{
  "trx_id": "ca61258639058116143e2fb8ebc6bcd39d9dd702",
  "block": 106152529,
  "trx_in_block": 2,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2026-05-18T07:51:06",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "7108.112164 VESTS"
    }
  ]
}

{
  "trx_id": "ffdeacd1f5a33b2376440a0124721ca75ff27d43",
  "block": 106012624,
  "trx_in_block": 0,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2026-05-13T10:40:27",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "4395.901759 VESTS"
    }
  ]
}

{
  "trx_id": "ab495ba8ce55fb5b7b83d90e64f604224bc91e06",
  "block": 105519974,
  "trx_in_block": 1,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2026-04-26T07:00:54",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "7120.627920 VESTS"
    }
  ]
}

{
  "trx_id": "d8adc737197a52497c600cba606845f785234439",
  "block": 102876258,
  "trx_in_block": 1,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2026-01-24T04:13:03",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "4437.448578 VESTS"
    }
  ]
}

{
  "trx_id": "98f34b6763cef9f57ed0736a586934bfb6099a20",
  "block": 91322454,
  "trx_in_block": 0,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2024-12-17T23:21:45",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "4601.667775 VESTS"
    }
  ]
}

{
  "trx_id": "5c05e6067a76b363b12884d0e574181aa5f1a96a",
  "block": 79876541,
  "trx_in_block": 6,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2023-11-14T15:00:24",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "4770.801307 VESTS"
    }
  ]
}

{
  "trx_id": "75b755fbec93308e73c5739ce2c509c08ee4a95d",
  "block": 78365061,
  "trx_in_block": 7,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2023-09-22T12:13:42",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "7707.710093 VESTS"
    }
  ]
}

{
  "trx_id": "e952f45957b77d5bf78a227288a845cd0284f5cb",
  "block": 69122544,
  "trx_in_block": 2,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2022-11-03T19:28:30",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "7929.761531 VESTS"
    }
  ]
}

{
  "trx_id": "79dc07c6f1b3ee554fc3665388159ce0bee710b2",
  "block": 60825613,
  "trx_in_block": 26,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2022-01-18T00:31:24",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8149.869132 VESTS"
    }
  ]
}

{
  "trx_id": "8ee17efc3207bbab0629b83f42af925ff7dbce8e",
  "block": 54615854,
  "trx_in_block": 3,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2021-06-14T07:38:24",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8334.063420 VESTS"
    }
  ]
}

{
  "trx_id": "f31e49896fa442d590a8ef8db36e7065e912fe32",
  "block": 49363069,
  "trx_in_block": 3,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-12-11T17:49:12",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8521.485394 VESTS"
    }
  ]
}

{
  "trx_id": "118cca4921575fef0d6fe6c205d6123cb4d90ea2",
  "block": 49214581,
  "trx_in_block": 3,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-12-06T11:24:21",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "1912.543513 VESTS"
    }
  ]
}

{
  "trx_id": "8dd54934181cd22a4f514ac568c66f76ed6e2e11",
  "block": 49198153,
  "trx_in_block": 0,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-12-05T21:27:06",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8527.693248 VESTS"
    }
  ]
}

{
  "trx_id": "dcd20e926227feee89567cd1e9a4c08a492c98bd",
  "block": 48274112,
  "trx_in_block": 0,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-11-03T05:29:36",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "1920.017158 VESTS"
    }
  ]
}

{
  "trx_id": "47d4c9613952afbf88996e4e79671fa92f029227",
  "block": 43224935,
  "trx_in_block": 14,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-05-09T12:28:51",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8730.498607 VESTS"
    }
  ]
}

{
  "trx_id": "fa0a3c075a2b7a4f7e1952127077c9f10c6eb53a",
  "block": 43202216,
  "trx_in_block": 19,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-05-08T17:05:39",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "1953.311140 VESTS"
    }
  ]
}

{
  "trx_id": "dfc9db79ffbf47d8c991eaa06a7785df8410d11d",
  "block": 43068225,
  "trx_in_block": 1,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2020-05-03T22:40:48",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8733.505946 VESTS"
    }
  ]
}

{
  "trx_id": "53a7b5a69f886ebb8f3b45e775266dfdbf35123a",
  "block": 33682120,
  "trx_in_block": 5,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-06-10T16:44:27",
  "op": [
    "comment",
    {
      "parent_author": "utkonos",
      "parent_permlink": "alphablend-campaign-part-3",
      "author": "steemitboard",
      "permlink": "steemitboard-notify-utkonos-20190610t164426000z",
      "title": "",
      "body": "Congratulations @utkonos! You received a personal award!\n\n<table><tr><td>https://steemitimages.com/70x70/https://steemitboard.com/@utkonos/birthday2.png</td><td>Happy Birthday! - You are on the Steem blockchain for 2 years!</td></tr></table>\n\n<sub>_You can view [your badges on your Steem Board](https://steemitboard.com/@utkonos) and compare to others on the [Steem Ranking](https://steemitboard.com/ranking/index.php?name=utkonos)_</sub>\n\n\n###### [Vote for @Steemitboard as a witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1) to get one more award and increased upvotes!",
      "json_metadata": "{\"image\":[\"https://steemitboard.com/img/notify.png\"]}"
    }
  ]
}

{
  "trx_id": "791ec0b620faee45ef4a7df7bbd5a0501761a27c",
  "block": 33347639,
  "trx_in_block": 5,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-05-30T01:40:03",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "8928.891875 VESTS"
    }
  ]
}

{
  "trx_id": "6c3642b88efe0f591eb36463fa7b458d30f04261",
  "block": 30745860,
  "trx_in_block": 20,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T14:49:42",
  "op": [
    "vote",
    {
      "voter": "ciriaco",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "6930dfde2836d2ff2c21f9b9ceff432b3c3d7061",
  "block": 30732866,
  "trx_in_block": 9,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T03:59:15",
  "op": [
    "vote",
    {
      "voter": "malvero",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "597c4a7e0d3a89ef7be016fad4f5ab9c7e31801b",
  "block": 30732864,
  "trx_in_block": 1,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T03:59:09",
  "op": [
    "vote",
    {
      "voter": "malvero",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "9e8a365430d34bef561106c46c0e9d9cce3c2d1f",
  "block": 30732851,
  "trx_in_block": 7,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T03:58:30",
  "op": [
    "vote",
    {
      "voter": "malvero",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "d89e9184d1323dd38a6040f0810bd88a47eab361",
  "block": 30730117,
  "trx_in_block": 13,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T01:41:45",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "title": "AlphaBlend Campaign Part 3",
      "body": "@@ -3383,16 +3383,17 @@\n o and a \n+%5B\n formatti\n@@ -3401,16 +3401,80 @@\n g string\n+%5D(http://help.x64dbg.com/en/latest/introduction/Formatting.html)\n  for the\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png\",\"https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png\",\"https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png\",\"https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png\",\"https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png\",\"https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png\",\"https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png\",\"https://img.youtube.com/vi/5PwXNb5Bbbo/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode\",\"https://youtu.be/_rhQRwrH7yc?t=694\",\"https://x64dbg.com/#start\",\"http://help.x64dbg.com/en/latest/introduction/Formatting.html\",\"https://jupyter.org/\",\"https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop\",\"https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906\",\"https://en.wikipedia.org/wiki/Andy_C\",\"https://www.youtube.com/watch?v=5PwXNb5Bbbo\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "a7bf4c0f625abb7ab57af13b6e0fabad30a96ca6",
  "block": 30729525,
  "trx_in_block": 22,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T01:12:06",
  "op": [
    "vote",
    {
      "voter": "elowin",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "weight": 8000
    }
  ]
}

{
  "trx_id": "53c069e97accac4d546a51148f503eadd4bdfd9a",
  "block": 30729289,
  "trx_in_block": 52,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T01:00:18",
  "op": [
    "comment",
    {
      "parent_author": "utkonos",
      "parent_permlink": "alphablend-campaign-part-3",
      "author": "jehovahwitness",
      "permlink": "re-alphablend-campaign-part-3-20190228t010017",
      "title": "",
      "body": "Don't judge each day by the harvest you reap but by the seeds that you plant.",
      "json_metadata": ""
    }
  ]
}

{
  "trx_id": "4251b9cce59639b5c5c4f89250d7d0f5ade80519",
  "block": 30729283,
  "trx_in_block": 7,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T01:00:00",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "title": "AlphaBlend Campaign Part 3",
      "body": "@@ -2672,18 +2672,17 @@\n ysis. Th\n-is\n+e\n  AlphaBl\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png\",\"https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png\",\"https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png\",\"https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png\",\"https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png\",\"https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png\",\"https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png\",\"https://img.youtube.com/vi/5PwXNb5Bbbo/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode\",\"https://youtu.be/_rhQRwrH7yc?t=694\",\"https://x64dbg.com/#start\",\"https://jupyter.org/\",\"https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop\",\"https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906\",\"https://en.wikipedia.org/wiki/Andy_C\",\"https://www.youtube.com/watch?v=5PwXNb5Bbbo\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "b9ced9abfe4c98d644c3e303f359fa32fd011420",
  "block": 30729272,
  "trx_in_block": 52,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T00:59:27",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "title": "AlphaBlend Campaign Part 3",
      "body": "@@ -2621,18 +2621,16 @@\n keeps th\n-os\n e string\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png\",\"https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png\",\"https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png\",\"https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png\",\"https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png\",\"https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png\",\"https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png\",\"https://img.youtube.com/vi/5PwXNb5Bbbo/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode\",\"https://youtu.be/_rhQRwrH7yc?t=694\",\"https://x64dbg.com/#start\",\"https://jupyter.org/\",\"https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop\",\"https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906\",\"https://en.wikipedia.org/wiki/Andy_C\",\"https://www.youtube.com/watch?v=5PwXNb5Bbbo\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "c66da6293f6158271d5a36597d10cd255336f40f",
  "block": 30729258,
  "trx_in_block": 38,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T00:58:45",
  "op": [
    "vote",
    {
      "voter": "minibot",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "weight": 500
    }
  ]
}

