Monday, January 22, 2018

Themida packing

This sample is on Hybrid Analysis:

https://www.reverse.it/sample/90f22eada562c8d124211faa33337b5f8e8a43235605b8e8f12dab55f5962d3f?environmentId=100

If you open it in IDA or x32dbg, though, it is very difficult to analyze; it appears to be packed in some manner.
When viewing the memory strings in Process Hacker while it is running, I saw this:


It says Themida, which, when I googled it, is:
https://www.oreans.com/themida.php
Software protectors were created to keep an attacker from directly inspecting or modifying a compiled application. A software protector is like a shield that keeps an application encrypted and protected against possible attacks.

So the attacker is using this legitimate, commercially sold protector to hide his code from us malware analysts. That also explains the two observations above: the protector keeps the original code encrypted on disk and only decrypts it in memory at run time (with anti-debugging checks layered on top), so a static view in IDA shows mostly the protector's stub, while a live process viewer like Process Hacker can see the decrypted strings.
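The two signals used above, "IDA shows little" and "the memory strings name a protector", can be automated for first-pass triage. The Python below is an added example and not code from the original post: it hand-parses the PE section table (stdlib only, no pefile), scores each section's raw data by Shannon entropy, and scans the buffer for protector marker strings. "Themida" and its vendor "Oreans" come from the post; WinLicense, VMProtect and UPX are added as other well-known protectors, and the list is illustrative rather than exhaustive. The PE buffer is constructed inline so the script runs offline; it is not a real binary.

```python
"""Packing triage for a PE image: per-section entropy plus protector marker strings.

Added example, not code from the original post. Stdlib only; the PE buffer below is
constructed in-process so the script runs offline.
"""
import math
import random
import struct

# Marker strings left behind by protector stubs. "Themida" and "Oreans" come from the post;
# the rest are other well-known protectors/packers added here for illustration (not exhaustive).
PACKER_MARKERS = [b"Themida", b"Oreans", b"WinLicense", b"VMProtect", b"UPX0", b"UPX1"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_markers(data: bytes) -> list:
    """Return the sorted list of known protector strings present in the buffer.
    Works on a file or on a raw memory dump, since it needs no headers."""
    return sorted(m.decode() for m in PACKER_MARKERS if m in data)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table of a PE image and score each section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional                            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def triage(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Combine both signals. Compressed or encrypted code typically scores above ~7 bits/byte."""
    sections = parse_sections(pe)
    high = [s["name"] for s in sections if s["raw_size"] and s["entropy"] >= entropy_threshold]
    markers = find_markers(pe)
    return {
        "sections": sections,
        "high_entropy_sections": high,
        "markers": markers,
        "likely_packed": bool(high or markers),
    }


def build_sample_pe() -> bytes:
    """Constructed, minimal PE-shaped buffer (not a real binary): one plain section and one
    section that looks like an encrypted blob with a Themida marker appended."""
    rng = random.Random(1337)
    text = b"\x55\x8b\xec" * 300 + b"\xc3"                                   # repetitive, low entropy
    blob = bytes(rng.randrange(256) for _ in range(2048)) + b"\0Themida\0"  # high entropy + marker

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                         # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                        # PE32 magic, rest zeroed
    text_ptr, blob_ptr = 512, 512 + len(text)

    def section(name, data, ptr, vaddr):
        return struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data), ptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (dos + coff + optional
               + section(b".text", text, text_ptr, 0x1000)
               + section(b".data", blob, blob_ptr, 0x2000))
    headers += b"\0" * (512 - len(headers))
    return headers + text + blob


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name']:<8} size={s['raw_size']:<6} entropy={s['entropy']}")
    print("markers:", result["markers"], "likely packed:", result["likely_packed"])
```

For a real sample, pass the file bytes to `triage`; for a memory region dumped from Process Hacker, which has no MZ header, call `find_markers` on the dump directly. High entropy alone is not proof of packing (resource data and embedded archives score high too), so treat the result as a prompt to look for the decrypted code at run time, as the post did, rather than as a verdict.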

Of course, I'm new at this so if you have any corrections or tips for me, let me know. Thanks!
