 #19068  by R136a1
 Wed Apr 24, 2013 4:21 pm
A few weeks ago, I started to reverse engineer a malicious x64 .dll (see the Parts section below, No. 2) to begin learning x64 (dis)assembly. From the analysis it became apparent that the .dll was part of a bigger malware package. After a while of searching on the Internet, I found some Droppers which contained files similar to the one I was analyzing. Luckily, some of the files in these Droppers contained .pdb debug strings. At the same time there were the "South Korean Cyber Attacks" on banks and broadcasting organizations (see: http://www.symantec.com/connect/blogs/s ... ber-attack and http://www.symantec.com/connect/blogs/a ... ks-related). As it turned out, the Droppers I found are from the same attackers as described in the Symantec article.
...
Blogpost: http://thegoldenmessenger.blogspot.de/2 ... lware.html

The samples can be found here (ZIP Password = "infected"):
Concealment Troy - https://www.dropbox.com/s/w1892v0hzjgti ... xer%29.zip
Http Dr0pper - https://www.dropbox.com/s/fzk9bkn6fk5kl ... r0pper.zip
Http Troy - https://www.dropbox.com/s/n6h6vgnoihy59 ... 20Troy.zip
PDF Exploit - https://www.dropbox.com/s/lvzj14261bbaj ... xploit.zip
TDrop - https://www.dropbox.com/s/wn5a1jruatpq3x5/TDrop.zip
Parts (of additional packages) - https://www.dropbox.com/s/mqp1bvhuacoakcq/Parts.zip
 #19886  by R136a1
 Sun Jun 30, 2013 6:04 pm
Attachment (378.09 KiB, downloaded 92 times), PW: infected