Help Unpacking

[pichoo]

Hi, can anyone help me to figure out what this malware is packed with. PeID does not identify it, and VirusTotal gives these results from F-Prot and Authentium:

packers (F-Prot): PE-Armor, Malware_Prot.V

packers (Authentium): PE-Armor, Malware_Prot.V

I've attached the file in a password protected Rar, password is "password".

Any help would be appreciated. Thank you

Also, I'm new to these forums, so if I'm breaking any rules, please let me know.

malware.rar

[ragdog]

Hi

Have you try this unpack with GUnpacker v0.41

this unpack PE-Armor 0.46, 0.49, 0.75, 0.765

I hope it helps

Greets,

[pichoo]

Thank you ragdog, GUnpacker appeared to have unpacked the file for me, however I think I still need to fix the IAT.

Both GUnpacker and deroko's oepfinder both tell me that my original entry point is most likely 402FD9, but imprec tells me that's wrong.

When this malware runs, it deletes itself almost immediately, so the only way I have been able to attach imprec to it has been by attaching to paused instance of it in olly.

On the plus side, looking the dumped file in hex mode, I noticed an abundance of "5A" bytes. When I XORd those blocks with 5A I was able to pull out a bunch of static strings that I couldn't get before, so I'm at least making some progress.

Am I even on the right track here? Thanks again, and if I'm asking things I should already know, please point me to the place I need to learn them..

-

[Armaked0n]

This malware probably is the PoisonIvy RAT. I've attached the unpacked file, the password for the archive is "password".

unpacked.rar

[pichoo]

This malware probably is the PoisonIvy RAT. I've attached the unpacked file, the password for the archive is "password".

Thanks Armaked0n. I sent you a message.