Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python

Open Analysis Live! We unpack TrickBot and extract it's configuration file using x64dbg and a Python script from the KevinTheHermit project. Expand for more...

-----
OALABS DISCORD
  / discord  

OALABS PATREON
  / oalabs  

OALABS TIP JAR
https://ko-fi.com/oalabs

OALABS GITHUB
https://github.com/OALabs

UNPACME - AUTOMATED MALWARE UNPACKING
https://www.unpac.me/#/

-----

Packed sample (download the zip file):
Sha256:
fa9ad80c0977cdbfe8419d27ca9ad909d34f1737df726f4d175f6b85b0670074
http://www.malware-traffic-analysis.n...

Unpacked Stage 2:
Sha256: 5609b3f916346146771b721ee20f7679ce87b7fc4b6a18bf6adf7201b98c5e22
https://malshare.com/sample.php?actio...

Unpacked Stage 3 (Trickbot payload):
Sha256: 54dd37adfb6917060392a89b539b8402c7166f452cd5534df6ea9df607908181
https://malshare.com/sample.php?actio...

Kevin the hermit config extractors:
https://github.com/kevthehermit/RATDe...

Modified standalone version of TrickBot extractor:
https://gist.github.com/herrcore/35ad...

Sysopfb github (more malware analysis scripts):
https://github.com/sysopfb

x64dbg:
https://x64dbg.com/#start

More TrickBot samples to practice unpacking:
http://www.malware-traffic-analysis.n...
http://www.malware-traffic-analysis.n...
http://www.malware-traffic-analysis.n...
http://www.malware-traffic-analysis.n...

Tutorial on self-injection unpacking:
   • Unpacking Princess Locker and Fixing Corru...  


Feedback, questions, and suggestions are always welcome : )

Sergei   / herrcore  
Sean   / seanmw  

As always check out our tools, tutorials, and more content over at http://www.openanalysis.net