Tuts 4 You

Zbot Malware Unpacking



Hi everyone,

I have tried to unpack the Zbot malware, but I cannot fully unpack it because it is packed with ASPack.

I have found the last loaded DLL and imported function by setting the LoadLibraryA/W and GetProcAddress functions (the last loaded DLL is ntmarta.dll and the last function is GetMartaExtensionInterface). I have continued to exit from the unpacking stub.


I've reached the marked address and I selected the Analyze Code option.

Last state,


and I was dumping the debugged process using OllyDump, but this address may not be the OEP; also, the IAT could not be fully repaired. I cannot progress any further.

Can you help me, please? I have tested all of the known techniques. Do you have any idea?

I'll attach as much of the unpacked program's IDA output as I can.

https://www.dosya.tc/server24/g6s9ux/Zbot.7z.html (IDA output)




Edited by Pacman