Remcos RAT Unpacked From VB6 With x64dbg Debugger

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] hi folks and welcome to open analysis live so this is a quick video we're back from DEFCON and we're starting to make videos again and work on our special project so you should stay tuned for a couple more longer form videos that will be coming soon but this one is just a quick tip sort of refreshing an older video that we did on vv6 Packers so a friend of mine was having some trouble with this sample and he said he was following our tutorial and he couldn't quite get it he just wanted some pointers on what to do and I thought this would be a good opportunity just to take a couple minutes to refresh anyone in case anyone else was having the same sort of difficulty that he was so what we're going to do is we're going to look at a Remco sample today that is packed with vb6 and i'll link to our other video in the description of this video below where we talk about vv6 Packers in that case we actually used I to unpack it so in this case we use x64 debug it's a little bit faster but the same principles apply so just a little refresher vb6 is an interpreted language much like Java that you know you have the JVM a virtual machine that is interpreting the Java byte code so for vb6 you have a vb6 virtual machine that is interpreting P code which is an intermediate language and you can see this we were to open up one of these files in Ida you would see that there's no x86 assembly in there there's really very little stuff and it's all this kind of garbage code okay you can't really read you need a special D compiler for it now there are D compilers out there but usually BB six it's very old it's usually only used for packing it's not usually used for malware and in the rare case that is used for malware and it's unfortunate you're gonna have a bit of work on your hands but luckily this in this case it is just a packer so I'm gonna show you how to sort of circumvent this you don't have to look at the vb6 code at all and we're actually going to use our one breakpoint trick because this does due-process injection so they are doing they're creating a process they're gonna inject into it so much like our other quick tip unpacking videos we're going to with a breakpoint on create process internal and once we hit that we're just gonna let the PE run we're gonna set that breakpoint let it run once we hit that breakpoint we are then going to search in memory for PE file and executable that has been unpacked in memory and is ready to be written into the newly created process so this is what we call like a dump point and it's always good to have a certain set of dump points that you use where you know if you stop in that break point you didn't look for a PE file in memory now the big trick here is that in most of our other videos we like to use dump points on virtual Alex so what we do is we put a break point on the return from virtual Alec then we follow the newly allocated memory in our dump we run a little bit and we look and see if a PE file has been written into that newly allocated memory so that's the majority of our unpacking videos this one's a bit different though so because they're using vb6 vb6 like I said is a virtual machine and it's interpreting P code and spitting out x86 assembly that's run dynamically so what that means is they are allocating and freeing a lot of memory so if we were to try and use our trick of putting a breakpoint on virtual Alec we would see that that breakpoint is just hit repeatedly again and again and again and you kind of just get an overflow you know a firehose of breakpoints and it's not worth trying to figure out which one is gonna have a P file in it which one is just allocated for the virtual machine you could maybe do some scripting for this you know check the size of the allocated memory and whatever but you don't need to because there's a trick here so like I said the trick is to use a different dump point and in this case that's going to be the breakpoint on create process internal so without further ado let's get unpacking so here if we jump over to our VM let me drag this over into PE bear and take a look at the imports and here you can see that the it only the P file only has one import and that's Emma's MS vbv m60 r60 and so that tells me that this is Visual Basic 6 vb 6 so this is how you can tell very quickly whether the PU file is maybe 6 because they only have one import and it's gonna be the VM DLL this microsoft ideal so now that we got that out of the way let's open it up in the debugger and we'll use our trick here okay so the first thing we do is put that breakpoint on create process internal LW and and then we just run the binary so of course we hit the breakpoint on the entry point which is always said just ran past that now we hit on exception which is kind of interesting now this exception could be a bunch of different things could just be some sort of issue with the with vb6 where they have an exception handler for it or maybe it's some anti debugging trick where they expects where they check to see whether the exception has been intercepted by a debugger and if it has the exit out but in both those cases we don't have to do anything all we do is we just choose the advanced run option here and we choose passed the exception to the process and all this does is this passes the exception to the process as if there was no debugger running so whatever would normally happen a run time happens the reason why we do this is because this is what would happen if you were just running the process normally like they would expect so that's why we want to sort of mimic that behavior and you can see when we do that it runs fine there's no crash and then boom we hit our create process internal W breakpoint so now we want to do is want to go over to our memory map and we want to do a flying pattern and look for a string that is going to occur in the P file header now if you guys have looked at AP file which