Pacman
Posted November 30, 2019 (edited)

Hi everyone,

I have tried to unpack the Zbot malware, but I cannot fully unpack it because it is packed with Aspack. I have found the last loaded DLL and import function by setting LoadLibraryA/W and GetProcAddress functions (the last loaded DLL is ntmarta.dll and the last function is GetMartaExtensionInterface). I have continued to the exit from the unpacking stub. I've reached the marked address and I selected the Analyze Code option. In the last state, I dumped the debugged process using OllyDump, but this address may not be the OEP, and the IAT could not be fully repaired. I cannot progress further. Can you help me please? I have tested all of the known techniques. Do you have any ideas? I'll attach as much of the unpacked program's IDA output as I can.

https://www.dosya.tc/server24/g6s9ux/Zbot.7z.html (IDA output)

8a0c95be8a40ae5419f7d97bb3e91b2b.ex~

Edited November 30, 2019 by Pacman