{
	"id": "ef476955-f24f-4d31-8a5a-5fabcb39d484",
	"created_at": "2026-04-06T01:32:25.137452Z",
	"updated_at": "2026-04-10T03:20:59.319178Z",
	"deleted_at": null,
	"sha1_hash": "f47a8d5806add6a11973a4a82a1edcdf4f1cae03",
	"title": "An Exhaustively Analyzed IDB for ComLook — Möbius Strip Reverse Engineering",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37021,
	"plain_text": "An Exhaustively Analyzed IDB for ComLook — Möbius Strip Reverse Engineering\r\nBy Rolf Rolles\r\nPublished: 2022-01-25 · Archived: 2026-04-06 00:20:32 UTC\r\nThis blog entry announces the release of an exhaustive analysis of ComLook, a newly-discovered malware family\r\nabout which little information has been published. It was recently discovered by ClearSky Cyber Security, and\r\nannounced in a thread on Twitter. You can find the IDB for the DLL here, in which every function has been\r\nanalyzed, and every data structure has been recovered.\r\nLike the previous two entries in this series on ComRAT v4 and FlawedGrace, I did this analysis as part of my\r\npreparation for an upcoming class on C++ reverse engineering. The analysis took about one and a half days\r\n(done on Friday and Saturday). ComLook is an Outlook plugin that masquerades as Antispam Marisuite v1.7.4 for\r\nThe Bat!. It is fairly standard as far as remote-access trojans go; it spawns a thread to retrieve messages from a\r\nC\u0026C server over IMAP, and processes incoming messages in a loop. Its command vocabulary is limited; it can\r\nonly read and write files to the victim server, run commands and retrieve the output, and update/retrieve the\r\ncurrent configuration (which is saved persistently in the registry). See the IDB for complete details.\r\n(Note that if you are interested in the forthcoming C++ training class, it is nearing completion, and should be\r\navailable in Q2 2022. More generally, remote public classes (where individual students can sign up) are\r\ntemporarily suspended; remote private classes (multiple students on behalf of the same organization) are currently\r\navailable. If you would like to be notified when public classes become available, or when the C++ course is ready,\r\nplease sign up on our no-spam, very low-volume, course notification mailing list. Click the button that says\r\n\"Provide your email to be notified of public course availability\".)\r\nThis analysis was performed with IDA Pro 7.7 and Hex-Rays 32-bit. All analysis has been done in Hex-Rays; go\r\nthere for all the gory details, and don't expect much from the disassembly listing. All of the programmer-created\r\ndata structures have been recovered and applied to the proper Hex-Rays variables. The functionality has been\r\norganized into folders, as in the following screenshot:\r\nSource: https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.msreverseengineering.com/blog/2022/1/25/an-exhaustively-analyzed-idb-for-comlook"
	],
	"report_names": [
		"an-exhaustively-analyzed-idb-for-comlook"
	],
	"threat_actors": [],
	"ts_created_at": 1775439145,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f47a8d5806add6a11973a4a82a1edcdf4f1cae03.pdf",
		"text": "https://archive.orkl.eu/f47a8d5806add6a11973a4a82a1edcdf4f1cae03.txt",
		"img": "https://archive.orkl.eu/f47a8d5806add6a11973a4a82a1edcdf4f1cae03.jpg"
	}
}