DiscoverOALabsUnpacking Bokbot / IcedID Malware - Part 1
Unpacking Bokbot / IcedID Malware - Part 1

Unpacking Bokbot / IcedID Malware - Part 1

Update: 2018-10-26
Share

Description

We demonstrate how to unpack the first two stages of Bokbot / IcedID malware with x64dbg, PeBear, and IDA Pro. Expand for more...

Original sample:
0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e
https://cape.contextis.com/analysis/21237/

Stage1 (packed UPX):
7f463bd55aa360032fbd6489b4e34455178a35254ff66c1cd98d0775437074b4
https://cape.contextis.com/analysis/21240/

Stage2 (custom injector):
89a0325379e1e868b668955ed41ba0faa724845028bc961a0691f19e5213dedf
https://cape.contextis.com/analysis/21241/

Talos blog post on Bokbot injection method:
https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

Vitali Kremez analysis of IcedID:
https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html

TUTORIAL - How to setup a FREE malware analysis VM
https://oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/

Stay tuned for PART 2 ...

Feedback, questions, and suggestions are always welcome : )

Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at https://www.openanalysis.net
Comments 
In Channel
REvil Ransomware Unpacked - Cheeky Hack To Build Import Address Table

REvil Ransomware Unpacked - Cheeky Hack To Build Import Address Table

2019-07-3009:10

Reverse Engineering RC4 Crypto For Malware Analysis

Reverse Engineering RC4 Crypto For Malware Analysis

2019-06-1715:56

Disable ASLR For Easier Malware Debugging With x64dbg and IDA Pro

Disable ASLR For Easier Malware Debugging With x64dbg and IDA Pro

2019-06-1107:31

Reverse Engineering C++ Malware With IDA Pro

Reverse Engineering C++ Malware With IDA Pro

2019-06-0323:40

Reverse Engineering Quick Tip - Unpacking Process Injection With a Single Breakpoint

Reverse Engineering Quick Tip - Unpacking Process Injection With a Single Breakpoint

2019-04-1403:30

WinDbg Basics for Malware Analysis

WinDbg Basics for Malware Analysis

2019-02-1938:36

Malware Samples Crashing x64dbg Fixed!

Malware Samples Crashing x64dbg Fixed!

2019-01-2706:55

Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!

Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!

2019-01-0728:05

OALabs Rewind 2018 - Reverse Engineering Bloopers

OALabs Rewind 2018 - Reverse Engineering Bloopers

2018-12-2903:38

Unpacking Quick Tip: Two Breakpoints to Unpack Hermes Ransomware

Unpacking Quick Tip: Two Breakpoints to Unpack Hermes Ransomware

2018-12-2802:37

Reverse Engineering IcedID / Bokbot Malware Part 2

Reverse Engineering IcedID / Bokbot Malware Part 2

2018-11-0937:59

Unpacking Bokbot / IcedID Malware - Part 1

Unpacking Bokbot / IcedID Malware - Part 1

2018-10-2615:58

How Do Packers Work - Reverse Engineering "FUD" Aegis Crypter

How Do Packers Work - Reverse Engineering "FUD" Aegis Crypter

2018-09-2217:41

Malware Analysis VM Setup Tutorial

Malware Analysis VM Setup Tutorial

2018-07-1614:12

Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python

Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python

2018-06-2027:52

Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg

Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg

2018-05-2019:23

Unpacking VB6 Packers With IDA Pro and API Hooks (Re-Upload)

Unpacking VB6 Packers With IDA Pro and API Hooks (Re-Upload)

2018-04-2929:23

Unpacking Princess Locker and Fixing Corrupted PE Header (OALabs x MalwareAnalysisForHedgehogs)

Unpacking Princess Locker and Fixing Corrupted PE Header (OALabs x MalwareAnalysisForHedgehogs)

2018-04-0834:03

Analyzing Adwind / JRAT Java Malware

Analyzing Adwind / JRAT Java Malware

2018-03-2633:23

Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request

Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request

2018-03-0431:30

loading
Google Play
Download from Google Play
Castbox
Download from App Store
usUnited States
00:00
00:00
x

0.5x

0.8x

1.0x

1.25x

1.5x

2.0x

3.0x

Sleep Timer

Off

End of Episode

5 Minutes

10 Minutes

15 Minutes

30 Minutes

45 Minutes

60 Minutes

120 Minutes

Unpacking Bokbot / IcedID Malware - Part 1

Unpacking Bokbot / IcedID Malware - Part 1

OALabs