{
  "trx_id": "586c5df09f137260feda847a4a2cb2b96fbe842c",
  "block": 30729254,
  "trx_in_block": 38,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T00:58:33",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "title": "AlphaBlend Campaign Part 3",
      "body": "@@ -1833,20 +1833,20 @@\n the two \n-part\n+step\n s of set\n@@ -1955,16 +1955,17 @@\n function\n+s\n , so I%E2%80%99m\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png\",\"https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png\",\"https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png\",\"https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png\",\"https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png\",\"https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png\",\"https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png\",\"https://img.youtube.com/vi/5PwXNb5Bbbo/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode\",\"https://youtu.be/_rhQRwrH7yc?t=694\",\"https://x64dbg.com/#start\",\"https://jupyter.org/\",\"https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop\",\"https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906\",\"https://en.wikipedia.org/wiki/Andy_C\",\"https://www.youtube.com/watch?v=5PwXNb5Bbbo\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "149d68a48759845a679f58876a050431ccfdf6f4",
  "block": 30729229,
  "trx_in_block": 5,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T00:57:18",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "title": "AlphaBlend Campaign Part 3",
      "body": "@@ -1579,16 +1579,24 @@\n API%0A%0AThe\n+ %60Actx %60\n  string \n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png\",\"https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png\",\"https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png\",\"https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png\",\"https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png\",\"https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png\",\"https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png\",\"https://img.youtube.com/vi/5PwXNb5Bbbo/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode\",\"https://youtu.be/_rhQRwrH7yc?t=694\",\"https://x64dbg.com/#start\",\"https://jupyter.org/\",\"https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop\",\"https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906\",\"https://en.wikipedia.org/wiki/Andy_C\",\"https://www.youtube.com/watch?v=5PwXNb5Bbbo\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "5171b3f92a6237e15df44befbd2a8432707c870e",
  "block": 30729119,
  "trx_in_block": 10,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T00:51:48",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-3",
      "title": "AlphaBlend Campaign Part 3",
      "body": "This continues the reversing journey of the malicious DLL, `msimg32.dll`, and the AlphaBlend campaign. Now that I covered how to circumvent the SEH-based anti-debugging capability, we will look more carefully at the behavior before the exception is raised. There are various functions that prepare resources for the malware as well as an interesting set of functions to resolve the dll names and API that the malware uses. I hope everyone is enjoying this series. Please reach out to me with any questions.\n\nThis first function shown in red below can perform a few checks for the malware’s environment.\n\n![outer_graph.png](https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png)\n\nIn the next graph screenshot, one can see that the function checks for time, IDs, and tick count. This is not executed the first time the function is called, but it has this capability.\n\n![check_env.png](https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png)\n\nOnce this environment check is run, the SEH is then set. With that set, the malware performs a few steps of setup. This is a basic outline of these steps, including ones previously mentioned:\n\n1. Check environment\n2. Set SEH\n3. Set thread variable\n   1. Set Actx thread variable via InterlockedExchange\n   2. Malloc something\n   3. Call InterlockedExchange\n1. Dosomething\n   1. CreateCompatibleDC\n   2. Dosomething\n      1. Set background mix for device context: transparent\n      2. Resolve DLLs\n         1. ntdll.dll\n         2. kernel32.dll\n      1. Resolve API\n\nThe string that I observed in previous reports is used as a thread variable. It is set as such using [InterlockedExchange](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange). Between the two parts of setting the thread variable, memory is allocated. Unfortunately, I don’t have good names yet for certain function, so I’m using `Dosomething` as a placeholder. The step [CreateCompatibleDC](https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc) creates memory device context compatible with the current screen. Then it sets the [background mix](https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode) for the new device context to transparent.\n\nThe next set of steps that it takes are quite interesting. I’m a subscriber to the excellent [OALabs](https://youtu.be/_rhQRwrH7yc?t=694) YouTube channel, and if you follow that link, you will see a video about how malware resolves its API from stack strings. This keeps those strings from appearing during static analysis. This AlphaBlend sample does not take exactly this way to resolve the API, but it is very similar in aim. The next image shows the malware’s process. This also shows how the malware uses the string `K/\\f` that I covered in a previous blog post. This string is used as a counter compared to `L’S’` until it matches and the function returns.\n\n![resolve_api.png](https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png)\n\nThe number of function names that the malware resolves is quite high. Therefore, I used the trace functionality in [x64dbg](https://x64dbg.com/#start) to log the contents of `esi` across the `resolve_api` function. All that’s needed is a path to log to and a formatting string for the log entries. I used something simple: `esi: {esi} {s:esi}\\n`. This provides the name of the register, the address, and the string. This part of the process starts with setting a breakpoint on the `resolve_api` function call.\n\n![set_breakpoint.png](https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png)\n\nNext, step into the function and start the trace log using the formatting string.\n\n![set_trace.png](https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png)\n\nNow rather than stepping through the function and wasting tons of time, I can run until return and collect all those juicy API strings. This is a great time to highlight an invaluable tool: [Jupyter](https://jupyter.org/). This is a notebook programming tool that is primarily for Python, but supports many third party kernels for various other languages. Notebook programming is somewhere between the two traditional ways that Python code is run: [read–eval–print](https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop) loop (REPL) and monolithic script. It allows you to run code blocks, or cells, in any order you need. It comes in two flavors: notebook and lab. I use lab even though it has not been released stable. It’s plenty [stable](https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906) for my needs.\n\n![log_processing.png](https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png)\n\nWith this technique, the list of function names in the API that the malware wanted to hide are easily recovered. In the appendix below, both the Jupyter notebook for log processing as well as the list of function names is provided (add your own path!).\n\nIn another pathway of analysis, I have been examining the results from retrohunts on various code blocks in the DLL. I’ve discovered that the section with the AlphaBlend exports is located in a section of code that is variable across samples. The following shows the difference between the sample in the AlphaBlend campaign and other samples that are clearly in the same malware family, but in other campaigns.\n\n![campaigns_side_by_side.png](https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png)\n\nThe part of the code that does not vary appears to be a stub that the adversary uses with different code based on campaign.\n\nThis concludes this episode of the AlphaBlend reversing saga. I hope everyone is finding this all valuable. Stay tuned for the next post!\n\n**Appendix**\n\n```\n['AcquireSRWLockExclusive',\n 'AcquireSRWLockShared',\n 'ActivateActCtx',\n 'AddAtomA',\n 'AddAtomW',\n 'AddConsoleAliasA',\n 'AddConsoleAliasW',\n 'AddIntegrityLabelToBoundaryDescriptor',\n 'AddLocalAlternateComputerNameA',\n 'AddLocalAlternateComputerNameW',\n 'AddRefActCtx',\n 'AddSIDToBoundaryDescriptor',\n 'AddSecureMemoryCacheCallback',\n 'AddVectoredContinueHandler',\n 'AddVectoredExceptionHandler',\n 'AdjustCalendarDate',\n 'AllocConsole',\n 'AllocateUserPhysicalPages',\n 'AllocateUserPhysicalPagesNuma',\n 'ApplicationRecoveryFinished',\n 'ApplicationRecoveryInProgress',\n 'AreFileApisANSI',\n 'AssignProcessToJobObject',\n 'AttachConsole',\n 'BackupRead',\n 'BackupSeek',\n 'BackupWrite',\n 'BaseCheckAppcompatCache',\n 'BaseCheckAppcompatCacheEx',\n 'BaseCheckRunApp',\n 'BaseCleanupAppcompatCacheSupport',\n 'BaseDllReadWriteIniFile',\n 'BaseDumpAppcompatCache',\n 'BaseFlushAppcompatCache',\n 'BaseFormatObjectAttributes',\n 'BaseFormatTimeOut',\n 'BaseGenerateAppCompatData',\n 'BaseGetNamedObjectDirectory',\n 'BaseInitAppcompatCacheSupport',\n 'BaseIsAppcompatInfrastructureDisabled',\n 'BaseQueryModuleData',\n 'BaseSetLastNTError',\n 'BaseThreadInitThunk',\n 'BaseUpdateAppcompatCache',\n 'BaseVerifyUnicodeString',\n 'Basep8BitStringToDynamicUnicodeString',\n 'BasepAllocateActivationContextActivationBlock',\n 'BasepAnsiStringToDynamicUnicodeString',\n 'BasepCheckAppCompat',\n 'BasepCheckBadapp',\n 'BasepCheckWinSaferRestrictions',\n 'BasepFreeActivationContextActivationBlock',\n 'BasepFreeAppCompatData',\n 'BasepMapModuleHandle',\n 'Beep',\n 'BeginUpdateResourceA',\n 'BeginUpdateResourceW',\n 'BindIoCompletionCallback',\n 'BuildCommDCBA',\n 'BuildCommDCBAndTimeoutsA',\n 'BuildCommDCBAndTimeoutsW',\n 'BuildCommDCBW',\n 'CallNamedPipeA',\n 'CallNamedPipeW',\n 'CallbackMayRunLong',\n 'CancelDeviceWakeupRequest',\n 'CancelIo',\n 'CancelIoEx',\n 'CancelSynchronousIo',\n 'CancelThreadpoolIo',\n 'CancelTimerQueueTimer',\n 'CancelWaitableTimer',\n 'ChangeTimerQueueTimer',\n 'CheckElevation',\n 'CheckElevationEnabled',\n 'CheckForReadOnlyResource',\n 'CheckNameLegalDOS8Dot3A',\n 'CheckNameLegalDOS8Dot3W',\n 'CheckRemoteDebuggerPresent',\n 'ClearCommBreak',\n 'ClearCommError',\n 'CloseConsoleHandle',\n 'CloseHandle',\n 'ClosePrivateNamespace',\n 'CloseProfileUserMapping',\n 'CloseThreadpool',\n 'CloseThreadpoolCleanupGroup',\n 'CloseThreadpoolCleanupGroupMembers',\n 'CloseThreadpoolIo',\n 'CloseThreadpoolTimer',\n 'CloseThreadpoolWait',\n 'CloseThreadpoolWork',\n 'CmdBatNotification',\n 'CommConfigDialogA',\n 'CommConfigDialogW',\n 'CompareCalendarDates',\n 'CompareFileTime',\n 'CompareStringA',\n 'CompareStringEx',\n 'CompareStringOrdinal',\n 'CompareStringW',\n 'ConnectNamedPipe',\n 'ConsoleMenuControl',\n 'ContinueDebugEvent',\n 'ConvertCalDateTimeToSystemTime',\n 'ConvertDefaultLocale',\n 'ConvertFiberToThread',\n 'ConvertNLSDayOfWeekToWin32DayOfWeek',\n 'ConvertSystemTimeToCalDateTime',\n 'ConvertThreadToFiber',\n 'ConvertThreadToFiberEx',\n 'CopyContext',\n 'CopyFileA',\n 'CopyFileExA',\n 'CopyFileExW',\n 'CopyFileTransactedA',\n 'CopyFileTransactedW',\n 'CopyFileW',\n 'CopyLZFile',\n 'CreateActCtxA',\n 'CreateActCtxW',\n 'CreateBoundaryDescriptorA',\n 'CreateBoundaryDescriptorW',\n 'CreateConsoleScreenBuffer',\n 'CreateDirectoryA',\n 'CreateDirectoryExA',\n 'CreateDirectoryExW',\n 'CreateDirectoryTransactedA',\n 'CreateDirectoryTransactedW',\n 'CreateDirectoryW',\n 'CreateEventA',\n 'CreateEventExA',\n 'CreateEventExW',\n 'CreateEventW',\n 'CreateFiber',\n 'CreateFiberEx',\n 'CreateFileA',\n 'CreateFileMappingA',\n 'CreateFileMappingNumaA',\n 'CreateFileMappingNumaW',\n 'CreateFileMappingW',\n 'CreateFileTransactedA',\n 'CreateFileTransactedW',\n 'CreateFileW',\n 'CreateHardLinkA',\n 'CreateHardLinkTransactedA',\n 'CreateHardLinkTransactedW',\n 'CreateHardLinkW',\n 'CreateIoCompletionPort',\n 'CreateJobObjectA',\n 'CreateJobObjectW',\n 'CreateJobSet',\n 'CreateMailslotA',\n 'CreateMailslotW',\n 'CreateMemoryResourceNotification',\n 'CreateMutexA',\n 'CreateMutexExA',\n 'CreateMutexExW',\n 'CreateMutexW',\n 'CreateNamedPipeA',\n 'CreateNamedPipeW',\n 'CreatePipe',\n 'CreatePrivateNamespaceA',\n 'CreatePrivateNamespaceW',\n 'CreateProcessA',\n 'CreateProcessAsUserW',\n 'CreateProcessInternalA',\n 'CreateProcessInternalW',\n 'CreateProcessW',\n 'CreateRemoteThread',\n 'CreateRemoteThreadEx',\n 'CreateSemaphoreA',\n 'CreateSemaphoreExA',\n 'CreateSemaphoreExW',\n 'CreateSemaphoreW',\n 'CreateSocketHandle',\n 'CreateSymbolicLinkA',\n 'CreateSymbolicLinkTransactedA',\n 'CreateSymbolicLinkTransactedW',\n 'CreateSymbolicLinkW',\n 'CreateTapePartition',\n 'CreateThread',\n 'CreateThreadpool',\n 'CreateThreadpoolCleanupGroup',\n 'CreateThreadpoolIo',\n 'CreateThreadpoolTimer',\n 'CreateThreadpoolWait',\n 'CreateThreadpoolWork',\n 'CreateTimerQueue',\n 'CreateTimerQueueTimer',\n 'CreateToolhelp32Snapshot',\n 'CreateWaitableTimerA',\n 'CreateWaitableTimerExA',\n 'CreateWaitableTimerExW',\n 'CreateWaitableTimerW',\n 'CtrlRoutine',\n 'DeactivateActCtx',\n 'DebugActiveProcess',\n 'DebugActiveProcessStop',\n 'DebugBreak',\n 'DebugBreakProcess',\n 'DebugSetProcessKillOnExit',\n 'DecodePointer',\n 'DecodeSystemPointer',\n 'DefineDosDeviceA',\n 'DefineDosDeviceW',\n 'DelayLoadFailureHook',\n 'DeleteAtom',\n 'DeleteBoundaryDescriptor',\n 'DeleteCriticalSection',\n 'DeleteFiber',\n 'DeleteFileA',\n 'DeleteFileTransactedA',\n 'DeleteFileTransactedW',\n 'DeleteFileW',\n 'DeleteProcThreadAttributeList',\n 'DeleteTimerQueue',\n 'DeleteTimerQueueEx']\n```\n*API*\n\n```\n{\n \"cells\": [\n  {\n   \"cell_type\": \"code\",\n   \"execution_count\": null,\n   \"metadata\": {},\n   \"outputs\": [],\n   \"source\": [\n    \"import pathlib\\n\",\n    \"import re\"\n   ]\n  },\n  {\n   \"cell_type\": \"code\",\n   \"execution_count\": null,\n   \"metadata\": {},\n   \"outputs\": [],\n   \"source\": [\n    \"log = pathlib.Path()\\n\",\n    \"log.exists()\"\n   ]\n  },\n  {\n   \"cell_type\": \"code\",\n   \"execution_count\": null,\n   \"metadata\": {},\n   \"outputs\": [],\n   \"source\": [\n    \"with open(log, 'r') as fh:\\n\",\n    \"    data = fh.read().splitlines()\"\n   ]\n  },\n  {\n   \"cell_type\": \"code\",\n   \"execution_count\": null,\n   \"metadata\": {},\n   \"outputs\": [],\n   \"source\": [\n    \"log_re = re.compile('(?P<register>[a-z]{3}): (?P<address>[A-Z0-9]+) (?:\\\\?\\\\?\\\\?|\\\"(?P<api>[A-Za-z0-9]+)\\\")')\\n\",\n    \"apis = list()\\n\",\n    \"first = True\\n\",\n    \"for entry in data:\\n\",\n    \"    match = re.match(log_re, entry)\\n\",\n    \"    if match:\\n\",\n    \"        if match.group('api'):\\n\",\n    \"            if first:\\n\",\n    \"                apis.append(match.group('api'))\\n\",\n    \"                first = False\\n\",\n    \"        else:\\n\",\n    \"            first = True\"\n   ]\n  },\n  {\n   \"cell_type\": \"code\",\n   \"execution_count\": null,\n   \"metadata\": {},\n   \"outputs\": [],\n   \"source\": [\n    \"apis\"\n   ]\n  }\n ],\n \"metadata\": {\n  \"kernelspec\": {\n   \"display_name\": \"Python 3\",\n   \"language\": \"python\",\n   \"name\": \"python3\"\n  },\n  \"language_info\": {\n   \"codemirror_mode\": {\n    \"name\": \"ipython\",\n    \"version\": 3\n   },\n   \"file_extension\": \".py\",\n   \"mimetype\": \"text/x-python\",\n   \"name\": \"python\",\n   \"nbconvert_exporter\": \"python\",\n   \"pygments_lexer\": \"ipython3\",\n   \"version\": \"3.7.2\"\n  }\n },\n \"nbformat\": 4,\n \"nbformat_minor\": 2\n}\n```\n*Jupyter Notebook*\n\nFor everyone who has read this far: [Andy C](https://en.wikipedia.org/wiki/Andy_C)!\nhttps://www.youtube.com/watch?v=5PwXNb5Bbbo",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmcbadMXr9mPmEK3GaaFy44HGPCsbCxGrWV1KsVMFzbMX2/outer_graph.png\",\"https://cdn.steemitimages.com/DQmTQ5fS7JgmTpitRZVzsgRcPvNAPXuju4u2bSjEKopD1ro/check_env.png\",\"https://cdn.steemitimages.com/DQmZHZfZAFjNKe5AAS1Wv6SrJjsT12ZEBUhYETwrLMYc3W2/resolve_api.png\",\"https://cdn.steemitimages.com/DQmfK4sDzv4Fc88gywj5tkRRqt2fx5WpYRB7dVzwobCkvrg/set_breakpoint.png\",\"https://cdn.steemitimages.com/DQmd85ZqbML76cxvJJuyw3TbzfDeB1c79iAEV4boVRLHVz2/set_trace.png\",\"https://cdn.steemitimages.com/DQmVMijX1FWHvWTFnqYA87z9iqPQngnzmbUqnAz141pxTLf/log_processing.png\",\"https://cdn.steemitimages.com/DQmZEa9xSd2S9nY324NSu2ngmpch51DfcP2Jd2AbuRJ6uhT/campaigns_side_by_side.png\",\"https://img.youtube.com/vi/5PwXNb5Bbbo/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-createcompatibledc\",\"https://docs.microsoft.com/en-us/windows/desktop/api/wingdi/nf-wingdi-setbkmode\",\"https://youtu.be/_rhQRwrH7yc?t=694\",\"https://x64dbg.com/#start\",\"https://jupyter.org/\",\"https://en.wikipedia.org/wiki/Read%E2%80%93eval%E2%80%93print_loop\",\"https://blog.jupyter.org/jupyterlab-is-ready-for-users-5a6f039b8906\",\"https://en.wikipedia.org/wiki/Andy_C\",\"https://www.youtube.com/watch?v=5PwXNb5Bbbo\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "adac408102851aa77f913f9a01b0f9df8f36fc74",
  "block": 30728585,
  "trx_in_block": 43,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-28T00:25:00",
  "op": [
    "vote",
    {
      "voter": "utkonos",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "2112bad79e91e2837c3a45e3e0aac123771e573f",
  "block": 30673594,
  "trx_in_block": 21,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-26T02:33:36",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -7872,19 +7872,20 @@\n red via \n-sys\n+proc\n mon.%0A%0A!%5B\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\",\"https://img.youtube.com/vi/L7wOTqIcBCE/0.jpg\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.reversinglabs.com/\",\"https://www.virustotal.com\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\",\"https://www.youtube.com/watch?v=L7wOTqIcBCE\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "910dc165cc3818631b66c7bac6d748c239f5a4da",
  "block": 30672571,
  "trx_in_block": 45,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-26T01:42:27",
  "op": [
    "comment",
    {
      "parent_author": "utkonos",
      "parent_permlink": "alphablend-campaign-part-2",
      "author": "partiko",
      "permlink": "partiko-re-utkonos-alphablend-campaign-part-2-20190226t014227097z",
      "title": "",
      "body": "Hello @utkonos! This is a friendly reminder that you have 3000 Partiko Points unclaimed in your Partiko account!\n\nPartiko is a fast and beautiful mobile app for Steem, and it’s the most popular Steem mobile app out there! Download Partiko using the link below and login using SteemConnect to claim your 3000 Partiko points! You can easily convert them into Steem token!\n\nhttps://partiko.app/referral/partiko\n\n![](https://d1vof77qrk4l5q.cloudfront.net/statics/partiko-poster-best-steem-app-for-your-phone.jpg)",
      "json_metadata": "{\"app\":\"partiko\"}"
    }
  ]
}

