Open Analysis Live! We unpack TrickBot and extract it's configuration file using x64dbg and a Python script from the KevinTheHermit project. Expand for more...

Packed sample (download the zip file):
Sha256:
fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074
http://www.malware-traffic-analysis.net/2018/05/16/index.html

Unpacked Stage 2:
Sha256: 5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
https://malshare.com/sample.php?action=detail&hash=89ae5e21d6cf455f467cfaf62350848c

Unpacked Stage 3 (Trickbot payload):
Sha256: 54dd37adfb6917060392a89b539b8402c7166f452cd5534df6ea9df607908181
https://malshare.com/sample.php?action=detail&hash=442da27968cc93d780cfd96c2399950c

Kevin the hermit config extractors:
https://github.com/kevthehermit/RATDecoders

Modified standalone version of TrickBot extractor:
https://gist.github.com/herrcore/35ad5644f940012487e3aff5034bff74

Sysopfb github (more malware analysis scripts):
https://github.com/sysopfb

x64dbg:
https://x64dbg.com/#start

More TrickBot samples to practice unpacking:
http://www.malware-traffic-analysis.net/2018/05/24/index2.html
http://www.malware-traffic-analysis.net/2018/05/25/index2.html
http://www.malware-traffic-analysis.net/2018/05/15/index2.html
http://www.malware-traffic-analysis.net/2018/05/01/index2.html

Tutorial on self-injection unpacking:
https://www.youtube.com/watch?v=WthvahlAYFY


Feedback, questions, and suggestions are always welcome : )

Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at http://www.openanalysis.net