A forum for reverse engineering, OS internals and malware analysis 

 #13155  by wealllbe20
 Fri May 11, 2012 1:55 pm
Keylogger according to TE with a very different type of dll injection.

I usually do high-level analysis on files.

This one I am unable to.

Very different type of dll injection.

Able to inject itself inside ANY ARK tool I run.

Upon removal I get a winlogon 21A bsod.

Upon replacement get a checksum mismatch bsod.

Not in registry, not performing any hooks that I see but I cannot unload the dll out of ARK tools.

Not like anything I have seen; it's a real nasty one.

http://www.threatexpert.com/report.aspx ... e6cc88cb86


Will include some screenshots of dll injecting inside RKU and KD and VBA32
Attachments
Password: infected
 #13156  by EP_X0FF
 Fri May 11, 2012 2:20 pm
More interesting to see a dropper. This is dll.