{
  "trx_id": "086e16d2063226e6b4d7d295b8103864104d6c23",
  "block": 30575257,
  "trx_in_block": 28,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-22T16:32:51",
  "op": [
    "vote",
    {
      "voter": "ciriaco",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "41c17903439fce3a3b7e33b3b31b6c5ac8d65e23",
  "block": 30557266,
  "trx_in_block": 7,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-22T01:32:39",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "title": "AlphaBlend Campaign Part 2",
      "body": "@@ -4252,16 +4252,26 @@\n to occur\n+ (arrow 2)\n . This i\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmVpZunVDY3YAXvmhcU5FWtXaTFY5csmgRdBiR6gSY3HYD/Memory%20Map.png\",\"https://cdn.steemitimages.com/DQmaweTzPfzDHgXJUx3anPdQwLTwhXEfwgm8AWu6gakoCKD/Set%20Breakpoint.png\",\"https://cdn.steemitimages.com/DQmWN3B4AfpuDMMEPAFH2RrZnWtW635PsPZ4ckJGt7DJFsy/Breakpoints.png\",\"https://cdn.steemitimages.com/DQmSWxFMMBV1wC2QRwARuBNJDAtBDkR9JNZc8i8Gwqus8TJ/Set%20SEH%20in%20Hopper.png\",\"https://cdn.steemitimages.com/DQmS3Rp6K3VS9nxDZV3EB2Withffneo5fJhCVDPzL9HqbC1/SEH%20Setup.png\",\"https://cdn.steemitimages.com/DQmZmUhzJkNx2voth3FaGkM1RU4tB8NvBDKcfXsxwmk8qzW/Actx.png\",\"https://img.youtube.com/vi/9fbBRNC9nJY/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling\",\"https://x64dbg.com\",\"https://www.hopperapp.com/\",\"https://virustotal.github.io/yara/\",\"https://twitter.com/NaxoneZ\",\"https://attack.mitre.org/\",\"https://github.com/plyara/plyara\",\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://cuckoosandbox.org/\",\"https://www.youtube.com/watch?v=9fbBRNC9nJY\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "4e1d9ef06bb9870ba370b796a05e96ce017e3ea0",
  "block": 30555784,
  "trx_in_block": 9,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-22T00:18:33",
  "op": [
    "vote",
    {
      "voter": "pinoy",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "weight": 1000
    }
  ]
}

