Can't identify packer

[Fizban]

Hi everyone

I'm trying to unpack a certain malware file which has some sort of protector on it and i can't seem to manually unpack it.

I'm pretty new to the trade and maybe i "over shot" a little here but is there anyone who can help me?

I'd appreciate some pointers on how to solve this.

I'm uploading the sample here.

Password: malware

Thanks in advance!

p.s: needless to say, this is Malware, so use a Virtual Machine

malware.zip

[quosego]

Defenitely custom, and quite nice as well.

It first decrypts the preliminary loader, set bp on 40135a and skip the ret loop to get to the preliminary loader. Then loads another PE which it decrypts, PE is untouched you can dump it as is..

In this new PE it allocs a section writes decrypt routines there executes them then returns to the PE (return is a jmp register), loads all imports and then finally executes the malware.

Which seems to be a cookie snatcher.

Also has some nice antitrace/debug..

Edited July 29, 2009 by quosego

[Fizban]

Defenitely custom, and quite nice as well.

It first decrypts the preliminary loader, set bp on 40135a and skip the ret loop to get to the preliminary loader. Then loads another PE which it decrypts, PE is untouched you can dump it as is..

In this new PE it allocs a section writes decrypt routines there executes them then returns to the PE (return is a jmp register), loads all imports and then finally executes the malware.

Which seems to be a cookie snatcher.

Also has some nice antitrace/debug..

Thanks quosego

I actually made it through the first routine (bp on 40135a) but i got stuck after it.

i can't seem to find where it "kicks me out".

Is there a chance you can explain to me how did you get to the last part before it launched the malware? (I'm trying to learn ).