REvil Ransomware Unpacked - Cheeky Hack To Build Import Address Table

Update: 2019-07-30
Description

Just a quick tutorial on how to unpack Sodinokibi (REvil) ransomware, plus a neat hack for building a fake import address table (IAT) for a binary that resolves its imports dynamically at runtime. We use x64dbg, Scylla, and IDA Free.

Packed ransomware:
bf7114f025fff7dbc6b7aff8e4edb0dd8a7b53c3766429a3c5f10142609968f9
https://malshare.com/sample.php?action=detail&hash=61c19e7ce627da9b5004371f867a47d3

Clean dump of unpacked ransomware:
5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93
https://malshare.com/sample.php?action=detail&hash=890a58f200dfff23165df9e1b088e58f

Unpacked ransomware with hacked IAT:
ffae85401d87052ef22aaabf8e941c5f9096056e0b586f0b463cc6b0254463ea
https://malshare.com/sample.php?action=detail&hash=fb9d11c5ff87dd9071ab44f4c562ca3e

Feedback, questions, and suggestions are always welcome : )

Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at https://www.openanalysis.net

#x64dbg #Ransomware #MalwareAnalysis