{
  "trx_id": "1ecdc6a687fd34cd7f84e7c028375d71fab5dca8",
  "block": 30555477,
  "trx_in_block": 5,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-22T00:03:09",
  "op": [
    "vote",
    {
      "voter": "yehey",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "weight": 1000
    }
  ]
}

{
  "trx_id": "b2b8fa6bef63c44034c9f6a3c31f3f9707903edc",
  "block": 30555237,
  "trx_in_block": 11,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-21T23:51:06",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "title": "AlphaBlend Campaign Part 2",
      "body": "@@ -4338,34 +4338,19 @@\n need\n- be further on in analysis\n+ed later on\n . I \n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmVpZunVDY3YAXvmhcU5FWtXaTFY5csmgRdBiR6gSY3HYD/Memory%20Map.png\",\"https://cdn.steemitimages.com/DQmaweTzPfzDHgXJUx3anPdQwLTwhXEfwgm8AWu6gakoCKD/Set%20Breakpoint.png\",\"https://cdn.steemitimages.com/DQmWN3B4AfpuDMMEPAFH2RrZnWtW635PsPZ4ckJGt7DJFsy/Breakpoints.png\",\"https://cdn.steemitimages.com/DQmSWxFMMBV1wC2QRwARuBNJDAtBDkR9JNZc8i8Gwqus8TJ/Set%20SEH%20in%20Hopper.png\",\"https://cdn.steemitimages.com/DQmS3Rp6K3VS9nxDZV3EB2Withffneo5fJhCVDPzL9HqbC1/SEH%20Setup.png\",\"https://cdn.steemitimages.com/DQmZmUhzJkNx2voth3FaGkM1RU4tB8NvBDKcfXsxwmk8qzW/Actx.png\",\"https://img.youtube.com/vi/9fbBRNC9nJY/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling\",\"https://x64dbg.com\",\"https://www.hopperapp.com/\",\"https://virustotal.github.io/yara/\",\"https://twitter.com/NaxoneZ\",\"https://attack.mitre.org/\",\"https://github.com/plyara/plyara\",\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://cuckoosandbox.org/\",\"https://www.youtube.com/watch?v=9fbBRNC9nJY\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "4e769ba1fd2b2b373944ad09fcfa8e5139714fbf",
  "block": 30555192,
  "trx_in_block": 27,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-21T23:48:51",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "title": "AlphaBlend Campaign Part 2",
      "body": "@@ -1718,16 +1718,427 @@\n t.png)%0A%0A\n+With the breakpoint set, go over to the list of breakpoints and disable it so it stays out of the way until you need it. Next, set an exception breakpoint on %60EXCEPTION_ACCESS_VIOLATION%60 and proceed to the exception breakpoint. Finally, enable the memory breakpoint and step into the exception.%0A%0A!%5BBreakpoints.png%5D(https://cdn.steemitimages.com/DQmWN3B4AfpuDMMEPAFH2RrZnWtW635PsPZ4ckJGt7DJFsy/Breakpoints.png)%0A%0A\n In the f\n@@ -3129,19 +3129,21 @@\n he init \n+%60\n mov\n+%60\n  instruc\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmVpZunVDY3YAXvmhcU5FWtXaTFY5csmgRdBiR6gSY3HYD/Memory%20Map.png\",\"https://cdn.steemitimages.com/DQmaweTzPfzDHgXJUx3anPdQwLTwhXEfwgm8AWu6gakoCKD/Set%20Breakpoint.png\",\"https://cdn.steemitimages.com/DQmWN3B4AfpuDMMEPAFH2RrZnWtW635PsPZ4ckJGt7DJFsy/Breakpoints.png\",\"https://cdn.steemitimages.com/DQmSWxFMMBV1wC2QRwARuBNJDAtBDkR9JNZc8i8Gwqus8TJ/Set%20SEH%20in%20Hopper.png\",\"https://cdn.steemitimages.com/DQmS3Rp6K3VS9nxDZV3EB2Withffneo5fJhCVDPzL9HqbC1/SEH%20Setup.png\",\"https://cdn.steemitimages.com/DQmZmUhzJkNx2voth3FaGkM1RU4tB8NvBDKcfXsxwmk8qzW/Actx.png\",\"https://img.youtube.com/vi/9fbBRNC9nJY/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling\",\"https://x64dbg.com\",\"https://www.hopperapp.com/\",\"https://virustotal.github.io/yara/\",\"https://twitter.com/NaxoneZ\",\"https://attack.mitre.org/\",\"https://github.com/plyara/plyara\",\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://cuckoosandbox.org/\",\"https://www.youtube.com/watch?v=9fbBRNC9nJY\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "01d8f9fbc60e39fc8d8610ca2b376bc25fe149a7",
  "block": 30554906,
  "trx_in_block": 32,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-21T23:34:33",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "title": "AlphaBlend Campaign Part 2",
      "body": "@@ -1722,196 +1722,8 @@\n g)%0A%0A\n-The only annoying part is that the handler needs to be removed once in that code, or the breakpoint stops execution on every instruction from that point on. A nuisance, but not a problem. \n In t\n",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmVpZunVDY3YAXvmhcU5FWtXaTFY5csmgRdBiR6gSY3HYD/Memory%20Map.png\",\"https://cdn.steemitimages.com/DQmaweTzPfzDHgXJUx3anPdQwLTwhXEfwgm8AWu6gakoCKD/Set%20Breakpoint.png\",\"https://cdn.steemitimages.com/DQmSWxFMMBV1wC2QRwARuBNJDAtBDkR9JNZc8i8Gwqus8TJ/Set%20SEH%20in%20Hopper.png\",\"https://cdn.steemitimages.com/DQmS3Rp6K3VS9nxDZV3EB2Withffneo5fJhCVDPzL9HqbC1/SEH%20Setup.png\",\"https://cdn.steemitimages.com/DQmZmUhzJkNx2voth3FaGkM1RU4tB8NvBDKcfXsxwmk8qzW/Actx.png\",\"https://img.youtube.com/vi/9fbBRNC9nJY/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling\",\"https://x64dbg.com\",\"https://www.hopperapp.com/\",\"https://virustotal.github.io/yara/\",\"https://twitter.com/NaxoneZ\",\"https://attack.mitre.org/\",\"https://github.com/plyara/plyara\",\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://cuckoosandbox.org/\",\"https://www.youtube.com/watch?v=9fbBRNC9nJY\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "61b81f7853968d6916c4ed6006eb7bf3d4544c2f",
  "block": 30554792,
  "trx_in_block": 11,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-21T23:28:51",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverseengineering",
      "author": "utkonos",
      "permlink": "alphablend-campaign-part-2",
      "title": "AlphaBlend Campaign Part 2",
      "body": "This post continues the analysis of the AlphaBlend campaign. I’d like to thank everyone for all the fantastic feedback. One goal I have is to always show my work, and I think my elementary school math teachers would be proud. In the last post, I noted that a structured exception handler is used to prevent easy debugging. This is an old technique, but I’ve found that much of the information about circumventing this technique is hard to follow. Below is a step-by-step process for circumvention using x64dbg. Additionally, I noted that there is an odd string `“Actx “` that appears during debugging. I’ve found how it is used, but I don’t yet know why.\n\nA [structured exception handler](https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling) (SEH) is used by software to “do something” if a particular exception is raised. It lives in register `fs` at `fs:[0]`. Malware can set a custom handler that then runs when a particular exception is raised. Then the malware does something that causes the exception to be raised. Then the custom handler with the malicious code is run. The lab rat I’m working with poses an interesting challenge for the standard SEH circumvention technique of setting a software or hardware breakpoint on the handler. It doesn’t work, or I’m doing it wrong. However, if one follows the handler pointer and sets a memory breakpoint in the memory map of [x64dbg](https://x64dbg.com), one is able to debug the code in the handler.\n\n![Memory Map.png](https://cdn.steemitimages.com/DQmVpZunVDY3YAXvmhcU5FWtXaTFY5csmgRdBiR6gSY3HYD/Memory%20Map.png)\n\n![Set Breakpoint.png](https://cdn.steemitimages.com/DQmaweTzPfzDHgXJUx3anPdQwLTwhXEfwgm8AWu6gakoCKD/Set%20Breakpoint.png)\n\nThe only annoying part is that the handler needs to be removed once in that code, or the breakpoint stops execution on every instruction from that point on. A nuisance, but not a problem. In the following screenshot of [Hopper Disassembler](https://www.hopperapp.com/), I’ve identified the function where the SEH is setup. I renamed it `set_SEH` to make it clear. If anyone knows a better way to mark this in Hopper, please let me know.\n\n![Set SEH in Hopper.png](https://cdn.steemitimages.com/DQmSWxFMMBV1wC2QRwARuBNJDAtBDkR9JNZc8i8Gwqus8TJ/Set%20SEH%20in%20Hopper.png)\n\nThere are two very important instructions in this function: SEH save and SEH init. The code between them, I think, is the configuration of the SEH. Here is a look at the same stretch of code in the debugger.\n\n![SEH Setup.png](https://cdn.steemitimages.com/DQmS3Rp6K3VS9nxDZV3EB2Withffneo5fJhCVDPzL9HqbC1/SEH%20Setup.png)\n\nThese two instructions provide a nice bit of code to build a [YARA](https://virustotal.github.io/yara/) rule on. I went on a search for previous research on this topic and found a pair of rules written by [@NaxoneZ](https://twitter.com/NaxoneZ). AlphaBlend uses a different register in the init mov instruction, so I built on those rules and developed a pair of new rules that cover both observed instruction patterns. I also added a set of tags to the rules that make their incorporation into [MITRE ATT&CK](https://attack.mitre.org/) easier. That ruleset is found in the appendix in both standard format and [plyara](https://github.com/plyara/plyara) format.\n\nNext, we examine the interesting string `“Actx “` I noticed in the last post. I located where the string is originally loaded. Arrow 1 is where the string `ecx+4` is moved to the `ebx` register. This address is located in the main, benign Setup.exe thread. The next instruction moves the pointer to [InterlockCompareExchange](https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange) to the `edi` register.\n\n![Actx.png](https://cdn.steemitimages.com/DQmZmUhzJkNx2voth3FaGkM1RU4tB8NvBDKcfXsxwmk8qzW/Actx.png)\n\nArrow 3 is the set of input parameters for InterlockCompareExchange: `0`, `“Actx “`, and an address in the malicious DLL. This stretch of code includes a comparison that can cause sleep to occur. This is important to note so that it can be patched to disable the sleep if need be further on in analysis. I am not sure if this is important yet, but sleep can be poisonous to sandbox analysis. Knowing where it happens can allow you to patch it out in an automated way. This lets future samples run in [Cuckoo Sandbox](https://cuckoosandbox.org/) easier.\n\nWe’ve seen two potential anti-analysis defenses used by AlphaBlend. I hope this has helped you understand how to find them. If you have any questions or suggestions, please leave comments below.\n\n**Appendix**\n```\n[\n    {\n        \"condition_terms\": [\n            \"uint16\",\n            \"(\",\n            \"0\",\n            \")\",\n            \"==\",\n            \"0x5A4D\",\n            \"and\",\n            \"uint32\",\n            \"(\",\n            \"uint32\",\n            \"(\",\n            \"0x3C\",\n            \")\",\n            \")\",\n            \"==\",\n            \"0x00004550\"\n        ],\n        \"raw_condition\": \"condition:\\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550\\n\",\n        \"rule_name\": \"WindowsPE\",\n        \"scopes\": [\n            \"private\"\n        ],\n        \"start_line\": 1,\n        \"stop_line\": 5\n    },\n    {\n        \"condition_terms\": [\n            \"WindowsPE\",\n            \"and\",\n            \"$a\"\n        ],\n        \"metadata\": [\n            {\n                \"author\": \"Malware Utkonos\"\n            },\n            {\n                \"original_author\": \"naxonez\"\n            },\n            {\n                \"source\": \"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\"\n            }\n        ],\n        \"raw_condition\": \"condition:\\n        WindowsPE and $a\\n\",\n        \"raw_meta\": \"meta:\\n        author = \\\"Malware Utkonos\\\"\\n        original_author = \\\"naxonez\\\"\\n        source = \\\"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\\\"\\n    \",\n        \"raw_strings\": \"strings:\\n        $a = { 64 ff 35 00 00 00 00 }\\n    \",\n        \"rule_name\": \"SEH_Save\",\n        \"start_line\": 7,\n        \"stop_line\": 17,\n        \"strings\": [\n            {\n                \"name\": \"$a\",\n                \"type\": \"byte\",\n                \"value\": \"{ 64 ff 35 00 00 00 00 }\"\n            }\n        ],\n        \"tags\": [\n            \"Tactic_DefensiveEvasion\",\n            \"Technique_AntiDebugging\",\n            \"SubTechnique_SEH\"\n        ]\n    },\n    {\n        \"condition_terms\": [\n            \"WindowsPE\",\n            \"and\",\n            \"(\",\n            \"$a\",\n            \"or\",\n            \"$b\",\n            \")\"\n        ],\n        \"metadata\": [\n            {\n                \"author\": \"Malware Utkonos\"\n            },\n            {\n                \"original_author\": \"naxonez\"\n            },\n            {\n                \"source\": \"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\"\n            }\n        ],\n        \"raw_condition\": \"condition:\\n        WindowsPE and ($a or $b)\\n\",\n        \"raw_meta\": \"meta:\\n        author = \\\"Malware Utkonos\\\"\\n        original_author = \\\"naxonez\\\"\\n        source = \\\"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\\\"\\n    \",\n        \"raw_strings\": \"strings:\\n        $a = { 64 A3 00 00 00 00 }\\n        $b = { 64 89 25 00 00 00 00 }\\n    \",\n        \"rule_name\": \"SEH_Init\",\n        \"start_line\": 19,\n        \"stop_line\": 30,\n        \"strings\": [\n            {\n                \"name\": \"$a\",\n                \"type\": \"byte\",\n                \"value\": \"{ 64 A3 00 00 00 00 }\"\n            },\n            {\n                \"name\": \"$b\",\n                \"type\": \"byte\",\n                \"value\": \"{ 64 89 25 00 00 00 00 }\"\n            }\n        ],\n        \"tags\": [\n            \"Tactic_DefensiveEvasion\",\n            \"Technique_AntiDebugging\",\n            \"SubTechnique_SEH\"\n        ]\n    }\n]\n```\n*YARA Rule in plyara Format*\n```\nprivate rule WindowsPE\n{\n    condition:\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550\n}\n\nrule SEH_Save : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH\n{\n    meta:\n        author = \"Malware Utkonos\"\n        original_author = \"naxonez\"\n        source = \"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\"\n    strings:\n        $a = { 64 ff 35 00 00 00 00 }\n    condition:\n        WindowsPE and $a\n}\n\nrule SEH_Init : Tactic_DefensiveEvasion Technique_AntiDebugging SubTechnique_SEH\n{\n    meta:\n        author = \"Malware Utkonos\"\n        original_author = \"naxonez\"\n        source = \"https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara\"\n    strings:\n        $a = { 64 A3 00 00 00 00 }\n        $b = { 64 89 25 00 00 00 00 }\n    condition:\n        WindowsPE and ($a or $b)\n}\n```\n*YARA Rule*\n\nFor the people who read this far, some more music for your pleasure.\nhttps://www.youtube.com/watch?v=9fbBRNC9nJY",
      "json_metadata": "{\"tags\":[\"reverseengineering\",\"malwareanalysis\"],\"image\":[\"https://cdn.steemitimages.com/DQmVpZunVDY3YAXvmhcU5FWtXaTFY5csmgRdBiR6gSY3HYD/Memory%20Map.png\",\"https://cdn.steemitimages.com/DQmaweTzPfzDHgXJUx3anPdQwLTwhXEfwgm8AWu6gakoCKD/Set%20Breakpoint.png\",\"https://cdn.steemitimages.com/DQmSWxFMMBV1wC2QRwARuBNJDAtBDkR9JNZc8i8Gwqus8TJ/Set%20SEH%20in%20Hopper.png\",\"https://cdn.steemitimages.com/DQmS3Rp6K3VS9nxDZV3EB2Withffneo5fJhCVDPzL9HqbC1/SEH%20Setup.png\",\"https://cdn.steemitimages.com/DQmZmUhzJkNx2voth3FaGkM1RU4tB8NvBDKcfXsxwmk8qzW/Actx.png\",\"https://img.youtube.com/vi/9fbBRNC9nJY/0.jpg\"],\"links\":[\"https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling\",\"https://x64dbg.com\",\"https://www.hopperapp.com/\",\"https://virustotal.github.io/yara/\",\"https://twitter.com/NaxoneZ\",\"https://attack.mitre.org/\",\"https://github.com/plyara/plyara\",\"https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-interlockedcompareexchange\",\"https://cuckoosandbox.org/\",\"https://www.youtube.com/watch?v=9fbBRNC9nJY\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "adf26a80aa3571f0baae1cd0eb9148c581b3aed4",
  "block": 30513612,
  "trx_in_block": 19,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-20T13:08:36",
  "op": [
    "vote",
    {
      "voter": "ciriaco",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "weight": 10000
    }
  ]
}

