https://www.reverse.it/sample/90f22eada562c8d124211faa33337b5f8e8a43235605b8e8f12dab55f5962d3f?environmentId=100
but if you open it in IDA or x32dbg it's very difficult to analyze, it appears packed in some manner.
When viewing the memory strings in Process Hacker while it's running I saw this
It says Themida, which when I googled is
https://www.oreans.com/themida.php
Software protectors where created to keep an attacker from directly inspecting or modifying a compiled application. A software protector is like a shield that keeps an application encrypted and protected against possible attacks
So the attacker is using this legit packing software to hide his code from us malware analysts.
Of course, I'm new at this so if you have any corrections or tips for me, let me know. Thanks!
No comments:
Post a Comment