Unpacking GlobeImposter Ransomware With x32dbg

  • Published on 6 Aug 2024
  • Open Analysis Live! In this tutorial we unpack a new version of GlobeImposter ransomware using the x32dbg / x64dbg debugger.
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    OALABS TIP JAR
    ko-fi.com/oalabs
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----
    Original packed sample:
    malshare.com/sample.php?actio...
    Malware Traffic Analysis sample:
    www.malware-traffic-analysis.n...
    The x64dbg debugger:
    x64dbg.com/#start
    The unpacked sample:
    malshare.com/sample.php?actio...
    OAPivot the chrome plugin for IOC searching:
    chrome.google.com/webstore/de...
    Great blog on unpacking an earlier version of GlobeImposter:
    www.vkremez.com/2017/08/lets-l...
    Video explaining some anti-debugging tricks:
    • How To Defeat Anti-VM ...
    Anti-debugging cheat sheet (PDF):
    anti-reversing.com/Downloads/A...
    *Special hat-tip to Alex for recommending x64dbg and showing me some tricks: / nullandnull
    Feedback, questions, and suggestions are always welcome : )
    Sergei / herrcore
    Sean / seanmw
    As always check out our tools, tutorials, and more content over at www.openanalysis.net

Comments • 41

  • @rajarshivaidya444 6 years ago +5

    Great explanation! Please continue the good work, +1

  • @cherifaly6757 6 years ago +1

    Very informative and sophisticated!.. Thank you!

  • @evilcryification 6 years ago +2

    Nice one, appreciate the effort, keep up the good work! :)

  • @alraieducationandhealthwel5563 9 months ago +1

    Very concise and yet only -300 likes... This is great stuff, thank you.

  • @ganeshkumargopinathan6375 6 years ago +2

    As usual..Good one again!!!

  • @alrai83 4 years ago +2

    really cool :)

  • @johnpapadopoulos8440 6 years ago +1

    Hi. Great videos. I would like to see also some techniques with x32dbg and x64dbg for finding Windows messages, serial numbers, patching programs, enabling buttons, enabling hidden features and such. I've already subscribed and am waiting to see more of those great tutorials you do.

    • @OALABS 6 years ago

      Hey thanks for the encouragement! We mainly use the IDA debugger but we could maybe do a few more tutorials with x32dbg/x64dbg. Someone just showed me this really cool plugin for x64dbg so maybe I'll take a look at using that github.com/ThunderCls/xAnalyzer

  • @Demonslay335 5 years ago +2

    Excellent video, I feel I learned quite a bit. Nooby question - if the debugging comments were not there, how would you recognize when you are at the OEP? I have a similarly packed ransomware I'm unpacking, and it does a jmp [ebp+8] followed immediately by a jmp - I followed that rabbit hole and tried Scylla every few steps or at the start of what looked like a function, but it could not find the IAT.

    • @Demonslay335 5 years ago

      Hash btw: fbeb92ac0acf03216f8430687734d2f72f57a85c994f0f0ea01e65c26e37d92d
      The jmp is at 0x40BFBB inside the 0x40BF90 function.

    • @OALABS 5 years ago +1

      Hey, saw your tweet about this too so I made a quick unpack video for you! We are big fans of ID-Ransomware, keep up the good work!! th-cam.com/video/wkPsvYfA08g/w-d-xo.html

  • @000maestro000 6 years ago +1

    Nice debugger, I should give it a try... could you do a short "IDA non-trivial tips" type clip? You give some good tips in your longer videos, but when I want to find a certain tip you gave I need to go through an hour-long malware unpacking video. Keep up the great videos anyway!

    • @EnduranceT 6 years ago +1

      We could go through his longer vids and just make an index table with links to various parts in the video explaining what they are about so he doesn't have to remake the same tips.

    • @000maestro000 6 years ago

      EnduranceT this is actually a good idea, I went to the lazy solution immediately. I will have to learn how to do these.