{
  "trx_id": "64b4539946139ae32dd54e70c45b503f89e251b7",
  "block": 30496935,
  "trx_in_block": 24,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T23:14:06",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -11933,15 +11933,15 @@\n ng. \n-Croatia\n+Balkans\n , I'\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\",\"https://img.youtube.com/vi/L7wOTqIcBCE/0.jpg\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.reversinglabs.com/\",\"https://www.virustotal.com\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\",\"https://www.youtube.com/watch?v=L7wOTqIcBCE\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "4fc91f38d0c10e61a4bbca888d9028b6cb61a350",
  "block": 30496924,
  "trx_in_block": 31,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T23:13:33",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -893,16 +893,8 @@\n  zip\n- (e54bc)\n  wit\n@@ -979,27 +979,8 @@\n ble,\n- Setup.exe (78410),\n  whi\n@@ -1044,24 +1044,8 @@\n DLLs\n- (70cff & 4ded6)\n . Th\n@@ -1072,16 +1072,8 @@\n .dll\n- (2fb00)\n , sh\n@@ -1150,16 +1150,215 @@\n  runs.%0A%0A\n+* Setup_4852.zip (e54bc), malicious zip%0A* Setup.exe (78410), benign ISO extraction program%0A* QtCore4.dll (70cff), benign DLL%0A* CFNetwork.dll (4ded6), benign DLL%0A* msimg32.dll (2fb00), malicious DLL%0A%0A\n On a sid\n@@ -11842,8 +11842,169 @@\n RA Rule*\n+%0A%0AFor those of you who made it this far, here is a track to listen to while reversing. Croatia, I'm looking at you ;)%0Ahttps://www.youtube.com/watch?v=L7wOTqIcBCE\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\",\"https://img.youtube.com/vi/L7wOTqIcBCE/0.jpg\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.reversinglabs.com/\",\"https://www.virustotal.com\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\",\"https://www.youtube.com/watch?v=L7wOTqIcBCE\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "b4cb509dadc21c51c16c38f94d89702c628a046f",
  "block": 30496051,
  "trx_in_block": 28,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T22:29:54",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "This post kicks off my new blog which will primarily be about malware analysis and reverse engineering. I will try to go into detail about tools used and the theory behind the techniques that I’m using wherever appropriate. Also, I’d like to point out that if you’re interested in malware analysis and reverse engineering services, please contact me. I’m now a grass-fed, free-range independent malware researcher. This is the first in a series I will be writing about AlphaBlend, my name for this particular campaign. The backstory on researching AlphaBlend starts with a group of people that pool resources and knowledge to tackle various malware files and threats that pop up. We have have been working together for the past year or so, and all of the following is based on the most recent of these fire drills.\n\nThis particular campaign began in mid-January, and the file in question is a zip (e54bc) with four executable files inside. Three of the files are DLLs. One is an executable, Setup.exe (78410), which is a benign ISO extraction program and two are benign DLLs (70cff & 4ded6). The third DLL, msimg32.dll (2fb00), shares a filename with a benign DLL that the ISO extractor loads when it runs.\n\nOn a side note, I am going to “defang” all benign file hashes. I know people are automatically processing blogs like this for malicious indicators, and I don’t want to introduce unnecessary noise into those systems. Additionally, I’ll refer to files and other indicators using a short form of the first 5 characters of the sha256 to make this all easier to read. All indicators will be provided in the appendix in JSON format. It is still readable, and it makes it easier on the folks scraping the data.\n\nOne of the people in the group noticed that this zip file was being hosted at hxxp://uneft[.]com/userfiles/file/Setup_4852.zip (will add credits if they wish to be known). This is hosted on a compromised website on a large hosting server. I determined this from using poor man’s pDNS, bing.com’s IP index search:\n\nhttps://www.bing.com/search?q=ip%3A62.210.16.61\n\nThis IP address is not of much value on it’s own, but there may be some valuable forensic evidence on the server. I’m not including it as an IP indicator in this post for this reason. However, looking for other malicious files downloaded from the same IP using VirusTotal search yields another zip payload (b191e). Looking at URLs in VT’s database that have hosted this file, a number of Github URLs are found. All are under one single Github account:\n\nhxxps://github[.]com/noroh90\n\nAt the time of writing, this user had joined Github 25 days prior. There is a single repository under this account that appears to be used to rotate malware payloads in this campaign.\n\nFocusing on the payload DLL, msimg32.dll, I ran it through [Intezer Analyze](https://www.intezer.com/intezer-analyze/) to look for code reuse from other malware families. Nothing was found:\n\nhttps://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\n\nFocusing on the Import Hash of the DLL, two additional DLLs are revealed via search in VirusTotal (4ff45 & f28ab). The second file didn’t have a filename listed, but it must be what I’ve added below. We’ll see why soon. The second one, f28ab, has an interesting theme to the AV detections: “Floxif”. This is the malware that used CCleaner as a vehicle in a similar way to how this one uses the benign ISO extractor. I have not yet explored how this may be related, but here are two blog posts detailing Floxif. How and if this is related will be explored in a future post in this series.\n\nhttps://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\nhttp://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\n\nExamining the three malicious DLLs along with the ones from the Github repo, they all share a similar set of exports. One export, “AlphaBlend”, is identical across all of them. The following is a view of that stretch of code in [Hopper Disassembler](https://www.hopperapp.com/).\n\n![AlphaBlend Exports.png](https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png)\n\nI’d like to point out a concept when writing detection signatures that I learned a few years back at [ShmooCon](https://www.shmoocon.org/). The concept is strings-based signatures are quite weak, but code-based signatures are quite strong. The following is a video of Lauren Pearce's excellent talk. The backstory starts at about 14:52.\n\nhttps://youtu.be/_BfLSRjHWo8\n\nWith this concept in mind, I opened the file in [Synalize It Pro](https://www.synalysis.net/), a really good hex editor with colored grammar for PE files and other file types. It colorizes the various parts of a PE file for you.\n\n![Hex View.png](https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png)\n\nArmed with this information, I wrote a [YARA](https://virustotal.github.io/yara/) rule to detect this malware. I used the hex representation of the three consecutive exported functions as one of the conditions in the signature. In addition to standard YARA format, a JSON representation of the rule is also provided to help the scapers. I used a tool called [plyara](https://github.com/plyara/plyara) to generate this format. I am a maintainer of this tool, so any feedback is more than welcome.\n\nThe results of retrohunts for this rule in [ReversingLabs](https://www.reversinglabs.com/) and [VirusTotal](https://www.virustotal.com) have uncovered around 45 unique files in the campaign which began in January.\n\nMalware that uses a benign file and loads a DLL makes automated malware analysis difficult. Running the DLL by itself or the Setup.exe by itself both yield no results. Therefore, before starting the manual reversing journey, I ran everything in app.any.run’s interactive sandbox.\n\nhttps://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\n\nI found that the file crashes when a file named “Setup.msg” is missing. With the file present, a different error is produced, but execution ends presumably because the file content is not what the malware expects.\n\nI then began the process of manual reversing. My setup is straightforward with three tools, [x64dbg](https://x64dbg.com/), [Process Hacker](https://processhacker.sourceforge.io/), and [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) in a Windows 7x64 VM.\n\nThe key to analyzing a DLL like this is to set a breakpoint on the DLL being loaded in the benign file. You just need use the name of the DLL in configuring the breakpoint. Running up to the breakpoint leaves you at the entry point of the DLL. From there, stepping through the code reveals a number of interesting items. One is an interesting string “Actx “. The trailing space is part of the data. It’s unclear what this string is used for, but an XOR key is one possibility.\n\n![Debugger XOR Key.png](https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png)\n\nLooking at procmon to see what’s happening, the malware is observed to do a few checks for AV including Avira and ESET.\n\n![procmon1.png](https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png)\n\nIt also checks if CEIPEnable is set, which is part of [Windows Customer Experience Improvement Program](https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable). It also checks for the locales of both CodeGear and Borland.\n\n![Locales.png](https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png)\n\nThere is much work to be done sorting through the behavioral data, but via the debugger, everything up to the crash can be captured via sysmon.\n\n![First Crash.png](https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png)\n\nLooking at the file in [Cerbero Profiler](https://cerbero.io/profiler/), one sees that there is a debug directory present.\n\n![Debug Directory.png](https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png)\n\nOne of the people in the group asked how I arrived at the hex code snippet used in the YARA signature. It is based on both the concept outlined in the YouTube video above coupled with a concept from David Bianco’s pyramid of pain. This type of signature aims for the top of the pyramid at the TTPs of the attacker. To avoid this signature, the adversary must change the code. This is in that most painful part of the pyramid. For more info on the pyramid of pain:\n\nhttps://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\n\nThere are a number of avenues of investigation still to take including checking for overlap with Floxif, processing the 45 or so files found by the retrohunt, determining what the Actx interesting string is used for, examining the debug directory, and analyzing the structured exception handler. I hope this has been an enlightening blog post and I look forward to writing more in this series.\n\n**Appendix**\n\n```\n78410 2cb5eed 67931b6d6 037168c733  571877682 6c24c1c5 e2af3903f8 a72064 (Setup.exe)\n70cfff0b4  055994b38 bbb420f59c5  81b5bb1d13db  3a03905f19 dbf5779430c47 (QtCore4.dll)\n4ded6 618a9 e294bb670  45d3c45c 705a46231 0de63143d 36bd779f6 13e5c 5085d (CFNetwork.dll)\n```\n*Benign File Hashes*\n\n```\n{\n  \"files\": [\n    {\n      \"filename\": \"Setup_4852.zip\",\n      \"md5\": \"f0dc136af71e4ebad31da1850c343692\",\n      \"sha1\": \"18ac41ddb0de66ba9b6047b6a0cb5a5e432b634e\",\n      \"sha256\": \"e54bcff1d12e49c1adf1264dbd04993dc4a127fb1bf223caa115cd547c08131d\"\n    },\n    {\n      \"filename\": \"msimg32.dll\",\n      \"md5\": \"c0ab87b047515dc2dd47bb49223f24c1\",\n      \"sha1\": \"ac3649b0c3f4e23c3f52e1131d45c16e42eba834\",\n      \"sha256\": \"2fb00d9f9eee56523ac9fe61e7af8966ac60de6fdaf3ccd6214aae745ce2e922\",\n      \"imphash\": \"1bd3413303a379c6301fcac645b55e0c\"\n    },\n    {\n      \"filename\": \"Setup_5341.zip\",\n      \"md5\": \"7516fac6d6b3b3085197604a61d8bdf6\",\n      \"sha1\": \"241ed5972a1f46603c684256da7fcc9edef02c11\",\n      \"sha256\": \"b191e33360b886d1d846151b9c30a0e4273b460b709c04648734c71562239868\"\n    },\n    {\n      \"filename\": \"msimg32.dll\",\n      \"md5\": \"d7e8d0831dd2d1856da705bc0c80517b\",\n      \"sha1\": \"3b52ab4d6f9e79f95fe1cb27a1ba37de1e14b9eb\",\n      \"sha256\": \"4ff457b97d26f785c57812146565bf1e8b079c076df2ede2b6d3ee3a18eaad87\",\n      \"imphash\": \"1bd3413303a379c6301fcac645b55e0c\"\n    },\n    {\n      \"filename\": \"msimg32.dll\",\n      \"md5\": \"e5a16fe47e050df730b71b18265d1f0b\",\n      \"sha1\": \"b1299b7657bdfd4f44ddd17def7487375a592065\",\n      \"sha256\": \"f28ab348185b1c670c738ce90993544e352702f5b2a02b1c5529f3cc3e9f9a3d\",\n      \"imphash\": \"1bd3413303a379c6301fcac645b55e0c\"\n    }\n  ],\n  \"network\": [\n    {\n      \"url\": \"http://uneft.com/userfiles/file/Setup_4852.zip\",\n      \"hostname\": \"uneft.com\"\n    }\n  ],\n  \"yara\": [\n    {\n      \"condition_terms\": [\n        \"$a\",\n        \"and\",\n        \"pe.exports\",\n        \"(\",\n        \"\\\"AlphaBlend\\\"\",\n        \")\"\n      ],\n      \"imports\": [\n        \"pe\"\n      ],\n      \"raw_condition\": \"condition:\\n        $a and pe.exports(\\\"AlphaBlend\\\")\\n\",\n      \"raw_strings\": \"strings:\\n        $a = { 33 C0 40 C2 18 00 33 C0 40 C2 2C 00 33 C0 40 C3 }\\n    \",\n      \"rule_name\": \"AlphaBlend\",\n      \"start_line\": 3,\n      \"stop_line\": 9,\n      \"strings\": [\n        {\n          \"name\": \"$a\",\n          \"type\": \"byte\",\n          \"value\": \"{ 33 C0 40 C2 18 00 33 C0 40 C2 2C 00 33 C0 40 C3 }\"\n        }\n      ]\n    }\n  ]\n}\n```\n*Machine Readable Intelligence*\n\n```\nimport \"pe\"\n\nrule AlphaBlend\n{\n    strings:\n        $a = { 33 C0 40 C2 18 00 33 C0 40 C2 2C 00 33 C0 40 C3 }\n    condition:\n        $a and pe.exports(\"AlphaBlend\")\n}\n```\n*YARA Rule*",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.reversinglabs.com/\",\"https://www.virustotal.com\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "9b2aa6e32afaa74d6e36e34a9f9e4e87ecb39ed7",
  "block": 30489421,
  "trx_in_block": 15,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T16:58:21",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -7961,53 +7961,8 @@\n in %5B\n-VirusTotal%5D(https://www.virustotal.com) and %5B\n Reve\n@@ -8002,16 +8002,61 @@\n abs.com/\n+) and %5BVirusTotal%5D(https://www.virustotal.com\n ) have u\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.reversinglabs.com/\",\"https://www.virustotal.com\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "5f12b1632dc921903df6ce35eba5f9e47cc549f0",
  "block": 30477294,
  "trx_in_block": 2,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T06:51:33",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -6065,18 +6065,28 @@\n rg/). Th\n-at\n+e concept is\n  strings\n@@ -6096,20 +6096,22 @@\n sed \n-detection is\n+signatures are\n  qui\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.virustotal.com\",\"https://www.reversinglabs.com/\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "eabe7a05245a5c43d2b279b9a1b168882717a3e1",
  "block": 30477171,
  "trx_in_block": 6,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T06:45:24",
  "op": [
    "comment",
    {
      "parent_author": "utkonos",
      "parent_permlink": "alphablend-malware",
      "author": "steemitboard",
      "permlink": "steemitboard-notify-utkonos-20190219t064523000z",
      "title": "",
      "body": "Congratulations @utkonos! You received a personal award!\n\n<table><tr><td>https://steemitimages.com/70x70/http://steemitboard.com/@utkonos/birthday1.png</td><td>Happy Birthday! - You are on the Steem blockchain for 1 year!</td></tr></table>\n\n<sub>_[Click here to view your Board](https://steemitboard.com/@utkonos)_</sub>\n\n\n**Do not miss the last post from @steemitboard:**\n<table><tr><td><a href=\"https://steemit.com/valentine/@steemitboard/valentine-challenge-love-is-in-the-air\"><img src=\"https://steemitimages.com/64x128/http://i.cubeupload.com/LvDzr5.png\"></a></td><td><a href=\"https://steemit.com/valentine/@steemitboard/valentine-challenge-love-is-in-the-air\">Valentine challenge - Love is in the air!</a></td></tr></table>\n\n> Support [SteemitBoard's project](https://steemit.com/@steemitboard)! **[Vote for its witness](https://v2.steemconnect.com/sign/account-witness-vote?witness=steemitboard&approve=1)** and **get one more award**!",
      "json_metadata": "{\"image\":[\"https://steemitboard.com/img/notify.png\"]}"
    }
  ]
}

