Published on June 20th, 2018
Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
Open Analysis Live! We unpack TrickBot and extract its configuration file using x64dbg and a Python script from the KevinTheHermit project.
Packed sample (download the zip file):
Sha256: fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074
http://www.malware-traffic-analysis.net/2018/05/16/index.html
Unpacked Stage 2:
Sha256: 5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
https://malshare.com/sample.php?action=detail&hash=89ae5e21d6cf455f467cfaf62350848c
Unpacked Stage 3 (Trickbot payload):
Sha256: 54dd37adfb6917060392a89b539b8402c7166f452cd5534df6ea9df607908181
https://malshare.com/sample.php?action=detail&hash=442da27968cc93d780cfd96c2399950c
KevinTheHermit config extractors:
https://github.com/kevthehermit/RATDecoders
Modified standalone version of TrickBot extractor:
https://gist.github.com/herrcore/35ad5644f940012487e3aff5034bff74
Sysopfb GitHub (more malware analysis scripts):
https://github.com/sysopfb
x64dbg:
https://x64dbg.com/#start
More TrickBot samples to practice unpacking:
http://www.malware-traffic-analysis.net/2018/05/24/index2.html
http://www.malware-traffic-analysis.net/2018/05/25/index2.html
http://www.malware-traffic-analysis.net/2018/05/15/index2.html
http://www.malware-traffic-analysis.net/2018/05/01/index2.html
Tutorial on self-injection unpacking:
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net