Extraction of injected malicious PE from dynamic memory in windows (Remcos malware)

Background

Usually, malware comes packed by a packer that obfuscates the original code and helps it evade AV software or general human suspicion. When executed, the packed binary injects the actual binary into memory and runs it from there.

What will we cover in this write-up?

  1. Approach for setting a break-point in the packed binary to stop it in the midst of injecting the malicious code and executing it.
  2. Bypassing the malware’s “debugger bypass tricks” (anti-debugging checks).
  3. Locating and dumping the injected code from memory.
  4. Doing the necessary patching on the dumped image.
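As an added illustration of steps 3 and 4 (not code from the original write-up): a small Python scanner that locates PE headers inside a memory region, carves the image, and rewrites its section headers so raw file offsets match virtual addresses, which is the usual patch a memory-dumped PE needs before PE-bear or a disassembler will parse it. The memory region and the minimal PE32 image inside it are constructed here, not taken from the Remcos sample.

```python
import struct

def find_pe_headers(buf):
    """Offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits

def section_offsets(image):
    """Offsets of each 40-byte IMAGE_SECTION_HEADER (they follow the optional header)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size
    return [first + i * 40 for i in range(nsec)]

def section_headers(image):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    return [(image[o:o + 8].rstrip(b"\0").decode(),) + struct.unpack_from("<IIII", image, o + 8)
            for o in section_offsets(image)]

def unmap_sections(image):
    """A memory dump is laid out by VirtualAddress, but parsers read PointerToRawData;
    set raw offset = VA and raw size = VirtualSize so the dump parses as a file again."""
    image = bytearray(image)
    for o in section_offsets(image):
        vsize, vaddr = struct.unpack_from("<II", image, o + 8)
        struct.pack_into("<II", image, o + 16, vsize, vaddr)
    return bytes(image)

def build_sample_region():
    """Constructed region: 0x300 bytes of filler, then a minimal PE32 image mapped as the loader would."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr
    text = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + b"\0" * 224 + text
    image = hdr + b"\0" * (0x1000 - len(hdr)) + b"\xCC" * 0x200     # .text body sits at its VA, not at 0x400
    return b"\x90" * 0x300 + image
```

A real dump may also need the ImageBase in the optional header set to the address the image was actually mapped at; this example only handles the section alignment.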

Setup Environment:

Operating System: Windows 10, Enterprise Evaluation 180914
Software Arsenal: x32debugger (x32dbg), PE-bear, Hexadecimal Editor HxD
Malware Binary: Remcos

What is Remcos RAT?

Here you go: the Malwarebytes Labs write-up “Trojan.Remcos” (blog.malwarebytes.com):

Trojan.Remcos typically infects a system by embedding a specially-crafted settings file into an Office document, this…

Want to follow along with the article?

Here’s your malware, handle with care and caution.

https://malshare.com/sample.php?action=detail&hash=15fdc5c025e9d1645df07110c455aa09

Lab setup and Initial Inspection

We will be using our Windows 10 virtual machine. Networking is set to “Host-only” so the binary can be transferred to the VM via Python’s SimpleHTTPServer.
