A forum for reverse engineering, OS internals and malware analysis 

 #6458  by EP_X0FF
 Sat May 21, 2011 11:48 am
lol
This application was obfuscated using a trial version of CodeFort.
It is strictly forbidden to publish this obfuscated application in any form.
See more at www.codefort.org
And then (when it spawns a second (deobfuscated) copy):
This assembly is protected by an unregistered version of Eziriz's ".NET Reactor"
And then it's XtremeRAT written in Delphi and packed by UPX.

hxxp://sites.google.com/site/nxtremerat/home/
C:\Users\Rafael\Desktop\Xtreme RAT Unicode\Servidor\Indy10\System\IdStreamVCL.pas
C:\Users\Rafael\Desktop\Xtreme RAT Unicode\Servidor\Indy10\System\IdGlobal.pas
C:\Users\Rafael\Desktop\Xtreme RAT Unicode\Servidor\Indy10\System\IdStack.pas
C:\Users\Rafael\Desktop\Xtreme RAT Unicode\Servidor\Indy10\Core\IdIOHandler.pas
 #6459  by markusg
 Sat May 21, 2011 12:05 pm
Found something similar yesterday, but this one was not working in my Sandboxie.