{
  "trx_id": "76cb886a5a6877be0bc8067da2b052e16344eeb3",
  "block": 30477153,
  "trx_in_block": 16,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T06:44:30",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -6730,16 +6730,108 @@\n malware.\n+ I used the hex representation of the three consecutive exported functions in the signature.\n  The fol\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.virustotal.com\",\"https://www.reversinglabs.com/\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "d622d703c6fc5593500a2de9cb2e94ff89a1f2d7",
  "block": 30476945,
  "trx_in_block": 8,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T06:34:06",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -6183,72 +6183,69 @@\n  of \n-that talk starting at the time of the backstory. Fast-forward to\n+Lauren Pearce's excellent talk. The backstory starts at about\n  14:\n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.virustotal.com\",\"https://www.reversinglabs.com/\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "94eecfac801addcf101528cb1e294ff63805433d",
  "block": 30476745,
  "trx_in_block": 3,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T06:24:06",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -9311,16 +9311,55 @@\n he data.\n+ I%E2%80%99ll be looking deeper into its usage.\n %0A%0A!%5BDebu\n@@ -10569,16 +10569,50 @@\n handler \n+and examining the debug directory \n will be \n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.virustotal.com\",\"https://www.reversinglabs.com/\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "5bb572c50e2eb998c7b31ce53e76a9c27ad2e6c0",
  "block": 30476612,
  "trx_in_block": 19,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T06:17:27",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "@@ -460,17 +460,17 @@\n  I will \n-w\n+b\n e writin\n@@ -529,120 +529,40 @@\n rts \n-on a private hacker Slack I%E2%80%99m a member of which has a really activ\n+with a group of peopl\n e \n-#\n th\n-reatintel channel. Lots of people\n+at\n  pool\n-ing\n  res\n@@ -585,50 +585,18 @@\n edge\n-. For the past year or more, we%E2%80%99ve\n+ to\n  tackle\n-d\n  var\n@@ -643,35 +643,78 @@\n up. \n-It%E2%80%99s always a fun time. All\n+We have have been working together for the past year or so, and all of\n  the\n@@ -735,18 +735,17 @@\n his \n-first blog\n+blog post\n  is \n",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.virustotal.com\",\"https://www.reversinglabs.com/\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "2f7acabe1802ab25925911134fc2f528819970e4",
  "block": 30475086,
  "trx_in_block": 8,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T05:01:09",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "29030.774844 VESTS"
    }
  ]
}

