OALabs | Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg @OALABS | Uploaded 6 years ago | Updated 2 hours ago
Open Analysis Live! We use IDA Pro and x64dbg to take a second look at Gootkit and determine how it uses files name checks to evade analysis. Expand for more...
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Our original Gootkit unpacking video where we explain the packer and dumping from memory.
youtu.be/242Tn0IL2jE
Packed sample:
Sha256:
da336edead5e63d2759ebe1414575ce7f07162f28a99fa55a4d8badfc87b6720
malshare.com/sample.php?action=detail&hash=ef4cf20e80a95791d76b3df8d9096f60
Unpacked Gootkit (stage 1):
Sha256: b0d421e2d415e0e5a4b94e4adaa8a6625405db3739156e79b2e85ba2fb1d6067
malshare.com/sample.php?action=detail&hash=f92aa495c4f932a1f0a7dd7669d592e4
Excellent blog from @r3mrum on crc32 hashes and Gootkit:
r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control
Lastline CRC32 hashes for Gootkit:
lastline.com/labsblog/evasive-malware-tricks
x64dbg:
x64dbg.com/#start
IDA:
hex-rays.com/products/ida/support/download_freeware.shtml
Feedback, questions, and suggestions are always welcome : )
Sergei twitter.com/herrcore
Sean twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
Open Analysis Live! We use IDA Pro and x64dbg to take a second look at Gootkit and determine how it uses files name checks to evade analysis. Expand for more...
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Our original Gootkit unpacking video where we explain the packer and dumping from memory.
youtu.be/242Tn0IL2jE
Packed sample:
Sha256:
da336edead5e63d2759ebe1414575ce7f07162f28a99fa55a4d8badfc87b6720
malshare.com/sample.php?action=detail&hash=ef4cf20e80a95791d76b3df8d9096f60
Unpacked Gootkit (stage 1):
Sha256: b0d421e2d415e0e5a4b94e4adaa8a6625405db3739156e79b2e85ba2fb1d6067
malshare.com/sample.php?action=detail&hash=f92aa495c4f932a1f0a7dd7669d592e4
Excellent blog from @r3mrum on crc32 hashes and Gootkit:
r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control
Lastline CRC32 hashes for Gootkit:
lastline.com/labsblog/evasive-malware-tricks
x64dbg:
x64dbg.com/#start
IDA:
hex-rays.com/products/ida/support/download_freeware.shtml
Feedback, questions, and suggestions are always welcome : )
Sergei twitter.com/herrcore
Sean twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
![What The Security Industry Should Know About Reverse Engineering [ Reverse Engineering AMA ]](https://i.ytimg.com/vi/SffxAVWmbk4/hqdefault.jpg "What The Security Industry Should Know About Reverse Engineering [ Reverse Engineering AMA ]
What is one thing you wish your peers in the security industry knew about reverse engineering?
Big thanks to all the reverse engineers who helped us put this together!
Rattle (Jesko)
https://twitter.com/huettenhain
https://github.com/binref/refinery
Jordan (psifertex)
https://twitter.com/psifertex
https://binary.ninja/
Karsten
https://twitter.com/struppigel
https://www.youtube.com/c/MalwareAnalysisForHedgehogs
Drakonia
https://twitter.com/dr4k0nia
https://dr4k0nia.github.io/
C3rb3ru5
https://twitter.com/c3rb3ru5d3d53c
https://c3rb3ru5d3d53c.github.io/
Josh
https://twitter.com/jershmagersh
https://pwnage.io/
Dodo
https://twitter.com/dodo_sec
https://github.com/dodo-sec
Washi
https://twitter.com/washi_dev
https://washi.dev/
OALABS PATREON
https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/")
![Control Flow Flattening Obfuscation Explained Practically [ Twitch Clip ]](https://i.ytimg.com/vi/SulC2l1Dvbo/hqdefault.jpg "Control Flow Flattening Obfuscation Explained Practically [ Twitch Clip ]
Twitch Clip - A practical explanation of control flow flattening obfuscation linking the concept to actual code in IDA Pro. See more on https://www.patreon.com/oalabs
OALABS DISCORD
https://discord.gg/6h5Bh5AMDU
OALABS PATREON
https://www.patreon.com/oalabs
Twitch
https://www.twitch.tv/oalabslive
OALABS GITHUB
https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/
Research notes with Deobfuscation code for IDA Pro and Dumpulator: https://research.openanalysis.net/pandora/ransomware/malware/unpacking/dumpulator/emulation/2022/03/19/pandora_ransomware.html
Sample: 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b")
