Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Zbot Malware Unpacking

Pacman
Pacman
in Malware Reverse Engineering

Featured Replies

Posted

Hi everyone,

I have tried to unpack the Zbot malware but I cannot fully unpack because packed as Aspack.

I have found last loaded dll and import function by setting LoadLibraryA/W and GetProcAddress functions(loaded last dll is ntmarta.dll and last function is GetMartaExtensionInterface). I have continued to exit from unpacking stub. 

image.png

I've reached the marked address and I selected Analyze Code option.

Last state,

image.png.37b9017c7e15cf724a954b0ec5663868.png

and I was dumping debugged process using OllyDump but this address may not OEP also IAT could not be fully repaired. I cannot progress more.

Can you help me please? I have tested known all of techniques. Have you an idea?

I'll attach unpacked program's IDA output as much as I can.

https://www.dosya.tc/server24/g6s9ux/Zbot.7z.html(IDA output)

 

8a0c95be8a40ae5419f7d97bb3e91b2b.ex~

 

Edited by Pacman

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.