{
  "trx_id": "91033fef82d35ef764432c0f67376b311f266e4e",
  "block": 30474998,
  "trx_in_block": 3,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2019-02-19T04:56:45",
  "op": [
    "comment",
    {
      "parent_author": "",
      "parent_permlink": "reverse",
      "author": "utkonos",
      "permlink": "alphablend-malware",
      "title": "AlphaBlend Malware",
      "body": "This blog post kicks off my new blog which will primarily be about malware analysis and reverse engineering. I will try to go into detail about tools used and the theory behind the techniques that I’m using wherever appropriate. Also, I’d like to point out that if you’re interested in malware analysis and reverse engineering services, please contact me. I’m now a grass-fed, free-range independent malware researcher. This blog post is the first in a series I will we writing about AlphaBlend.\n\nThe backstory on AlphaBlend starts on a private hacker Slack I’m a member of which has a really active #threatintel channel. Lots of people pooling resources and knowledge. For the past year or more, we’ve tackled various malware files and threats that pop up. It’s always a fun time. All the research in this first blog is based on the most recent of these fire drills.\n\nThis particular campaign began in mid-January, and the file in question is a zip with four executable files inside. Three of the files are DLLs. One is an executable, Setup.exe, which is a benign ISO extraction program and two are benign DLLs. The third DLL, msimg32.dll, shares a filename with a benign DLL that the ISO extractor expects to be present when it runs. These are the three benign file hashes. I am going to “defang” all benign file hashes in all blog posts because I know people are automatically processing blogs like this for malicious indicators. I don’t want to introduce unnecessary noise into those systems.\n```\n78410 2cb5eed 67931b6d6 037168c733  571877682 6c24c1c5 e2af3903f8 a72064 (Setup.exe)\n70cfff0b4  055994b38 bbb420f59c5  81b5bb1d13db  3a03905f19 dbf5779430c47 (QtCore4.dll)\n4ded6 618a9 e294bb670  45d3c45c 705a46231 0de63143d 36bd779f6 13e5c 5085d (CFNetwork.dll)\n```\n*Benign Hashes*\n\nThe two malicious file hashes are as follows. The following is the way that my blog posts will show malicious indicators for the same reason I’m defanging benign hashes. JSON is still readable, and it makes it easier on the folks scraping the data to operationalize it without much additional work.\n```\n{\n  \"Filename\": \"Setup_4852.zip\",\n  \"MD5\": \"f0dc136af71e4ebad31da1850c343692\",\n  \"SHA1\": \"18ac41ddb0de66ba9b6047b6a0cb5a5e432b634e\",\n  \"SHA256\": \"e54bcff1d12e49c1adf1264dbd04993dc4a127fb1bf223caa115cd547c08131d\"\n}\n{\n  \"Filename\": \"msimg32.dll\",\n  \"MD5\": \"c0ab87b047515dc2dd47bb49223f24c1\",\n  \"SHA1\": \"ac3649b0c3f4e23c3f52e1131d45c16e42eba834\",\n  \"SHA256\": \"2fb00d9f9eee56523ac9fe61e7af8966ac60de6fdaf3ccd6214aae745ce2e922\",\n  \"Imphash\": \"1bd3413303a379c6301fcac645b55e0c\"\n}\n```\n*Malicious Hashes*\n\nAnother of the people in the channel noticed that this zip file was being hosted on the following URL (will add credits if they wish to be known):\n```\n{\n  \"URL\": \"http://uneft.com/userfiles/file/Setup_4852.zip\",\n  \"Hostname\": \"uneft.com\"\n}\n```\n*Malicious URL and Hostname*\n\nThe host is a compromised website on a large hosting server. I determined this from using poor man’s pDNS, bing.com ip: index search:\n\nhttps://www.bing.com/search?q=ip%3A62.210.16.61\n\nThis IP address is not of much value on it’s own, but there may be some valuable forensic evidence there. I’m not including it as an IP indicator in this post for this reason. However, looking for other malicious files downloaded from the same IP using VirusTotal search yields another payload:\n```\n{\n  \"Filename\": \"Setup_5341.zip\",\n  \"MD5\": \"7516fac6d6b3b3085197604a61d8bdf6\",\n  \"SHA1\": \"241ed5972a1f46603c684256da7fcc9edef02c11\",\n  \"SHA256\": \"b191e33360b886d1d846151b9c30a0e4273b460b709c04648734c71562239868\"\n}\n```\n*Malicious File Hash*\n\nLooking at URLs that have hosted this file in VT’s database, a number of Github URLs are found and all are under one single Github account:\n\nhxxps://github[.]com/noroh90\n\nAt the time of writing, this user joined Github 25 days prior. There is a single repository that appears to be used to rotate malware payloads of this campaign. In a follow-up post, I will release all the hashes that I’ve found related to this campaign: ~45 payload DLLs so far and all related indicators.\n\nFocusing on the payload DLL, msimg32.dll, I ran it through [Intezer Analyze](https://www.intezer.com/intezer-analyze/) to look for code reuse from other malware families, but nothing was found:\n\nhttps://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\n\nFocusing on the Import Hash of the DLL, two additional DLLs are revealed via search in VirusTotal. The second file didn’t have a filename listed, but it must be what I’ve added here, and we’ll see why soon.\n```\n{\n  \"Filename\": \"msimg32.dll\",\n  \"MD5\": \"d7e8d0831dd2d1856da705bc0c80517b\",\n  \"SHA1\": \"3b52ab4d6f9e79f95fe1cb27a1ba37de1e14b9eb\",\n  \"SHA256\": \"4ff457b97d26f785c57812146565bf1e8b079c076df2ede2b6d3ee3a18eaad87\",\n  \"Imphash\": \"1bd3413303a379c6301fcac645b55e0c\"\n}\n{\n  \"Filename\": \"msimg32.dll\",\n  \"MD5\": \"e5a16fe47e050df730b71b18265d1f0b\",\n  \"SHA1\": \"b1299b7657bdfd4f44ddd17def7487375a592065\",\n  \"SHA256\": \"f28ab348185b1c670c738ce90993544e352702f5b2a02b1c5529f3cc3e9f9a3d\",\n  \"Imphash\": \"1bd3413303a379c6301fcac645b55e0c\"\n}\n```\n*Malicious File Hashes*\n\nThe second one, f28ab, has an interesting theme to the AV detections, “Floxif”. This is the malware that used CCleaner as a vehicle in a similar way to how this one uses the benign ISO extractor. I have not yet explored how this may be related, but here are two blog posts detailing Floxif. How and if this is related will be detailed in a future post.\n\nhttps://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\nhttp://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\n\nExamining the three DLLs listed above along with the ones from the Github repo, they all share a similar set of exports. One export, “AlphaBlend”, is identical across all of them. The following is a view of that stretch of code in [Hopper Disassembler](https://www.hopperapp.com/).\n\n![AlphaBlend Exports.png](https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png)\n\nI’d like to point out a concept when writing detection signatures that I learned a few years back at [ShmooCon](https://www.shmoocon.org/). That strings-based detection is quite weak, but code-based signatures are quite strong. The following is a video of that talk starting at the time of the backstory. Fast-forward to 14:52.\n\nhttps://youtu.be/_BfLSRjHWo8\n\nWith this concept in mind, I opened the file in [Synalize It Pro](https://www.synalysis.net/), a really good hex editor with colored grammar for PE files and other file types. It colorizes the various parts of a PE file for you.\n\n![Hex View.png](https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png)\n\nArmed with this information, I wrote a [YARA](https://virustotal.github.io/yara/) rule to detect this malware. The following is how I will be formatting YARA rules in blog posts to facilitate folks scraping the blog. I used a tool called [plyara](https://github.com/plyara/plyara) to generate this JSON formatted YARA rule. I am a maintainer of this tool, so any feedback is more than welcome. The standard format rule can be found at the bottom of the post.\n```\n[\n    {\n        \"condition_terms\": [\n            \"$a\",\n            \"and\",\n            \"pe.exports\",\n            \"(\",\n            \"\\\"AlphaBlend\\\"\",\n            \")\"\n        ],\n        \"imports\": [\n            \"pe\"\n        ],\n        \"raw_condition\": \"condition:\\n        $a and pe.exports(\\\"AlphaBlend\\\")\\n\",\n        \"raw_strings\": \"strings:\\n        $a = { 33 C0 40 C2 18 00 33 C0 40 C2 2C 00 33 C0 40 C3 }\\n    \",\n        \"rule_name\": \"AlphaBlend\",\n        \"start_line\": 3,\n        \"stop_line\": 9,\n        \"strings\": [\n            {\n                \"name\": \"$a\",\n                \"type\": \"byte\",\n                \"value\": \"{ 33 C0 40 C2 18 00 33 C0 40 C2 2C 00 33 C0 40 C3 }\"\n            }\n        ]\n    }\n]\n```\n*YARA Rule in plyara format*\n\nThe results of retrohunts in [VirusTotal](https://www.virustotal.com) and [ReversingLabs](https://www.reversinglabs.com/) have uncovered around 45 unique files in the campaign which began in January. Full analysis of all those files is pending and I will report that in a future blog post.\n\nMalware that uses a benign file and loads a DLL makes automated malware analysis difficult. Running the DLL by itself or the Setup.exe by itself both yield no results. Therefore, before starting the manual reversing journey, I ran everything in app.any.run’s interactive sandbox.\n\nhttps://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\n\nI found that the file crashes when a file named “Setup.msg” is missing, and then produces a different error when it is present, but not what it probably expects. I then began the process of manual reversing. My setup is straightforward with three tools, [x64dbg](https://x64dbg.com/), [Process Hacker](https://processhacker.sourceforge.io/), and [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) in a Windows 7x64 VM. The key to analyzing a DLL like this is to set a breakpoint on the DLL being loaded in the benign file. You just need use the name of the DLL in configuring the breakpoint. Running up to the breakpoint leaves you at the entry point of the DLL. From there, stepping through the code reveals a number of interesting items. One is what appears to be an XOR key “Actx “. The trailing space is part of the data.\n\n![Debugger XOR Key.png](https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png)\n\nLooking at procmon to see what’s happening, the malware is observed to do a few checks for AV including Avira and ESET.\n\n![procmon1.png](https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png)\n\nIt also checks if CEIPEnable is set, which is part of [Windows Customer Experience Improvement Program](https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable). It also checks for the locales of both CodeGear and Borland.\n\n![Locales.png](https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png)\n\nI will write up the full behavior with registry, file system, and potentially network indicators in a future blog once I’ve got all of them sorted out. In the debugger, all the behavior up to the crash can be captured via sysmon.\n\n![First Crash.png](https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png)\n\nLooking at the file in [Cerbero Profiler](https://cerbero.io/profiler/), one sees that there is a debug directory present. Analyzing the structured exception handler will be detailed in a future post in this series.\n\n![Debug Directory.png](https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png)\n\nI hope this has been an enlightening blog post and I look forward to writing more in this series. On a side note, one of the people in the Slack channel asked how I arrived at the hex code snippet used in the YARA signature. It is based on both the concept outlined in the YouTube video above from ShmooCon coupled with the concept of David Bianco’s pyramid of pain. This type of signature aims for the top of the pyramid at the TTPs of the attacker. Armed with this signature, the adversary must change the code, which is in that most painful part of the pyramid. For more info on the pyramid of pain:\n\nhttps://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\n```\nimport \"pe\"\n\nrule AlphaBlend\n{\n    strings:\n        $a = { 33 C0 40 C2 18 00 33 C0 40 C2 2C 00 33 C0 40 C3 }\n    condition:\n        $a and pe.exports(\"AlphaBlend\")\n}\n```\n*YARA Rule*",
      "json_metadata": "{\"tags\":[\"reverse\",\"engineering\",\"threatintel\"],\"image\":[\"https://cdn.steemitimages.com/DQmX8N7rARW7sVaFStpYhC7CxzK6BzguYx6yd25HWUgPFjD/AlphaBlend%20Exports.png\",\"https://img.youtube.com/vi/_BfLSRjHWo8/0.jpg\",\"https://cdn.steemitimages.com/DQmcy1m11oa5sVTu5mW8CR5DzcaA91ZP9BQSSKg9XYedpgX/Hex%20View.png\",\"https://cdn.steemitimages.com/DQmRfifitm5ok8ZafvkaG2RUgTaBmPU8Qc7sgeccRF5Qcoy/Debugger%20XOR%20Key.png\",\"https://cdn.steemitimages.com/DQmePjnioPXKEJJGyxbRHgB9XihiC6j3hVL8jUdBiG6aisS/procmon1.png\",\"https://cdn.steemitimages.com/DQmZqE1eJ1xbsdTupEp3SiuGtodkDGoBqxwBngMuLUexQ2G/Locales.png\",\"https://cdn.steemitimages.com/DQmauASTjK2xXxktd5fhJuSzWdfwij6i2urPNciqMdU85Ky/First%20Crash.png\",\"https://cdn.steemitimages.com/DQmQux45oVzcxhEwtJF7fvvw6cnm4P92CZB6bHtECcpNeXA/Debug%20Directory.png\"],\"links\":[\"https://www.bing.com/search?q=ip%3A62.210.16.61\",\"https://www.intezer.com/intezer-analyze/\",\"https://analyze.intezer.com/#/analyses/bdefb307-3853-44bb-bb5d-037665d35052\",\"https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html\",\"http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor\",\"https://www.hopperapp.com/\",\"https://www.shmoocon.org/\",\"https://youtu.be/_BfLSRjHWo8\",\"https://www.synalysis.net/\",\"https://virustotal.github.io/yara/\",\"https://github.com/plyara/plyara\",\"https://www.virustotal.com\",\"https://www.reversinglabs.com/\",\"https://app.any.run/tasks/cc9eaa7c-5649-443d-9666-fd55a43cc0b6\",\"https://x64dbg.com/\",\"https://processhacker.sourceforge.io/\",\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\",\"https://docs.microsoft.com/en-us/windows/desktop/devnotes/ceipenable\",\"https://cerbero.io/profiler/\",\"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html\"],\"app\":\"steemit/0.1\",\"format\":\"markdown\"}"
    }
  ]
}

