MalwareBytes has a local database on the machine. It is a SQLite database. It contains settings for various properties such as licensing, malware identified, and known-good and known-bad lists. This is standard anti-malware stuff. The database with "ThankYouForChoosingMalwarebytes" is the less interesting database, as it mostly contains settings (this can still be abused though).
Regardless, MalwareBytes does a couple of things with this SQLite stuff:
MalwareBytes establishes a kernel-mode minifilter (mbam.sys). They set up minifilter callback routines to handle events on the system for process creation, process loading, and registry modification (Image 1).
In other words, MalwareBytes is notified immediately when a process is created or an executable image is loaded. When a process is created or an executable image is loaded, MalwareBytes has special functionality to temporarily "pause" execution so it can review it.
However, this "pause" happens faster than you or I can blink. Computers are fast.
mbam.sys creates an internal record of all processes running. When a new process is loaded it is added to this internal record. When a program is closed, it is removed from the record. It does this so it doesn't accidentally review or "pause" the same process twice.
When a program is added to this list, the kernel-mode component communicates with the user-mode component, which then signals and connects to a local SQLite database. The SQLite database then does a lookup to determine if the "paused" process is known or unknown (Image 2).
However, it should be noted, Image 2 is not the important SQLite instance I am looking for. This is something else MalwareBytes uses (and communicates with from its kernel-mode components). The point still stands.
If it is known, it communicates back to the kernel-mode component that it is known. If it is known, and known to be malicious, MalwareBytes takes action on the program attempting to run and immediately stops execution. If it is known to be good, MalwareBytes marks it internally as "seen" and keeps it in its internal record.
Image 3 is from the internal database they use. It's fairly large and is mostly settings. I still haven't found where the really nice, big, and important dataset they use is. It requires more poking and more sticks.
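A small Python model of the gating flow the post describes: the create/load callback "pauses" a new image, a per-PID record stops the same process from being reviewed twice, and a user-mode lookup against a SQLite known-good/known-bad table decides whether execution continues. This is an added illustration, not MalwareBytes' code; the table schema, sample hashes and all names are constructed.

```python
"""Toy model of a minifilter-driven process gate backed by a SQLite
verdict table. Constructed example: schema and hashes are made up."""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE verdicts (
    sha256  TEXT PRIMARY KEY,
    verdict TEXT NOT NULL CHECK (verdict IN ('good', 'bad'))
);
"""


def open_db():
    """In-memory stand-in for the local known-good/known-bad database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # Constructed rows: hashes of fake image bytes, not real samples.
    con.executemany("INSERT INTO verdicts VALUES (?, ?)", [
        (hashlib.sha256(b"notepad-image").hexdigest(), "good"),
        (hashlib.sha256(b"dropper-image").hexdigest(), "bad"),
    ])
    return con


class ProcessGate:
    """Kernel-side process record plus the user-mode verdict lookup."""

    def __init__(self, con):
        self.con = con
        self.record = {}   # pid -> {"sha256", "decision", "seen"}
        self.reviews = 0   # number of lookups that actually hit the database

    def lookup(self, digest):
        row = self.con.execute(
            "SELECT verdict FROM verdicts WHERE sha256 = ?", (digest,)
        ).fetchone()
        return row[0] if row else None

    def on_image_load(self, pid, image):
        """Create/load callback: record the process, review it once, decide."""
        if pid in self.record:                 # already reviewed: never pause twice
            return self.record[pid]["decision"]
        digest = hashlib.sha256(image).hexdigest()
        self.record[pid] = {"sha256": digest, "decision": None, "seen": False}
        self.reviews += 1
        verdict = self.lookup(digest)          # the "paused" window
        if verdict == "bad":
            self.on_process_exit(pid)          # execution stopped, entry dropped
            return "BLOCK"
        decision = "ALLOW" if verdict == "good" else "UNKNOWN"
        self.record[pid].update(decision=decision, seen=(verdict == "good"))
        return decision

    def on_process_exit(self, pid):
        """Exit callback: drop the entry so a reused PID is reviewed afresh."""
        self.record.pop(pid, None)


def demo():
    gate = ProcessGate(open_db())
    return [gate.on_image_load(100, b"notepad-image"),
            gate.on_image_load(200, b"dropper-image"),
            gate.on_image_load(300, b"never-seen-image")]
```

Note that an image absent from the table is neither allowed nor blocked by this lookup alone, which is why the post's "unknown" path matters for detection coverage.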
Going to do a write-up on poking MalwareBytes with a stick, how it works fundamentally, some possible attack vectors against it, ... then I'll do something else.
If you have any recommendations on what I should poke with a stick please let me know.
Hello,
We have hit a significant milestone. 400,000 followers.
What does this mean? I've got 400,000 little people inside of my internet. I don't know how so many tiny people got in here, but you're in there.
Thank you for the love and support. If any of you by chance happen to be extremely wealthy please consider giving me a large quantity of money so I don't have to do work.
I would love having a large quantity of money.
Mildly interesting things about this account's followers:
- Some of you are sex workers. Is this surprising that sex workers are on the internet? No. Is it surprising sex workers are interested in malware? Kind of. I'm aware some of the sex workers following this account are very famous and it surprised me.
- Some of you are employed by the United States government. I'm well aware some of you are employed by the FBI or NSA. It is very strange receiving a $5 monthly recurring donation from someone employed by the NSA. I'll take your money still.
- Some of you work for governments outside the United States. It is interesting receiving emails from foreign militaries asking about particular malware samples. It is also surprising some of you email me (unironically) from your military emails.
- Some of you are criminals. Yes, I see your emails and messages. I see you're ransoming places, developing ransomware, or extorting people. I speak with criminals less now because I have a baby boy and I don't want him to grow up thinking Daddy is an internet schizo.
- Some of you are regular people who do regular stuff. I see you commenting and being curious about stuff. It's surprising seeing teachers, or students, or local politicians, or geologists, or firefighters, or athletes, talking to me about malware. Once again, is it surprising normal people are on the internet? No. Is it interesting to see a random ass person curious about malware? Kind of. I enjoy it.
- Some of you are unironically professional video game players. If I ever want to be carried in a video game I WILL call in a favor.
- Some of you work for cool companies. I'm always delighted to get contacted by a company like Rockstar Games, or NVIDIA, or Walmart (unironically).
- Some of you are dead. I've lost several friends, peers, and colleagues since vx-underground was created. Sometimes I look at your accounts, scroll your post history, and feel sad.
Lots of cool people doing cool stuff. I appreciate the love and support over the past 6.5 years.
Cheers,
- smelly smellington
mY tEsLa iS sElF dRiViNg
This is ancient technology. Nothing new. My Dad's '94 Toyota had self driving capabilities.
It was called "cruise control".
All you did was flip the switch and then let Jesus take the wheel.
Sometimes we ran over pedestrians, drove on the sidewalk, sped through red lights, but God dammit it WORKED. We didn't need any "government" telling us how to cruise.
One time we got home and found a children's bicycle lodged in the grill of the car. Did we brag about it? No.
I have continued to poke MalwareBytes with a stick. I've written a little article about it.
I discuss their main executable, some of their minifilter stuff, their proprietary file format ... I haven't even scratched the surface. I am TIRED
https://malwaresourcecode.com/home/my-projects/write-ups/malwarebytes-internals-incomplete
MalwareBytes internals (incomplete) | malware source code
There is so much to reverse with their "SwissKnife", internal COM stuff, their internal protocol, their VPN technology, their hooking mechanisms.
I don't know if I got that dog in me to finish this. It's really interesting, but I want to do something else now.
One of my biggest weaknesses is writing. I hate writing.
My cybersecurity peers, colleagues, and friends who have the willpower to sit down and write and explain their work (or discoveries) are truly amazing.
I'd argue the process of writing is actually more difficult than the actual reverse engineering and/or development part. Partially because it's really boring, partially because it requires you to put structure and coherency on the madness floating around in your brain.
Huge shout-out to the nerds who have written big ass blog posts (or books).
Discussion on the internet today on the origins of traffic on the highway and the accordion effect it produces.
People were critical toward others who intentionally slowed down to be "nosey" about car accidents.
Let me be totally clear: I am one of those people.
I want to see the aftermath of a violent car accident. I am curious who is involved. I want to see a dead body. I 100% will slow down and take my time to inspect the scene. If possible, I will take out my phone and try to record it so I can show my friends later.
A few days ago malwrhunterteam discovered a new malware family (I think, I couldn't find any family overlap, vendors please confirm).
I poked it with a stick. I've named it Smokest.
It was deobfuscated by nullableVoidPtr. It's neato.
https://malwaresourcecode.com/home/my-projects/write-ups/smokest-stealer-a-new-malware-family-maybe
Smokest Stealer, a new malware family? Maybe? | malware source code
It should probably be noted their C2 leaks information (don't tell them that). It shows Smokest has stolen 5,850 passwords, 23,085 cookies, 0 wallets.
https://gist.github.com/vxunderground/87ce045ddfa57f05e53e65e423b51f49
Smokest Leaks
FYI: Security researcher pedro2sudo (I have no idea who they are, they just randomly send me pictures of cats) has noted the discovery of malware targeting HyTale.
What does this mean? I don't know. I'm not a NERD.
We've solved the mystery. Who's That Pokemon? It's CastleRAT a/k/a TAG-150!
Okay, here is the drama and scoop, or whatever. I don't know if anyone cares, but this has been a really interesting puzzle with lots of twists and turns.
Previously malwrhunterteam discovered an unusual malicious .MSI file called "TopWebComics". It dropped an obfuscated .JS file.
nullableVoidPtr deobfuscated the malicious .JS, I reverse engineered it and named it "Smokest Stealer". However, Kali3ndo went off my research notes and discovered that Smokest drops an additional malicious .PS1 file when Smokest connects to the C2.
The malicious .PS1 file drops a malicious .PY file, encoded with PyArmor. The Python script extracts a payload from a .JPEG.
After reviewing it, poking it with a stick, and having all sorts of fun, it turns out this payload was first noted by YungBinary in August 2025. This payload is CastleRAT (and tracked as TAG-150 by RecordedFuture).
CastleRAT payload found January 18th:
8d2e77912e2e1d9d8cafb76d4562686cfaad556ca1df1919bfba304b31193402
"Smokest Stealer" MSI:
5a1c14335d0a8b007ff2813e6ef738e8836be38257cc82fe03c02b71d71e1b01
"Smokest Stealer" JS:
29e13df9547d4e85e7ca3fc5b95eab90f56a233aabc406638bee2ded368acd3d
Thank you to my peers and colleagues for reversing this with me throughout the day and having fun with it. This was a very silly malware sample.
More information about Threat Actor Group (TAG) 150:
https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations
From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure
Insikt Group reveals TAG-150's multi-tiered infrastructure and CastleRAT malware, an advanced threat actor evolving rapidly with stealth and scale.
Big news coming later today. It'll be the slopocalypse.
I don't feel like writing about it right now, because I'm tired from a teething baby with sleep regression, but basically all these fucking AI vibe coders are using Firebase and like, 22,000,000 records are exposed, or something, an outrageously high number.
Also, a disgustingly high amount of people trying to use AI for CSAM.
It's not my research, it's someone else's, but I want to give them a proper shout out and explanation of their work.
I cannot stress this enough: DO NOT TRUST VIBE CODERS. DO NOT DO IT. AI CODE IS NOT SECURE. DO NOT DO IT. STOP THE SLOP.