    • @OALABS 6 years ago

      Thanks! Check out the description of our IDA Tutorial video th-cam.com/video/qCQRKLaz2nQ/w-d-xo.html ... we have a sort of index there.
      I also like EnduranceT's idea to create an index of all the tips... that's maybe something we can maintain on our blog. Or maybe make a second playlist of all the individual clips? We will definitely figure something out though.

  • @captain120679 5 years ago +1

    Thank you for your videos and explanations! Looks easy when watching, but I'm completely stuck when trying to do it.... Is there a place where we can speak and get help? ;)

    • @ahmedbellil5161 4 years ago

      Hhhhhhhhh
      It seems too easyyyy
      But it isn't

  • @EnduranceT 6 years ago +2

    Was just about to go to lunch but then saw this new vid... Lunch can wait 23 minutes. :D
    Btw about those IDA Pro comments........
    .....
    IGOR IS PROUD!

    • @OALABS 6 years ago

      😹😹😹😹

  • @Roman-tt2rg 2 years ago +1

    Hello, really useful lesson, thank you. Please tell me how to make the debugger write a comment with the name of the function, if it is taken from the stack? I only have comments if the argument is from register.

    • @OALABS 2 years ago

      It works a bit differently if the API address is on the stack... the comment will appear in the stack view next to the address. You could also right-click on the pointer to the value in the disassembly window and follow it in the Dump window. Then right-click in the dump window and choose Addresses as the display option. You can see an example of both in this screenshot imgur.com/Hqa9T8o

    • @Roman-tt2rg 2 years ago

      @OALabs Thank you for the advice. But in the video at 13:41 you have comments (no comments at 11:33): "[ebp-28]:LoadLibraryA" and "[ebp-68]:GetProcAddress". I'm doing the same thing, but the comments don't show up.

    • @OALABS 2 years ago +1

      Oh! That's not the API name (symbol) that's a string. Join our discord! It's easier to help when we can chat in real time instead of through TH-cam comments haha

  • @sieutruc 6 years ago

    Can this unpacked file be executed in x64dbg again?

    • @OALABS 6 years ago

      Yes it should be : )

  • @nader6560 5 years ago

    I got infected by GlobeImposter 2.0 ransomware, please do you have any solution? Please help

    • @OALABS 5 years ago

      Hi Nader, that really sucks, my sympathies. We don't provide malware removal advice here, but I highly recommend checking out the BleepingComputer forums; folks there are very helpful and can probably point you in the right direction www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/ good luck!

  • @pradeepseetharaman1532 6 years ago

    Hi, can you do a video on WannaCry debug analysis?

    • @OALABS 6 years ago +1

      Thanks for the suggestion but I'm not sure we could add much to the excellent analysis Colin did in his two part series. I highly recommend his tutorials! th-cam.com/video/d_j8UUQbJsc/w-d-xo.html th-cam.com/video/d56g3wahBck/w-d-xo.html

  • @binaryblu9298 6 years ago

    Where to download x32dbg?

    • @OALABS 6 years ago

      x64dbg.com/#start

  • @utayasurian419 4 years ago

    How to learn malware analysis from scratch?

    • @OALABS 4 years ago +1

      That's always a hard question to answer since the topic is so general, but I think we cover some of the concepts in our videos here, and I highly recommend these other channels too:
      Colin Hardy th-cam.com/channels/ND1KVdVt8A580SjdaS4cZg.html
      Malware Analysis for Hedgehogs th-cam.com/channels/VFXrUwuWxNlm6UNZtBLJ-A.html
      Hasherezade th-cam.com/channels/NWVswPNgn5kutPNa5sprkg.html
      Also for written content I think the Dr. Fu blog is amazing!
      fumalwareanalysis.blogspot.com/p/malware-analysis-tutorials-reverse.html
      Good luck! And feel free to drop any questions you have in the chat here.

    • @utayasurian419 4 years ago

      @@OALABS Thanks a lot! :)

  • @ahmedbellil5161 4 years ago

    Any video about
    Themida/winlicense 2.x
    ????????

  • @johndanukah8746 5 years ago

    say " really cool" one more time... I dare you!