

RTFScan - Finding malicious traces in RTF documents

The new version of the OfficeMalScanner suite introduces RTFScan. As you might know, there are several samples in the wild that use the RTF format as a container for OLE and PE files. So here is a very first version of RTFScan. It is currently able to scan for malicious traces such as shellcode, and to dump embedded OLE and PE files and other data containers. Buffer decryption is not supported in this release of RTFScan, because OMS and RTFScan will be extended with a cryptanalysis feature that breaks keys of up to 1024 bytes in seconds. The old brute-force feature in OMS will be dropped then.
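The core of what a scanner like RTFScan does for embedded objects is mechanical: find every `{\*\objdata ...}` group, turn its hex text back into bytes, strip the OLE1 wrapper that Word puts around an embedded object, and look for the signatures of the payloads that matter (an OLE2 compound file header, or an `MZ` stub with a real `PE\0\0` at `e_lfanew`). The following is an added example written for this page, not RTFScan's own code; the sample RTF, the class names and the truncated OLE2/PE payloads inside it are constructed here so that it runs offline.

```python
import binascii
import re
import struct

# Signatures of the payload types an RTFScan-style tool hunts for.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
PE_MAGIC = b"MZ"                                    # DOS stub that precedes a PE header

# The hex payload of every {\*\objdata ...} group (non-greedy: up to the closing brace).
OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)\}", re.DOTALL)


def decode_objdata(raw):
    """Turn the text of an \\objdata group into bytes.

    Samples pad the hex with newlines and interleave RTF control words to
    confuse parsers, so control words are dropped and only hex digits are kept.
    """
    raw = re.sub(rb"\\[a-zA-Z]+-?\d*\s?", b"", raw)
    hexchars = re.sub(rb"[^0-9a-fA-F]", b"", raw)
    return binascii.unhexlify(hexchars[: len(hexchars) & ~1])  # drop an odd trailing nibble


def _lpas(blob, off):
    """Read an OLE1 length-prefixed ANSI string at `off`; returns (string, next offset)."""
    (n,) = struct.unpack_from("<I", blob, off)
    return blob[off + 4: off + 4 + n], off + 4 + n


def parse_ole1(blob):
    """Parse the OLE1 wrapper of an embedded object; returns (class name, native data) or None."""
    try:
        version, fmt = struct.unpack_from("<II", blob, 0)
        if version != 0x00000501 or fmt != 2:        # 2 = embedded object
            return None
        cls, off = _lpas(blob, 8)
        _topic, off = _lpas(blob, off)
        _item, off = _lpas(blob, off)
        (size,) = struct.unpack_from("<I", blob, off)
    except struct.error:
        return None
    return cls.rstrip(b"\0").decode("latin-1"), blob[off + 4: off + 4 + size]


def is_pe(data, off):
    """True if the 'MZ' at `off` is followed by a real PE signature at e_lfanew."""
    if off + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    return data[off + e_lfanew: off + e_lfanew + 4] == b"PE\0\0"


def scan_rtf(rtf):
    """Return one record per embedded object: class name, payload size and signature hits."""
    results = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(m.group(1))
        parsed = parse_ole1(blob)
        cls, data = parsed if parsed else ("<no OLE1 header>", blob)
        findings = []
        for label, magic in (("OLE2", OLE2_MAGIC), ("PE", PE_MAGIC)):
            off = data.find(magic)
            while off != -1:
                if label != "PE" or is_pe(data, off):   # a bare 'MZ' is too common to trust
                    findings.append((label, off))
                off = data.find(magic, off + 1)
        results.append({"class": cls, "size": len(data), "findings": findings})
    return results


# --- constructed sample: an RTF carrying one OLE2 object and one PE, both as OLE1 streams ---
def _ole1_wrap(class_name, native):
    def lpas(s):
        return struct.pack("<I", len(s)) + s
    return (struct.pack("<II", 0x501, 2) + lpas(class_name + b"\0")
            + lpas(b"") + lpas(b"") + struct.pack("<I", len(native)) + native)


def _hex_lines(b):
    h = binascii.hexlify(b)
    return b"\n".join(h[i:i + 64] for i in range(0, len(h), 64))


_FAKE_OLE2 = OLE2_MAGIC + b"\0" * 24                   # header only; enough to be recognised
_FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20

SAMPLE_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata\n"
    + _hex_lines(_ole1_wrap(b"Word.Document.8", _FAKE_OLE2)) + b"}}\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + _hex_lines(_ole1_wrap(b"Package", _FAKE_PE)) + b"}}\n}"
)

if __name__ == "__main__":
    for rec in scan_rtf(SAMPLE_RTF):
        print(f"{rec['class']:20s} {rec['size']:6d} bytes  {rec['findings']}")
```

Dumping is then just writing each record's payload to disk. The OLE1 wrapper is parsed rather than skipped because its class name ("Package" in particular) is itself an indicator, and because the native data length tells you where the real object ends and trailing padding begins.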



Hello, yesterday I downloaded the latest version of ZeroWine, and I wanted to use it in VMware, so I followed this tutorial: Automated Malware Analysis with Zerowine

to convert the image to VMDK. I installed the new VMware machine and all went well, but when I wanted to start using ZeroWine and opened it in my browser, all I get is:

Error response

Error code 501.

Message: Unsupported method ('GET').

Error code explanation: 501 = Server does not support this operation.

Released Buster Sandbox Analyzer 1.56

Buster Sandbox Analyzer 1.56 has been released, and it has been some time since I last wrote about my tool here, so I decided to write some news about it.

In this time I have added many new features. I would like to highlight the following:

* BSA is able to perform several analyses at the same time.

* It has multi-language support. Right now there are translations into Russian and Portuguese.

* BSA is able to dump processes automatically.

* BSA can search for defined strings inside the analyzed file and dumped binaries.

Stealthy Profiling and Debugging of Malware

Here is a Windows driver I developed and presented at Blackhat this year. Enjoy.

Hades is a tool for dynamic application analysis on Microsoft Windows-based systems. It has function hooking capabilities similar to those of Microsoft Detours and WinAPIOverride (WAO), and it can also function as a debugger. It was developed to allow analysis of malware binaries that were able to detect Detours and WAO.

MeMMon - A Light Weight Process Memory Scanner


Vejovis is a project that was started to develop a user-mode memory scanning tool, "MeMMoN - A Process Memory Scanning Tool". It scans the memory of all processes on the system. It can be downloaded from the link below.


Releasing PDF X-RAY


For the past few months I have been doing research on PDF analysis and how it could be improved. While doing the research I found myself writing tools and scripts to help me get the job done, and decided it was time to put something more useful together. PDF X-RAY is a static analysis tool that allows you to analyze PDF files through a web interface or API. The tool uses multiple open source tools and custom code to take a PDF and turn it into a shareable format. The goal of this tool is to centralize PDF analysis and begin sharing comments on files that are seen.

PDF X-RAY differs from other tools because it doesn't focus on the single file. Instead it compares the file you upload against thousands of malicious PDF files in our repository. These checks look for data structures in the uploaded PDF that are similar to those in files already reviewed by analysts. Using this feature we can begin to see shared code among malicious samples, or trends due to the coding styles of malicious authors. The tool is still in beta, but I wanted to release it to the public to see what users think. In my opinion the API is the most useful part, as you can begin to integrate rich PDF analysis into other tools and services at little or no cost.

Released Buster Sandbox Analyzer 1.37


* Improved hiding feature
* Updated BSA.DAT
* Removed evaluation risk feature
* Fixed several bugs

Part of the improved hiding feature is the possibility of giving LOG_API.DLL whatever file name you prefer.

The risk evaluation was removed from the malware analysis report because it was too misleading. I will probably reintroduce the feature in the near future, but in another format.

FakeDNS server setup help...


Hi All,

I was wondering if anyone had a helpful setup guide for a FakeDNS server? I am trying to use one for callbacks and malware analysis, and I am kind of new to this field and do not have much experience with the command line in Linux environments. What I would like to do is set up two VMs that talk to each other while running simultaneously. This would allow me to see if the malware is calling out at all. I appreciate all of the assistance and thank all of you in advance.
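A fake DNS server for this two-VM setup does one thing: it answers every query it receives with the IP address of the analysis VM, and logs the name that was asked for, which is the callback domain you want to learn. The following responder is an added example written for this page, not code from the poster or from any FakeDNS project; it implements the minimal RFC 1035 message handling itself so it needs only the Python standard library, and `FAKE_IP` (an RFC 5737 documentation address) and the test domains are constructed for the example.

```python
import socket
import struct

# Constructed for this example: the address every query is answered with, i.e. the
# second VM that collects the callbacks (RFC 5737 documentation range).
FAKE_IP = "192.0.2.10"


def parse_name(packet, off):
    """Decode a DNS name starting at `off`; returns (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = packet[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | packet[off + 1]
            continue
        labels.append(packet[off + 1: off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off if end is None else end)


def build_response(query, ip=FAKE_IP, ttl=60):
    """Answer the first question of `query` with an A record pointing at `ip`.

    Returns (response bytes, queried name, qtype). Queries for other types get
    an empty NOERROR answer, so the client falls back to asking for an A record.
    """
    txid, _flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = parse_name(query, 12)
    qtype, _qclass = struct.unpack_from("!HH", query, off)
    question = query[12: off + 4]                     # echoed back verbatim
    answers = b""
    if qtype in (1, 255):                             # A or ANY
        # name = pointer to offset 12 (the question), type A, class IN, ttl, rdlength 4
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    # flags 0x8180: response, recursion desired + available, rcode NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answers else 0, 0, 0)
    return header + question + answers, name, qtype


def build_query(txid, name, qtype=1):
    """Construct a standard recursive query; used here to exercise the responder offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind="0.0.0.0", port=53, ip=FAKE_IP):
    """Answer every query with `ip` and log who asked for what: the callback domains."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            resp, name, qtype = build_response(data, ip)
        except (IndexError, ValueError, struct.error, UnicodeDecodeError):
            continue                                  # malformed packet, ignore it
        print(f"{peer[0]} type={qtype} {name} -> {ip}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Run it as root on the analysis VM (port 53 is privileged), set the malware VM's DNS server to that VM's address, and keep both VMs on a host-only network so nothing reaches the real Internet. Every line it prints is a domain the sample tried to resolve; because the answer always points back at the analysis VM, a listener there (netcat, or a fake HTTP server) will then see the actual callback.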

Released Buster Sandbox Analyzer 1.30

Buster Sandbox Analyzer 1.30 has been released.

This new release includes several new features that improve automatic malware analysis.

BSA is able to automate a very high percentage of installers. BSA clicks the "Next", "Install" or "Finish" buttons, so in most cases the analysis of malware that comes embedded inside an installer is possible in automatic mode.

BSA 1.30 also includes a feature that allows custom commands to be run after the automatic analysis has finished.

YARA 1.5 released

A new version of YARA has been released. This version provides some new features, including:

* Process memory scanning
* Support for ELF files
* Faster regular expressions by using RE2 instead of PCRE

For more information visit:
