Jump to content
Tuts 4 You

Help Unpacking


Recommended Posts

Hi, can anyone help me to figure out what this malware is packed with. PeID does not identify it, and VirusTotal gives these results from F-Prot and Authentium:

packers (F-Prot): PE-Armor, Malware_Prot.V

packers (Authentium): PE-Armor, Malware_Prot.V

I've attached the file in a password protected Rar, password is "password".

Any help would be appreciated. Thank you :)

Also, I'm new to these forums, so if I'm breaking any rules, please let me know.


Link to comment
Share on other sites

Thank you ragdog, GUnpacker appeared to have unpacked the file for me, however I think I still need to fix the IAT.

Both GUnpacker and deroko's oepfinder both tell me that my original entry point is most likely 402FD9, but imprec tells me that's wrong.

When this malware runs, it deletes itself almost immediately, so the only way I have been able to attach imprec to it has been by attaching to paused instance of it in olly.

On the plus side, looking the dumped file in hex mode, I noticed an abundance of "5A" bytes. When I XORd those blocks with 5A I was able to pull out a bunch of static strings that I couldn't get before, so I'm at least making some progress.

Am I even on the right track here? Thanks again, and if I'm asking things I should already know, please point me to the place I need to learn them..


Link to comment
Share on other sites

This malware probably is the PoisonIvy RAT. I've attached the unpacked file, the password for the archive is "password".

Thanks Armaked0n. I sent you a message.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...