Open
Description
I'm analyzing some malware samples to check their similarity. I came across two samples giving a similarity of 100, but at the same time they are totally different. Using 010 Editor I found that the only bytes they share are the PE MS-DOS header and some sequences of 0s, so their similarity should be around 0. You can find those two samples in this zip archive: samples.zip.
THOSE ARE REAL WINDOWS MALWARE, DON'T EXECUTE THEM UNLESS YOU ARE IN A CONTROLLED ENVIRONMENT. The password of the archive is: "infected". What I'd like to understand is whether this is a bug in the sdhash algorithm, a bug in the sdhash implementation, or the expected behavior.
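An added sanity check (not part of this issue or of the sdhash project) that quantifies what the reporter observed: it compares two files chunk-wise, first naively and then after discarding the MS-DOS header/stub (everything before `e_lfanew`) and zero-filled chunks, so that shared low-information regions no longer count as similarity. The two byte strings are constructed stand-ins that share only a DOS header and zero runs, and the 64-byte chunk size is an assumption; replace them with the bytes of the real samples to run the check on them.

```python
import hashlib

CHUNK = 64  # assumed chunk size for the comparison

# Constructed stand-ins for the two samples (NOT the real malware):
# identical 64-byte MS-DOS header, long zero runs, unrelated payloads.
DOS_HEADER = b"MZ" + bytes(58) + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
SAMPLE_A = DOS_HEADER + bytes(192) + bytes(range(256)) * 8 + bytes(512)
SAMPLE_B = DOS_HEADER + bytes(192) + bytes(range(255, -1, -1)) * 8 + bytes(512)


def pe_header_end(data: bytes) -> int:
    """Offset of the PE signature (e_lfanew). Everything before it is the
    MS-DOS header and stub, which nearly all Windows executables share."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return 0
    return int.from_bytes(data[0x3C:0x40], "little")


def all_chunks(data: bytes, size: int = CHUNK) -> set:
    """Naive view: hash every fixed-size chunk, header and padding included."""
    return {hashlib.sha256(data[i:i + size]).digest()
            for i in range(0, len(data), size)}


def informative_chunks(data: bytes, size: int = CHUNK) -> set:
    """Filtered view: skip the DOS header/stub and any all-zero chunk."""
    out = set()
    for off in range(pe_header_end(data), len(data), size):
        chunk = data[off:off + size]
        if chunk.count(0) == len(chunk):  # zero-filled padding/alignment
            continue
        out.add(hashlib.sha256(chunk).digest())
    return out


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def naive_similarity(x: bytes, y: bytes) -> float:
    return jaccard(all_chunks(x), all_chunks(y))


def filtered_similarity(x: bytes, y: bytes) -> float:
    return jaccard(informative_chunks(x), informative_chunks(y))


if __name__ == "__main__":
    # For real files: open(path, "rb").read() for each sample.
    print("naive:   ", naive_similarity(SAMPLE_A, SAMPLE_B))     # 0.2
    print("filtered:", filtered_similarity(SAMPLE_A, SAMPLE_B))  # 0.0
```

A non-zero filtered score means the files share real content; a score that collapses to zero once the header and zero runs are dropped, as here, indicates the naive overlap came only from boilerplate.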