Flags that I assigned during my analysis; write-up at https://r00tten.com/in-depth-analysis-rtf-file-drops-agent_tesla/
# radare2 script: naming the stack slots and code regions of the analysed blob.
# NOTE(review): the trailing "| |" on each line looks like a rendering artifact
# of the gist viewer, not part of the commands — strip it before feeding this to r2.
# Analyse the function that starts at 0xbe (the "@ 0xbe" temporary seek).
af @ 0xbe | |
# afvb <bp-offset> <name> <type> @ <fn>: label base-pointer-relative locals of the
# function at 0xbe. The names record which imported API the author found stored in
# each slot (sus.imp.* = resolved import, per the blog post linked in the description).
# NOTE(review): the API set named here (CreateProcessW, NtUnmapViewOfSection,
# VirtualAllocEx, WriteProcessMemory, Get/SetThreadContext, ResumeThread) is the one
# usually seen in process-hollowing loaders and is a useful detection/hunting anchor —
# confirm against the actual call order, which this script does not show.
afvb -52 sus.imp.VirtualProtectEx int32_t @ 0xbe | |
afvb -84 sus.imp.ResumeThread int32_t @ 0xbe | |
afvb -60 sus.imp.VirtualFree int32_t @ 0xbe | |
afvb -108 sus.imp.ReadProcessMemory int32_t @ 0xbe | |
afvb -112 sus.imp.SetThreadContext int32_t @ 0xbe | |
afvb -96 sus.imp.GetThreadContext int32_t @ 0xbe | |
afvb -88 sus.imp.TerminateProcess int32_t @ 0xbe | |
afvb -44 sus.imp.WriteProcessMemory int32_t @ 0xbe | |
afvb -104 sus.imp.VirtualAlloc int32_t @ 0xbe | |
afvb -64 sus.imp.VirtualAllocEx int32_t @ 0xbe | |
# -212 = -0xd4: unlabelled slot, keeps r2's auto-generated name.
afvb -212 var_d4h int32_t @ 0xbe | |
afvb -92 sus.imp.CreateProcessW int32_t @ 0xbe | |
# -216 = -0xd8: unlabelled slot, keeps r2's auto-generated name.
afvb -216 var_d8h int32_t @ 0xbe | |
afvb -80 sus.imp.NtUnmapViewOfSection int32_t @ 0xbe | |
afvb -24 sus.imp.RtlZeroMemory int32_t @ 0xbe | |
afvb -76 sus.imp.memcpy int32_t @ 0xbe | |
# Double-quoted commands are passed to r2 literally (no special-character parsing).
# Force 32-bit disassembly.
"e asm.bits = 32" | |
# f <name> <size> <addr>: flag the three code regions preceding the function at 0xbe.
# They tile the blob contiguously: strLen 0x00-0x18, hashCalc 0x19-0x56,
# hashCheck 0x57-0xbd, then the function at 0xbe.
# NOTE(review): the names suggest an API-hashing import resolver (length, hash,
# compare); addresses starting at 0 are consistent with a raw shellcode buffer
# loaded without a base address — verify in the write-up.
"f sus.hashCheck 103 0x00000057" | |
"f sus.strLen 25 0x00000000" | |
"f sus.hashCalc 62 0x00000019" |