Unpacking Gootkit Part 2 - Debugging Anti-Analysis Tricks With IDA Pro and x64dbg
Update: 2018-05-20
Description
Open Analysis Live! We use IDA Pro and x64dbg to take a second look at Gootkit and determine how it uses file name checks (CRC32 hashes of file names) to evade analysis.
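To show the analyst side of the file name check discussed in the video, here is an added example (not OALabs' code and not Gootkit's own hash list): it hashes a constructed wordlist of candidate file names with standard CRC-32, tries the case and encoding variants a sample might hash, and resolves hashes found in a binary back to names. The wordlist and the "found" hashes are constructed; the real list and CRC32 variant are in the linked blogs.

```python
import zlib

# Constructed wordlist of names an analyst might expect a sample to check for.
# This is NOT Gootkit's real list; extend it from the referenced blog posts.
CANDIDATE_NAMES = [
    "sample.exe", "malware.exe", "virus.exe", "test.exe",
    "sandbox.exe", "bot.exe", "payload.exe", "analysis.exe",
]


def crc32_str(s, encoding="utf-8"):
    """Standard CRC-32 (IEEE 802.3, as in zlib) of a string as an unsigned 32-bit int."""
    return zlib.crc32(s.encode(encoding)) & 0xFFFFFFFF


def build_table(names, encodings=("utf-8", "utf-16-le")):
    """Map CRC32 -> set of (name, encoding) pairs.

    Samples often lowercase the name before hashing and may hash either the
    ANSI or the wide (UTF-16LE) form, so every variant is entered in the table.
    """
    table = {}
    for name in names:
        for variant in {name, name.lower(), name.upper()}:
            for enc in encodings:
                table.setdefault(crc32_str(variant, enc), set()).add((variant, enc))
    return table


def resolve(found_hashes, table):
    """For each hash pulled from a sample, return the matching variants or None."""
    return {h: sorted(table[h]) if h in table else None for h in found_hashes}


def name_is_listed(file_name, hash_list, encoding="utf-8"):
    """Reproduce the comparison seen in the sample: lowercase the running file's
    base name, CRC32 it, and look it up in the embedded list."""
    return crc32_str(file_name.lower(), encoding) in hash_list


if __name__ == "__main__":
    # Constructed stand-in for hashes extracted from a binary: one that resolves,
    # one that does not.
    found = [crc32_str("sandbox.exe"), 0x12345678]
    for h, names in resolve(found, build_table(CANDIDATE_NAMES)).items():
        print(f"{h:08x} -> {names}")
```

Running it on a real sample means replacing `found` with the constants read out of the hash comparison routine in IDA.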
Our original Gootkit unpacking video where we explain the packer and dumping from memory.
https://youtu.be/242Tn0IL2jE
Packed sample:
Sha256: da336edead5e63d2759ebe1414575ce7f07162f28a99fa55a4d8badfc87b6720
https://malshare.com/sample.php?action=detail&hash=ef4cf20e80a95791d76b3df8d9096f60
Unpacked Gootkit (stage 1):
Sha256: b0d421e2d415e0e5a4b94e4adaa8a6625405db3739156e79b2e85ba2fb1d6067
https://malshare.com/sample.php?action=detail&hash=f92aa495c4f932a1f0a7dd7669d592e4
Excellent blog from @r3mrum on crc32 hashes and Gootkit:
https://r3mrum.wordpress.com/2018/02/15/string-hashing-reverse-engineering-an-anti-analysis-control/
Lastline CRC32 hashes for Gootkit:
https://www.lastline.com/labsblog/evasive-malware-tricks/
x64dbg:
https://x64dbg.com/#start
IDA:
https://www.hex-rays.com/products/ida/support/download_freeware.shtml
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net