{
  "trx_id": "90a2b4ad1884622a096b52c8a19f51c5431a43c1",
  "block": 27524504,
  "trx_in_block": 37,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2018-11-08T16:23:09",
  "op": [
    "account_update",
    {
      "account": "utkonos",
      "owner": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM6JqeCotBywLAATAoY8WUfXRb5e7QVxXKANQJnGkdiy7uugA86h",
            1
          ]
        ]
      },
      "active": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM6GpYMDhArwgcLoTW74mhqn7AZuW6815VKGJMQXeR4851vny1Sk",
            1
          ]
        ]
      },
      "posting": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM8E2caQYYs9iXVZvzpGnXAyXxhzBEUpdQkfKrwZsLhUzw2zBi1f",
            1
          ]
        ]
      },
      "memo_key": "STM7V8ux3EhyLUb3NE8NwZVd2pLbBT657UHZ6TDzwChRFmGUmz2qK",
      "json_metadata": "{\"profile\":{\"name\":\"Malware Utkonos\"}}"
    }
  ]
}

{
  "trx_id": "fbc1e2eed219621915c21783148554ac300df0fa",
  "block": 22498555,
  "trx_in_block": 9,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2018-05-17T03:32:51",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "9138.517960 VESTS"
    }
  ]
}

{
  "trx_id": "bd796174e28859f66e94d6837caceffc4036a3d3",
  "block": 18820293,
  "trx_in_block": 34,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2018-01-09T07:14:51",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "29689.605909 VESTS"
    }
  ]
}

{
  "trx_id": "00c303a94560277612859ac9564df23dbf10a56b",
  "block": 14271473,
  "trx_in_block": 11,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2017-08-04T05:19:51",
  "op": [
    "delegate_vesting_shares",
    {
      "delegator": "steem",
      "delegatee": "utkonos",
      "vesting_shares": "29940.452358 VESTS"
    }
  ]
}

{
  "trx_id": "e93ed81507876bcb88789651d08896b8dbf3b7a2",
  "block": 12702994,
  "trx_in_block": 0,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2017-06-10T16:31:03",
  "op": [
    "account_update",
    {
      "account": "utkonos",
      "memo_key": "STM7j3BU5AFaGi49wsQchGzzzZ4T8hbgnixowyDzNBuJRCyiW4f5E",
      "json_metadata": "{\"profile\":{\"name\":\"Malware Utkonos\"}}"
    }
  ]
}

{
  "trx_id": "1c5f19bd67341abb362916c20440f207858d5bed",
  "block": 12702968,
  "trx_in_block": 0,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2017-06-10T16:29:45",
  "op": [
    "account_update",
    {
      "account": "utkonos",
      "owner": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM7A55GGgvfwCrbvixgMptka85KygfyEQH4U78j42myM3KsNQmT4",
            1
          ]
        ]
      },
      "active": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM56S3zwk362E1tpw7a9Muts6mmVBwiXF51P26zGsEMYqLsURw46",
            1
          ]
        ]
      },
      "posting": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM7nr1JHDj9XuL2RpR8yMPsy44bA4qW1oS1mAS8rRLJa3EzrJXts",
            1
          ]
        ]
      },
      "memo_key": "STM7j3BU5AFaGi49wsQchGzzzZ4T8hbgnixowyDzNBuJRCyiW4f5E",
      "json_metadata": ""
    }
  ]
}

{
  "trx_id": "be7713c602d3cab9f9a1b3377c53055eea9d0bce",
  "block": 12702908,
  "trx_in_block": 17,
  "op_in_trx": 0,
  "virtual_op": 0,
  "timestamp": "2017-06-10T16:26:45",
  "op": [
    "account_create_with_delegation",
    {
      "fee": "0.500 STEEM",
      "delegation": "57000.000000 VESTS",
      "creator": "steem",
      "new_account_name": "utkonos",
      "owner": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM721tmicsRuGfEhMobpRVChzPMh9adBC5ijkdRL35jgXbVb3hWH",
            1
          ]
        ]
      },
      "active": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM8VvPzphk99XB2qwhCrR3tjH5bc52TcnJkhGCfNShtxxow6Kh1G",
            1
          ]
        ]
      },
      "posting": {
        "weight_threshold": 1,
        "account_auths": [],
        "key_auths": [
          [
            "STM64NbDnZPamCECA4yoWCKdog3pWLFXf6jZs3GYtkFQWWPnpL9j1",
            1
          ]
        ]
      },
      "memo_key": "STM7bGA8ZprPbdyXt4hTCYpitvTYWxarfBmSD1pnzEmjGMGfC2db7",
      "json_metadata": "",
      "extensions": []
    }
  ]
}