Extraction of an injected malicious PE from dynamic memory in Windows (Remcos malware)
Usually, malware comes packed by some packer that obfuscates the original code and helps it evade AV software or general human suspicion. When executed, the packed binary injects the actual binary into memory and runs it from there, so the real payload only ever exists unpacked inside the running process.
Setup Environment:
Operating System: Windows 10, Enterprise Evaluation 180914
Software Arsenal: x32debugger, PE-bear, HxD hexadecimal editor
Malware Binary: Remcos
Here you go. Here's your malware sample, handle with care and caution:
https://malshare.com/sample.php?action=detail&hash=15fdc5c025e9d1645df07110c455aa09
We will be using our Windows 10 virtual machine. Networking is set to "HOST ONLY", and the binary is transferred to the VM via Python's SimpleHTTPServer.
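As an added example that is not part of the original post: a small Python scanner that does on a dumped memory region what is otherwise done by hand in HxD and PE-bear, namely locate candidate "MZ" headers, validate the PE signature and optional-header magic, and compute from the section table how many bytes to carve. It assumes the injected image is still in file layout (not yet mapped by the loader); the dump contents are constructed inline for the test.

```python
import struct

def pe_extent(mem: bytes, base: int):
    """Validate a candidate 'MZ' at `base`; return the PE's length in file
    layout (max of SizeOfHeaders and every section's raw end) or None."""
    if base + 0x40 > len(mem):
        return None
    e_lfanew = struct.unpack_from("<I", mem, base + 0x3C)[0]
    pe = base + e_lfanew
    if not 0x40 <= e_lfanew <= 0x400 or pe + 24 > len(mem) or mem[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", mem, pe + 6)[0]
    opt_size = struct.unpack_from("<H", mem, pe + 20)[0]
    opt = pe + 24                                   # optional header start
    if opt_size < 64 or opt + opt_size > len(mem):
        return None
    if struct.unpack_from("<H", mem, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    end = struct.unpack_from("<I", mem, opt + 60)[0]  # SizeOfHeaders
    for i in range(num_sections):                   # 40-byte section headers
        entry = opt + opt_size + i * 40
        if entry + 40 > len(mem):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", mem, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return end if base + end <= len(mem) else None

def find_pe_images(mem: bytes):
    """Return (offset, size) for every plausible PE found in `mem`."""
    hits, pos = [], mem.find(b"MZ")
    while pos != -1:
        size = pe_extent(mem, pos)
        if size:
            hits.append((pos, size))
        pos = mem.find(b"MZ", pos + 2)
    return hits

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with one section, only to exercise the scanner."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)      # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIII", b".text", 0x40, 0x1000, 0x40, 0x200) + bytes(16)
    headers = bytes(dos) + file_hdr + bytes(opt) + sec
    return headers.ljust(0x200, b"\0") + b"\xcc" * 0x40  # raw section data at 0x200

# Constructed dump: a stray "MZ" false positive at 0x20, then the sample PE at 0x100.
SAMPLE_MEMORY = bytes(0x20) + b"MZ" + bytes(0xDE) + build_sample_pe() + bytes(0x80)
```

The carved bytes (`mem[offset:offset + size]`) can then be opened in PE-bear; an image that was already mapped by the loader would instead need its sections realigned from VirtualAddress back to PointerToRawData.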