Sample
- SHA256: 5544e6c66cbf6503cddef2797acbff4fb81ededaef2334a596e6484cfaa0b8e8
- Difficulty: medium
- Platform: Windows
- Tags: dll sideloading packed shellcode
- Likes: 0
- Views: 29
- Submitter: struppigel
Analysis
Goal
Unpack the payload. This can be done either with a debugger or using only static unpacking with binary refinery. Note: the payload is obfuscated with VMProtect; deobfuscating it is not part of the task.
Description
This is a 7z archive containing an exe, a dll and an ini file. The ini contains encrypted shellcode, which in turn loads the payload, so there are two unpacking stages. You can unpack everything either with binary refinery and Ghidra alone or by using breakpoints in a debugger.
Recommended Tools
binary refinery, x64dbg, Ghidra