Unpacking Bokbot / IcedID Malware - Part 1
We demonstrate how to unpack the first two stages of Bokbot / IcedID malware with x64dbg, PeBear, and IDA Pro. Expand for more...

-----
OALABS DISCORD / discord
OALABS PATREON / oalabs
OALABS TIP JAR https://ko-fi.com/oalabs
OALABS GITHUB https://github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING https://www.unpac.me/#/
-----

Original sample:
0ca2971ffedf0704ac5a2b6584f462ce27bac60f17888557dc8cd414558b479e
https://cape.contextis.com/analysis/2...

Stage1 (packed UPX):
7f463bd55aa360032fbd6489b4e34455178a35254ff66c1cd98d0775437074b4
https://cape.contextis.com/analysis/2...

Stage2 (custom injector):
89a0325379e1e868b668955ed41ba0faa724845028bc961a0691f19e5213dedf
https://cape.contextis.com/analysis/2...

Talos blog post on Bokbot injection method:
https://blog.talosintelligence.com/20...

Vitali Kremez analysis of IcedID:
https://www.vkremez.com/2018/09/lets-...

TUTORIAL - How to setup a FREE malware analysis VM
https://oalabs.openanalysis.net/2018/...

Stay tuned for PART 2 ...

Feedback, questions, and suggestions are always welcome : )
Sergei / herrcore
Sean / seanmw

As always check out our tools, tutorials, and more content over at https://www.openanalysis.net