
Crack The BAT - Identifying Compression, Packers & Googling for IOCs

In this video I show you an interesting sample sent to me via Twitter, which is a password-protected malware sample. Our goal is to obtain the true malware indicators and first of all crack the password. It turns out, this wasn't hard at all; some simple malware initial assessment (using PEStudio) enabled me to find a ZLIB compressed resource. Inflating that yielded what looked to be an MD5 hash; simply Googling for that hash yields the password.

Then, using the password, we can run the malware, obtain additional indicators and identify the tool the adversary used to create their malware. We then turn the same tool back on the malware to decompile it into its true source. RESULT!
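The first step of the workflow above (spot a ZLIB-compressed resource, inflate it, notice the result looks like an MD5 hash) can be automated. The script below is an added example, not the author's tooling: it scans a blob for zlib stream headers, inflates each complete stream, and flags any that decompress to a 32-hex-character string. The embedded sample blob and the hash value inside it are constructed for the demo, not taken from the video's sample.

```python
"""Scan a binary for zlib streams and flag ones that inflate to an MD5-like string."""
import re
import zlib

# zlib stream headers: CMF=0x78 (deflate, 32K window) followed by the common FLG bytes
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
MD5_RE = re.compile(rb"^[0-9a-fA-F]{32}$")


def find_zlib_streams(data: bytes):
    """Yield (offset, inflated_bytes) for every header that inflates to a complete stream."""
    for header in ZLIB_HEADERS:
        pos = data.find(header)
        while pos != -1:
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[pos:])
                # d.eof is only True when the stream ended cleanly and the
                # Adler-32 checksum matched, which filters out random 0x78 bytes.
                if d.eof:
                    yield pos, out
            except zlib.error:
                pass  # not a real stream (or truncated); keep scanning
            pos = data.find(header, pos + 1)


def find_md5_like(data: bytes):
    """Return sorted [(offset, text)] for inflated streams that look like an MD5 hash."""
    hits = []
    for off, out in find_zlib_streams(data):
        candidate = out.strip()
        if MD5_RE.match(candidate):
            hits.append((off, candidate.decode("ascii")))
    return sorted(hits)


# Constructed sample: a fake "MZ" header, padding, a zlib-compressed 32-hex string, padding.
CONSTRUCTED_MD5 = b"5d41402abc4b2a76b9719d911017c592"  # constructed value, not an IoC
SAMPLE_BLOB = b"MZ" + b"\x00" * 64 + zlib.compress(CONSTRUCTED_MD5) + b"\x00" * 32

if __name__ == "__main__":
    for off, text in find_md5_like(SAMPLE_BLOB):
        print(f"offset 0x{off:x}: candidate hash {text}")
```

Point it at a resource extracted with PEStudio (or the whole file) and any hit is a candidate to look up, as the video does with its hash.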

The aim of this video is to showcase that you don't have to understand every single line of assembly code to understand what malware is doing and to bypass security-evasion techniques that adversaries often use.

Peace,
@cybercdh

SAMPLE
=======
You can get the sample and follow along here:
https://app.any.run/tasks/d2547910-3a16-467c-9251-63cb60a7a6c7/

TOOLS
=====
Here are the key tools I used:
PeStudio - https://www.winitor.com
x64dbg - https://x64dbg.com/#start
UPX - https://upx.github.io
BAT2EXE - https://documentation.help/BAT2EXE/en.html

THANKS
=======
I had a lot of fun making this video and I really enjoy this community. If you enjoyed watching please LIKE and SUBSCRIBE for more content.

FOLLOW
=======
You can also find me on https://twitter.com/cybercdh

Video "Crack The BAT - Identifying Compression, Packers & Googling for IOCs" from the channel cybercdh
Video information
Published 19 September 2020, 3:18:14
Duration 00:17:55