Discussion on reverse-engineering and debugging.
I was trying to de-obfuscate data created in a registry key by the Kovter malware. I tried to use JSDetox but failed. Has someone tried to do it? I appreciate any help to decode it. Thanks. I attached a sample.
- Global Moderator
- Posts: 4884
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
There are not so many RegSetValueEx calls in the final payload. Probably you should bp at them. This malware is a container type: VB crypter -> dropper with encrypted payload in resource -> actual Delphi Kovter with some encrypted stuff in resource (probably cfg). So get the actual malware from the dropper and run it under a debugger.
Ring0 - the source of inspiration