This study aims to identify and understand the technical characteristics of the malware output.exe, obtained from the MalwareBazaar repository, through a hybrid reverse engineering approach. This method combines static and dynamic analysis to give a comprehensive picture of the malware's internal structure, execution behavior, and evasion techniques. Static analysis revealed calls to system functions such as CreateProcessW and RegSetValueExA, as well as the use of syscall to execute PowerShell commands directly, indicating use of the LOLBAS (Living off the Land Binaries and Scripts) technique. Dynamic analysis in CAPE Sandbox confirmed the malware's actual behavior, including process injection into legitimate processes such as svchost.exe, launching powershell.exe to compress data, and establishing network communication with a Discord Webhook for data exfiltration. Integrating both analyses shows that output.exe functions as an information stealer with fileless execution and advanced persistence mechanisms. These findings demonstrate that the hybrid analysis approach is effective at identifying modern malware that leverages legitimate system components to evade traditional signature-based detection.
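The behaviors the abstract reports (a PowerShell child spawned for compression, a RegSetValueExA write used for persistence, injection into svchost.exe, and an outbound Discord Webhook request) translate directly into detection logic. The following is an added example, not code from the study or from CAPE Sandbox: it runs simple rules over a constructed, simplified JSON-lines event log whose schema (`type`, `pid`, `child_image`, `key`, `target_pid`, `url`, ...) is assumed for this example and is not CAPE's real report format. The Run-key path, the PLACEHOLDER webhook URL and the process IDs are constructed sample values; the MITRE ATT&CK technique IDs in the rule names are this example's own mapping. The injection map is the part worth noting: once output.exe injects into svchost.exe, later network activity from that svchost.exe PID is attributed back to the injector, so the webhook POST is scored against the sample rather than against a legitimate system process.

```python
import json
import re

# Constructed sample event log (NOT real CAPE Sandbox output): one JSON object
# per line, in a simplified schema assumed for this example. PIDs, paths and
# the PLACEHOLDER webhook URL are made up.
SAMPLE_EVENTS = r"""
{"pid": 1200, "ppid": 800, "image": "C:\\Users\\lab\\output.exe", "type": "process_create", "api": "CreateProcessW", "child_pid": 1300, "child_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command Compress-Archive -Path C:\\Users\\lab\\Documents -DestinationPath C:\\Users\\lab\\AppData\\Local\\Temp\\stage.zip"}
{"pid": 1200, "image": "C:\\Users\\lab\\output.exe", "type": "registry_write", "api": "RegSetValueExA", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "Updater", "data": "C:\\Users\\lab\\output.exe"}
{"pid": 1200, "image": "C:\\Users\\lab\\output.exe", "type": "process_inject", "target_pid": 1340, "target_image": "C:\\Windows\\System32\\svchost.exe"}
{"pid": 1340, "image": "C:\\Windows\\System32\\svchost.exe", "type": "http_request", "method": "POST", "url": "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"}
{"pid": 2200, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "type": "process_create", "api": "CreateProcessW", "child_pid": 2300, "child_image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

# Indicators derived from the behaviors described in the abstract.
WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
COMPRESS_RE = re.compile(r"Compress-Archive|ZipFile\]::CreateFromDirectory", re.I)


def load_events(text):
    """Parse the JSON-lines log into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (root_pid, technique, detail) findings.

    root_pid is the PID the activity is attributed to: for a process that was
    injected into, that is the injector, not the legitimate host process.
    """
    injected = {}  # target_pid -> root pid of the process that injected into it
    findings = []
    for ev in events:
        kind = ev.get("type")
        root = injected.get(ev["pid"], ev["pid"])
        if kind == "process_inject":
            injected[ev["target_pid"]] = root
            findings.append((root, "T1055 process injection",
                             f"into {basename(ev['target_image'])} pid {ev['target_pid']}"))
        elif (kind == "process_create"
              and basename(ev["child_image"]) == "powershell.exe"
              and COMPRESS_RE.search(ev.get("cmdline", ""))):
            findings.append((root, "T1059.001 PowerShell data staging", ev["cmdline"]))
        elif kind == "registry_write" and RUN_KEY_RE.search(ev.get("key", "")):
            findings.append((root, "T1547.001 Run-key persistence",
                             f"{ev['key']}\\{ev['value_name']} = {ev['data']}"))
        elif kind == "http_request" and WEBHOOK_RE.search(ev.get("url", "")):
            findings.append((root, "T1567 exfiltration over Discord webhook",
                             f"{ev['method']} issued from {basename(ev['image'])}"))
    return findings


def verdict(findings, threshold=3):
    """Label each root PID by how many distinct techniques were observed."""
    techniques_by_pid = {}
    for pid, technique, _ in findings:
        techniques_by_pid.setdefault(pid, set()).add(technique.split()[0])
    return {pid: ("infostealer-like" if len(t) >= threshold else "suspicious")
            for pid, t in techniques_by_pid.items()}


if __name__ == "__main__":
    found = detect(load_events(SAMPLE_EVENTS))
    for pid, technique, detail in found:
        print(f"pid {pid}: {technique}: {detail}")
    print(verdict(found))
```

On the constructed log the four findings all resolve to PID 1200 (output.exe), including the webhook POST that svchost.exe actually issued, and the benign explorer.exe -> notepad.exe creation produces nothing. The threshold in `verdict` is deliberately a count of distinct techniques rather than a single indicator, since any one of these behaviors also occurs in legitimate software.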
Copyright © 2026