
Content

In this Twitch live stream we unpack the in2al5dp3in4er loader, which uses CreateDXGIFactory to detect sandboxes by their lack of a graphics card, and triage its payload, Aurora Stealer.

Samples

66383d931f13bcdd07ca6aa50030968e44d8607cf19bdaf70ed4f9ac704ac4d1 

Notes

in2al5dp3in4er Loader: Invalid Printer using a CreateDXGIFactory graphics card check to detect sandboxes

Files

Live Stream VOD: in2al5dp3in4er Drops Aurora Stealer

Hosted on Vimeo by OALABS.

Comments

m4n0w4r

Thanks so much for the nice stream! I think the code for getting the final PE size is wrong. It must be:

    import pefile

    # `out` is the buffer holding the extracted PE
    tmp_pe = pefile.PE(data=out)
    pe_size = tmp_pe.sections[-1].PointerToRawData + tmp_pe.sections[-1].SizeOfRawData

Regards,

oalabs

Yes, it should be SizeOfRawData. I recall reading an article a long time ago mentioning that this is unreliable, but I can't seem to find it now, so maybe I imagined it haha.

Karsten Hahn

Yes, there are some special cases. E.g. if the SizeOfRawData is larger than the VirtualSize, the Windows loader will use the VirtualSize instead. pefile has an overlay offset; you can use that.
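Added example, not code from the stream or from any commenter above: a dependency-free Python carve that computes the embedded PE's on-disk size from the section table. It applies the correction from the thread (SizeOfRawData, not VirtualSize) and adds one check the thread does not mention: take the largest raw end offset over all sections rather than trusting sections[-1], because nothing requires the last entry in the section table to be the section stored last in the file. The buffer is assumed to start at the embedded PE's MZ header, as `out` does in the thread; the PE blob used as input is constructed inline for the demonstration and is not a real sample.

```python
"""Carve an embedded PE out of a byte buffer by computing its on-disk size
from the section table.  Pure Python (struct only), no pefile dependency.

Illustrative code added to this page; it is not the script from the stream.
Assumes the buffer starts at the embedded PE's MZ header, as `out` does in
the comment thread once the loader has decrypted its payload."""
import struct


def parse_sections(buf):
    """Return (SizeOfHeaders, [(PointerToRawData, SizeOfRawData), ...])
    for the PE32 or PE32+ image that begins at buf[0]."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, 12 bytes we skip
    # (TimeDateStamp, PointerToSymbolTable, NumberOfSymbols), SizeOfOptionalHeader
    num_sections, size_opt_hdr = struct.unpack_from("<H12xH", buf, file_hdr + 2)
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from("<H", buf, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # SizeOfHeaders sits at offset 60 of the optional header in both formats
    size_of_headers = struct.unpack_from("<I", buf, opt_hdr + 60)[0]
    sections = []
    sec = opt_hdr + size_opt_hdr
    for _ in range(num_sections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ... (40 bytes total)
        size_raw, ptr_raw = struct.unpack_from("<II", buf, sec + 16)
        sections.append((ptr_raw, size_raw))
        sec += 40
    return size_of_headers, sections


def pe_file_size(buf):
    """On-disk size of the PE at buf[0]: the largest raw end offset over *all*
    sections (and the headers).  The section table need not list sections in
    file order, so sections[-1] alone can under-count."""
    size_of_headers, sections = parse_sections(buf)
    end = max([size_of_headers] + [p + s for p, s in sections])
    return min(end, len(buf))                 # never claim bytes the buffer lacks


def pe_file_size_last_section(buf):
    """The sections[-1] approach from the thread, kept only for comparison."""
    _, sections = parse_sections(buf)
    ptr_raw, size_raw = sections[-1]
    return ptr_raw + size_raw


def carve(buf):
    """Return just the PE bytes; whatever follows is overlay or loader residue."""
    return buf[:pe_file_size(buf)]


def build_sample_blob():
    """Constructed test input (not a real sample): a tiny PE32 whose section
    table lists .text before .data although .data's raw bytes come first in
    the file, followed by bytes that do not belong to the PE."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)             # SizeOfImage, SizeOfHeaders

    def section(name, vsize, va, rawsize, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)

    secs = (section(b".text", 0x100, 0x1000, 0x200, 0x400, 0x60000020)    # raw at 0x400
            + section(b".data", 0x050, 0x2000, 0x200, 0x200, 0xC0000040))  # raw at 0x200
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs).ljust(0x200, b"\0")
    body = b"D" * 0x200 + b"T" * 0x200        # .data raw bytes, then .text raw bytes
    return headers + body + b"\0" * 48 + b"trailing loader bytes"


if __name__ == "__main__":
    blob = build_sample_blob()
    print("sections[-1] end      : 0x%x" % pe_file_size_last_section(blob))  # 0x400, too short
    print("max over all sections : 0x%x" % pe_file_size(blob))               # 0x600
    print("bytes after the PE    : %r" % blob[pe_file_size(blob):])
```

For carving a file out of a buffer only the raw extents matter (PointerToRawData + SizeOfRawData); VirtualSize governs how the image is mapped in memory, not how many bytes it occupies on disk, which is why the SizeOfRawData correction in the thread is the right one. The clamp to the buffer length covers a truncated dump. pefile's get_overlay_data_start_offset() performs the same kind of maximum over headers, sections and data directories (it deliberately skips the security directory, so an Authenticode signature counts as overlay), which is the "overlay offset" mentioned above.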