Unpacking Gootkit Malware With IDA Pro and X64dbg [OA Labs]

Forum for analysis and discussion about malware.
Post Reply
Posts: 19
Joined: Tue Jun 16, 2015 6:15 am

Mon Mar 05, 2018 12:55 pm

An Youtube Video Demonstration by OA Labs : Unpacking Gootkit Malware With IDA Pro and X64dbg

Open Analysis Live!
They use IDA Pro and x64dbg to unpack a recently packed Gootkit malware (stage1).

Video bookmarks to skip ahead:
- Deobfuscating strings with IDA Python 5:15
- Identify anti-analysis tricks after string deobfuscation 9:03
- Mutex trick 14:40 - CreateFile ShareMode trick 17:33
- Fully unpacking with x64dbg 20:25
- Searching for PE in memory using x64dbg 23:24
- Carving PE files from a memory dump with a hex editor 26:24
- Final overview of the whole process 27:59

Packed sample:
Sha256: 38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
Post Reply