Sample
- SHA256
-
7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d - Difficulty
- medium
- Platform
- Windows
- Tags
- cryptbot packed
- Likes
- 0
- Views
- 9
- Submitter
- struppigel
Analysis
Goal
Unpack the file using the debugger and breakpoints method
Description
cryptbot.zip
contains the file 7ccda59528c0151bc9f11b7f25f8291d99bcf541488c009ef14e2a104e6f0c5d
excluded.txt
kernel32;IsBadReadPtr
kernel32;IsBadWritePtr
winmm;timeGetTime
ucrtbase;malloc
ucrtbase;free
params.txt
kernel32;LoadLibraryW;1
kernel32;LoadLibraryA;1
kernel32;GetProcAddress;2
advapi32;RegQueryValueW;3
kernel32;CreateFileW;6
user32;FindWindowA;2
kernelbase;GetEnvironmentVariableA;3
kernelbase;GetEnvironmentVariableW;3
ucrtbase;strchr;2
kernel32;lstrcmpiA;2
kernel32;VirtualAlloc;4
ntdll;LdrGetProcedureAddress;4
kernel32;VirtualProtectEx;5
kernel32;WriteProcessMemory;5
kernel32;VirtualAllocEx;5
kernel32;CreateProcessA;10
ntdll;LdrLoadDll;4
kernel32;CreateRemoteThread;7
kernelbase;GetProcAddressForCaller;3
ucrtbase;strlen;1
ucrtbase;fputc;2
advapi32;RegOpenKeyA;3
kernel32;CreateFileA;7
TinyTracer.ini
ENABLE_SHORT_LOGGING=True
USE_DEBUG_SYMBOLS=False
FOLLOW_SHELLCODES=2
;FOLLOW_SHELLCODES:
; 0 : trace only the main target module
; 1 : follow only the first shellcode called from the main module
; 2 : follow also the shellcodes called recursively from the the original shellcode
; 3 : follow any shellcodes
FOLLOW_CHILDPROCESSES=False
TRACE_RDTSC=False
TRACE_INT=False
TRACE_SYSCALL=True
LOG_SECTIONS_TRANSITIONS=True
LOG_SHELLCODES_TRANSITIONS=True
LOG_INDIRECT_CALLS=False
HEXDUMP_SIZE=8
HOOK_SLEEP=False
SLEEP_TIME=0
STOP_OFFSET_TIME=30
;STOP_OFFSET_TIME (dec):
; For how many seconds the execution should pause on a stop offset (defined by stop_offsets.txt)
DISASM_START=0
;DISASM_START (hex):
; An RVA in the traced module from which the disasm should start
DISASM_STOP=0
;DISASM_STOP (hex):
; An RVA in the traced module on which the disasm should end
DISASM_CTX=False
;DISASM_CTX:
; When in disasm mode: show the registers changed by every instruction
ANTIDEBUG=1
;ANTIDEBUG: (Windows only)
; 0 : Disabled
; 1 : Standard
; 2 : Deep (may lead to some false positives)
ANTIVM=1
;ANTIVM: (Windows only)
; 0 : Disabled
; 1 : Standard
; Settings for ANTIVM enabled:
EMULATE_HYPERV=False
; Settings for ANTIDEBUG enabled:
EMULATE_SINGLE_STEP=True
;EMULATE_SINGLE_STEP:
; On True: when the trap flag was set, throw the SINGLE_STEP exception
; On False: the trap flag will be removed and ignored (no exception)
LOG_RETURN_VALUE=False
FOLLOW_ARGS_RETURN=False
PARSE_EXPORTS=False
;PARSE_EXPORTS:
; Enable manual exports parsing on module load (from a file). Helpful if in-memory headers were corrupt.
VOLUME_ID=0
;VOLUME_ID(hex) (Windows only)
; If set, the value will be used as VolumeSerialNumber
Recommended Tools
tiny tracer x64dbg
Comments
Please login to view and post comments.