Binary Reverse Engineering BlogReverse Engineering Malware and Crackmes2024-12-27T00:00:00Zurn:uuid:b1054148-02c9-4c8a-8ad4-2ee2e765c0aeJohannes Baderhttps://bin.rehello@bin.reCopyright (c) 2024 Johannes Baderhttps://bin.re/assets/img/site/viql_logo.pnghttps://bin.re/assets/img/site/viql_icon.pngHugo 0.98.0The DGA of BumbleBee2023-09-15T00:00:00Z2023-09-15T00:00:00Zhttps://bin.re/2023/09/the-dga-of-bumblebee/This very short post shows the Domain Generation Algorithm of BumbleBee, a loader for Cobalt Strike or other malware.]]>Sinkholing the Domain Generation Algorithm of m0yv2023-03-31T00:00:00Z2023-03-31T00:00:00Zhttps://bin.re/2023/03/sinkholing-the-domain-generation-algorithm-of-m0yv/Video that shows the DGA of the fileinfector m0yv and results of sinkholing domains for over a year.]]>The Domain Generation Algorithm of Orchard v32022-07-24T00:00:00Z2022-07-24T00:00:00Zhttps://bin.re/2022/07/a-dga-seeded-by-the-bitcoin-genesis-block/The Orchard malware uses a domain generation algorithm (DGA) that is seeded both by the current date, and also by the current balance of the Bitcoin genesis block.]]>The Domain Generation Algorithms of SharkBot2022-06-04T00:00:00Z2022-06-04T00:00:00Zhttps://bin.re/2022/06/the-dgas-of-sharkbot/SharkBot uses a DGA for communication, which was changed several times during the development of SharkBot. This blogpost shows four versions of the DGA, and their differences.]]>Full Control over HTTP Requests Headers in Python2022-05-11T00:00:00Z2022-05-11T00:00:00Zhttps://bin.re/2022/05/how-to-gain-control-over-http-headers-in-python/In this blog post I’ll show how remove any header, set their order, define their capitalization and how to send duplicate headers.]]>Analysing TA551/Shathak Malspam With Binary Refinery2021-11-01T00:00:00Z2021-11-01T00:00:00Zhttps://bin.re/2021/11/analysing-ta551-malspam-with-binary-refinery/This blog post shows how the open source framework “binary refinery™” can extract the download URL of complicated TA551 malspam emails.]]>A BazarLoader DGA that Breaks Down in the Summer2021-08-09T00:00:00Z2021-08-09T00:00:00Zhttps://bin.re/2021/08/a-bazarloader-dga-that-breaks-during-summer-months/Domain generation algorithms are relatively straightforward to program and usually bug free. Not so the new DGA of BazarLoader, which goes haywire during the summer months.]]>Yet Another Bazar Loader DGA2021-01-23T00:00:00Z2021-01-23T00:00:00Zhttps://bin.re/2021/01/yet-another-bazarloader-dga/Bazar Loader decided to change its perfectly fine domain generation algorithm (DGA) once again. The change in the algorithm is very minor, but it yields more domain names.]]>Next Version of the Bazar Loader DGA2020-12-16T00:00:00Z2020-12-16T00:00:00Zhttps://bin.re/2020/12/next-version-of-the-bazarloader-dga/This blog post shows yet another domain generation algorithm of Bazar Loader. Although it still uses exclusively the .bazar top level domain and similar seeding, the algorithm itself is completely new.]]>The Defective Domain Generation Algorithm of BazarLoader2020-07-15T00:00:00Z2020-07-15T00:00:00Zhttps://bin.re/2020/07/the-buggy-dga-of-bazarbackdoor/This blog post is about the faulty domain generation algorithm found in some BazarLoader samples. The DGA not only uses an invalid tld, it also occasionally generates invalid characters for the second level domain.]]>
This very short post shows the Domain Generation Algorithm of BumbleBee, a loader for Cobalt Strike or other malware.]]>
Video that shows the DGA of the fileinfector m0yv and results of sinkholing domains for over a year.]]>
The Orchard malware uses a domain generation algorithm (DGA) that is seeded both by the current date, and also by the current balance of the Bitcoin genesis block.]]>
SharkBot uses a DGA for communication, which was changed several times during the development of SharkBot. This blogpost shows four versions of the DGA, and their differences.]]>
In this blog post I’ll show how remove any header, set their order, define their capitalization and how to send duplicate headers.]]>
This blog post shows how the open source framework “binary refinery™” can extract the download URL of complicated TA551 malspam emails.]]>
Domain generation algorithms are relatively straightforward to program and usually bug free. Not so the new DGA of BazarLoader, which goes haywire during the summer months.]]>
Bazar Loader decided to change its perfectly fine domain generation algorithm (DGA) once again. The change in the algorithm is very minor, but it yields more domain names.]]>
This blog post shows yet another domain generation algorithm of Bazar Loader. Although it still uses exclusively the .bazar top level domain and similar seeding, the algorithm itself is completely new.]]>
This blog post is about the faulty domain generation algorithm found in some BazarLoader samples. The DGA not only uses an invalid tld, it also occasionally generates invalid characters for the second level domain.]]>