OALabs | Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg @OALABS | Uploaded 6 years ago | Updated 2 hours ago
Open Analysis Live! We use IDA Pro and x64dbg to take a second look at Gootkit and determine how it uses file name checks (comparing CRC32 hashes of file names against a built-in list) to evade analysis. Expand for more...
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Our original Gootkit unpacking video where we explain the packer and dumping from memory.
youtu.be/242Tn0IL2jE
Packed sample:
Sha256:
da336edead5e63d2759ebe1414575ce7f07162f28a99fa55a4d8badfc87b6720
malshare.com/sample.php?action=detail&hash=ef4cf20e80a95791d76b3df8d9096f60
Unpacked Gootkit (stage 1):
Sha256: b0d421e2d415e0e5a4b94e4adaa8a6625405db3739156e79b2e85ba2fb1d6067
malshare.com/sample.php?action=detail&hash=f92aa495c4f932a1f0a7dd7669d592e4
Excellent blog from @r3mrum on crc32 hashes and Gootkit:
r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control
Lastline CRC32 hashes for Gootkit:
lastline.com/labsblog/evasive-malware-tricks
x64dbg:
x64dbg.com/#start
IDA:
hex-rays.com/products/ida/support/download_freeware.shtml
Feedback, questions, and suggestions are always welcome : )
Sergei twitter.com/herrcore
Sean twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
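The two blog posts linked above cover the anti-analysis trick in detail: instead of comparing its own file name against plaintext strings like "sample.exe", the malware stores only CRC32 hashes and hashes the name at runtime, so the blocklist is not visible in a strings dump. The script below is an added example (written for this page, not code from OALabs or from the Gootkit sample) showing both halves of that: emulating the check the malware performs, and recovering the plaintext names behind a set of hashes by hashing a candidate list. It assumes the standard CRC-32 as computed by zlib over the lower-cased basename; the exact normalization Gootkit applies (case folding, encoding, whether the extension is included) is not described on this page and has to be confirmed in the debugger. The candidate name list and the "blocked" hash set are constructed for the example.

```python
import zlib

# Constructed candidate list: names analysts commonly give samples, plus a few
# analysis tools. Illustrative only; not the list carried by Gootkit.
CANDIDATE_NAMES = [
    "sample.exe", "malware.exe", "virus.exe", "test.exe", "sandbox.exe",
    "x64dbg.exe", "x32dbg.exe", "idaq.exe", "ollydbg.exe", "procmon.exe",
    "wireshark.exe", "gootkit.exe",
]


def crc32_name(name: str) -> int:
    """CRC-32 (IEEE polynomial, as zlib computes it) of the lower-cased,
    UTF-8 encoded name. Assumption: lower-casing and UTF-8 are our choice
    here; verify the real sample's normalization before reusing the hashes."""
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


def basename(path: str) -> str:
    """Return the final path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_blocked(path: str, blocked_hashes: set) -> bool:
    """Emulates the evasion check: hash the binary's own basename and look
    it up in the embedded hash set. A hit means 'being analysed', and the
    malware would typically exit or misbehave."""
    return crc32_name(basename(path)) in blocked_hashes


def build_table(names) -> dict:
    """Precompute hash -> name for every candidate, so that hashes pulled
    from the binary can be resolved without brute force."""
    return {crc32_name(n): n.lower() for n in names}


def resolve_hashes(hashes, names=CANDIDATE_NAMES) -> dict:
    """Map each hash to the candidate name that produces it, or None if no
    candidate matches (meaning the list needs more guesses)."""
    table = build_table(names)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed "embedded" blocklist: what an analyst would pull out of
    # the binary as raw 32-bit constants.
    blocked = {crc32_name("sample.exe"), crc32_name("x64dbg.exe"), 0xDEADBEEF}
    for h, name in resolve_hashes(blocked).items():
        print(f"{h:08x} -> {name}")
    print(is_blocked(r"C:\Users\me\Desktop\SAMPLE.EXE", blocked))
    print(is_blocked(r"C:\Users\me\Desktop\notepad.exe", blocked))
```

When resolving hashes pulled from a real sample, feed `resolve_hashes` a larger wordlist (tool names, common sample names, sandbox user and host names) and treat every `None` as a name still to be guessed; any hash that resolves tells you exactly which artifact to rename to get past the check, which is the same conclusion the debugging session in the video reaches by stepping through the comparison.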