cb80773c5ec99bb1c8f84021a4d97f89b467aa36feac244444c08a628a4e0d51
Builder XtremeRAT malware version 3.7 suffers from an insecure cryptography implementation vulnerability that allows an attacker to log in with only partial knowledge of a secret.
64afc70b38c5684f21216d5ed8e39c73acbe6348ff91c93e3ee63365a41f1707
Builder XtremeRAT malware version 3.7 suffers from an insecure permissions vulnerability.
ef90ca2ab92a13d6e33b94fee625bc1e804dce16d6f7434e1b00204cd73cf811
Backdoor.Win32.HoneyPot.a malware suffers from a weak hardcoded password vulnerability.
fdde865ffe948d481838603a00c0516a0d9f4a63ff58349bf3b6ddeb98e2b35b
Lockbit version 3.0 ransomware looks for and loads DLLs from its current directory. We can therefore hijack a DLL, in this case "RstrtMgr.dll", execute our own code inside the ransomware process, and terminate the malware pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if it is not, the DLL obtains its own process ID and terminates the process. All basic tests were conducted successfully in a virtual machine environment.
a8a36c8b61552ab9f3cad6eb0046a944604dace1c03fa5782e607d1933f5f017
Lockbit ransomware version 3.0 apparently now requires a password to execute, as noted by "@vxunderground", but does not bounds-check the values supplied to the -pass and -k arguments. Supplying a long string to either flag triggers a Unicode stack buffer overflow that overwrites the ECX register and the structured exception handler (SEH) record.
06a133f3bc4006162df18df2401be464873b516bcdfcc7cac2c75f2ef63c8d53
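The bug class behind the -pass / -k overflow above, as an added example that is not LockBit's code and not malvuln's proof of concept: an unbounded copy of a wide-character argument into a fixed stack buffer, next to a bounded version that rejects over-long values instead of writing past the buffer. The buffer size, the function names and the argv layout are assumptions chosen for illustration.

```c
/*
 * Added example, not LockBit's code: the argument-handling bug class the
 * advisory describes (an unbounded copy of a wide-character -pass/-k value
 * into a fixed stack buffer) next to a bounded version. PASS_MAX and the
 * function names are assumptions chosen for illustration.
 */
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define PASS_MAX 32   /* assumed fixed-size password buffer, in wide chars */

/*
 * Vulnerable pattern: no length check, so a value longer than PASS_MAX - 1
 * wide characters writes 2 bytes per character past the buffer, through the
 * saved registers and return address and on into the SEH registration record
 * further up the stack (the advisory reports ECX and the SEH handler being
 * overwritten). Shown for contrast only; nothing here calls it.
 */
void unsafe_copy_pass(const wchar_t *arg)
{
    wchar_t pass[PASS_MAX];
    wcscpy(pass, arg);            /* overflow when wcslen(arg) >= PASS_MAX */
    (void)pass;
}

/*
 * Bounded version: refuse the argument instead of truncating or overflowing.
 * Returns 1 and fills out on success, 0 if arg is missing or does not fit
 * into outlen wide characters including the terminating NUL.
 */
int copy_pass_bounded(const wchar_t *arg, wchar_t *out, size_t outlen)
{
    if (arg == NULL || out == NULL || outlen == 0)
        return 0;

    size_t n = 0;
    while (n < outlen && arg[n] != L'\0')   /* never scans past outlen */
        n++;
    if (n == outlen)
        return 0;                           /* too long: no room for NUL */

    memcpy(out, arg, (n + 1) * sizeof(wchar_t));
    return 1;
}

/*
 * Minimal argv walker for "-pass <value>" / "-k <value>" as the advisory
 * names them. Returns 1 if a flag was found and its value fit into out,
 * 0 if the flag is absent, has no value, or the value is too long.
 */
int parse_pass_flag(int argc, const wchar_t **argv, wchar_t *out, size_t outlen)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (wcscmp(argv[i], L"-pass") == 0 || wcscmp(argv[i], L"-k") == 0)
            return copy_pass_bounded(argv[i + 1], out, outlen);
    }
    return 0;
}
```

The point of the bounded version is the failure mode: a value that does not fit is rejected outright and the program refuses to run, which is what the ransomware's parser should have done with the over-long -pass string that instead reached the SEH chain.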
Backdoor.Win32.Coredoor.10.a malware suffers from an authentication bypass vulnerability.
055d74c98fd4886a4ab9e17cd07e71ac4ac4ad467f97fde9461333c1c7f00d4b
Backdoor.Win32.EvilGoat.b malware suffers from a hardcoded credential vulnerability.
19ef0671c05c0afcf2c8bf3c081a0188020bbea1b901243ff9829edcb89199ff
Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.
214a018ddc8a2c372d96a47976e8c26f81dd4d2ccb905c570b6443c8eca58854
Backdoor.Win32.InfecDoor.17.c malware suffers from an insecure permissions vulnerability.
3d83874665d92c5753ea0f979739fbb96e5a47c3ff77657f79b68a13a96e6218
Trojan-Mailfinder.Win32.VB.p malware suffers from an insecure permissions vulnerability.
eccb9f610544b46bcdf27fabac4f1f936099cd8c6b21232d4171889d289f6dd4
Backdoor.Win32.Shark.btu malware suffers from an insecure permissions vulnerability.
c655d4e022fcaf26fe0ab1bc5057626705455cfc787337ad8df95d9c1fca1f2f
Yashma Ransomware Builder version 1.2 malware suffers from an insecure permissions vulnerability.
2958cbdc74819764ad9679c607c3aa49b36ad14d86fb437d927a14ccf2c14229
Backdoor.Win32.Cabrotor.10.d malware suffers from an unauthenticated remote command execution vulnerability.
781c3249eb6aa36f7b01597bb27d91c8d79a40805368b694be3b50761acdfb32
Haron ransomware looks for and loads DLLs from its current directory, so a planted DLL can execute our own code inside the malware process and control and terminate it pre-encryption. The exploit DLL checks whether the current directory is "C:\Windows\System32"; if it is not, the DLL obtains its own process ID and terminates the process. No hash signatures or third-party products are needed, as the malware's own flaw does the work. Endpoint protection and/or antivirus can potentially be killed before the malware is executed, but there is nothing to kill here: the DLL simply lives on disk until the malware loads it. From a defensive perspective, the DLLs can be placed on a specific network share containing important data as one layer of a layered approach. All basic tests were conducted successfully in a virtual machine environment.
a7bd8f153e57e54fb1756517560dc5963dec37175fe2367abb498be3cb192cc2
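The hijack DLL described for BlueSky, LockBit 3.0 and Haron above, as an added example written for this page and not malvuln's published exploit DLL. Dropped beside the ransomware under the name it tries to load (the advisory names "RstrtMgr.dll" for LockBit 3.0), it is mapped into the malware process, notices it was not loaded from "C:\Windows\System32", and terminates its host by its own process ID before encryption starts. It assumes the target loads the DLL at runtime with LoadLibrary so that DllMain runs; the function names are mine. The directory check is portable C so it builds and tests anywhere; only DllMain and the termination call are Windows-specific.

```c
/*
 * Added example, not malvuln's exploit DLL: a stub DLL that implements the
 * hijack described in the advisories. Loaded into the ransomware process, it
 * checks whether its host's current directory is C:\Windows\System32 and, if
 * not, obtains its own PID and terminates the process. Function names are
 * this example's own; the hardcoded directory follows the advisory text.
 */
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Directory the genuine DLL is expected to live in (hardcoded, per the advisory). */
static const wchar_t SYSTEM32_DIR[] = L"C:\\Windows\\System32";

/*
 * Returns 1 when cwd names C:\Windows\System32, comparing case-insensitively
 * and tolerating one trailing backslash, otherwise 0. A NULL or empty cwd
 * (GetCurrentDirectoryW failed) counts as "not System32", so the stub fails
 * closed and still terminates the host.
 */
int cwd_is_system32(const wchar_t *cwd)
{
    if (cwd == NULL || cwd[0] == L'\0')
        return 0;

    size_t len = wcslen(cwd);
    if (len > 1 && cwd[len - 1] == L'\\')
        len--;                                /* "C:\Windows\System32\" also matches */

    if (len != wcslen(SYSTEM32_DIR))
        return 0;

    for (size_t i = 0; i < len; i++) {
        if (towlower((wint_t)cwd[i]) != towlower((wint_t)SYSTEM32_DIR[i]))
            return 0;
    }
    return 1;
}

/* Decision made at load time: 1 = terminate the host, 0 = leave it alone. */
int should_terminate_host(const wchar_t *cwd)
{
    return !cwd_is_system32(cwd);
}

#ifdef _WIN32
/* Kill the process we were just loaded into, via its own PID as the advisory describes. */
static void terminate_self(void)
{
    DWORD pid = GetCurrentProcessId();
    HANDLE h = OpenProcess(PROCESS_TERMINATE, FALSE, pid);
    if (h != NULL) {
        TerminateProcess(h, 0);
        CloseHandle(h);
    }
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst;
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        wchar_t cwd[MAX_PATH];
        DWORD n = GetCurrentDirectoryW(MAX_PATH, cwd);
        /* n == 0 means failure; n >= MAX_PATH means the buffer was too small. */
        if (should_terminate_host((n > 0 && n < MAX_PATH) ? cwd : NULL))
            terminate_self();
    }
    return TRUE;
}
#endif
```

Build it as a DLL matching the malware's architecture, for example `i686-w64-mingw32-gcc -shared -o RstrtMgr.dll stub.c` for a 32-bit sample, and rename it to whatever DLL the sample loads. Two caveats a practitioner should check before relying on this. First, "current directory" in these advisories is in practice the directory the ransomware is launched from: under the default Windows DLL search order the application's own directory is tried before System32, while the process's current working directory is only searched after System32, so a stub next to the binary wins but a stub placed only in an unrelated working directory would lose to the genuine "C:\Windows\System32\RstrtMgr.dll". Second, this relies on DllMain running, which it does for a LoadLibrary at runtime; for a DLL the sample imports statically, the loader resolves imports before any DllMain is called, so a stub missing the imported exports makes the process fail to start instead of giving the stub control.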
Trojan-Proxy.Win32.Symbab.o malware suffers from a heap corruption vulnerability.
d87eadfc59cb93da41ff57f425f1d203ea3db932253b3a8c23cde42e7b31c47c