I'm sure you have or at least you've seen in our videos we look at them a lot there's a string that is usually there that says something like this process cannot be run in DOS or something like that there's some version of these there's a bunch of different strings that pop up for different reasons and what that is that's actually a Dass header that's a mini dos program that is part of the P structure I won't go into that too much but basically that string is usually there now there are some any debugging methods where they wipe that string out so it's hard to find the P file using this technique but in this case we get lucky is you guys see so we just search for this process just that's was part of the string and we search a memory for it here it's going to take a minute and then we can see there's a bunch of hits here now this is exactly what we would expect we expect that every Microsoft DLL that's all those deals that are loaded at 75 address those are all going to have a PE header we would expect that the P file that were running then our the packed malware is going to have that header obviously it's a P file so that's probably to me the for something range and then there's probably any of you a few other ones that we're gonna have to check it so I'm going to show you here let's take a look at the first one just right click full and dump and then once we followed in dump we can confirm that it is a PE file so we can see that little M set right click follow in memory map and then we look at what it is so here we can see that this is actually a loaded file from disk and so you can see the loaded string path there so we don't have to carry about this this is not a in memory PE file this is Matt from disk and there's a path there so it's not the one we're looking for now we look at the next one here which is a little bit foreign something so it's probably our own PE file and if we look yeah it is that's our pack P file so we don't care about that one let's go to the next one following dump and then follow that dump in the memory map oh this looks at juicy so look at that there is no MZ there but there is that da string if we fall in memory map there you go this looks pretty good right so we have an execute read write section it's not linked to a P file but it has a P file header in it so let's dump that out to our desktop here and we'll take a look at it in a hex editor so load that file up and let's find that this program string again because that's wherever the start of the P file is so let's search for that there we go we found it now what we can do here is we can just delete all of the data that is in that memory section that occurs before the beginning of the P file now this is a trick that I have learned because I have some experience looking a P file so it's easy for me to see what's going on but I'll explain for you guys what I'm doing here so I noticed that there is no MZ so you guys know that P files always start with the two bytes and Zed and there is none here it's probably been wiped as an anti analysis feature so that's probably some sort of anti analysis trick that they use where they lay that out so I can't find it in memory but they left the DA string in here that this program cannot be run in DOS in DOS mode now if you look at the bytes before that you'll see the FF and then a couple bites and oh for blah blah blah and then oh nine and then the two nila bytes right where the cursor is there now this looks like the first row of bytes in a pea header now I just know that because that's the pattern that it looks like obviously I want to expect everyone to know that but what you can do is you can see that this beginning of this line aligns with the offset of the hex dump so you can see that the you know the am beside where where the m set would be is at the beginning of the hex dump line here now that's important because it usually will be aligned and the other thing is you can see that that's the first line that doesn't have zeros on it so you can see all the lines before that are all zeros then this line actually has a few care a few bytes in it that are nonzero so if I just had to randomly guess if I saw that da string and I had to randomly guess where does the Amazon start I would just kind of go line by line up until I found the last line that had some data on it before a big chunk of zeros doesn't always work but you know these are tricks that you can use that might work and they don't cost too much right so I'll show you here it takes five seconds to basically clear off the data how to downside and then check to see whether it's valid so let's clear this data off we'll just select it all and delete it and add the side here so we'll just put her in the textbox head and save that file edge so now we want to check to make sure it's a valid file best way to do this is to open it at PE bear make sure that the sections align with the actual data and a section data and make sure that the imports are valid so if both those are true then you probably have yourself a nice unpacked file so look at the section headers that looks good if you click on it there's definitely data there look at the imports all good all resolved there we go we've unpacked Ram Coast so that's all there is to it one very point hon for the P file in memory some of them might be corrupted but you can kind of recover it especially if they just knocked out the home side signature and once you have recovered it just double-check that it's valid in P bar and then you're good to go so in the description of the video below I have links to mal share so you can download the pack sample and you can download the unpack sample to sort of compare your results so I encourage you guys to try this out it's a super easy way to get started with debugging get started with unpacking and hopefully this helps you if you ever find yourself unpacking a vv6 packer it's not as daunting as it might look on the first pass so we'll see you soon with a longer format video look more in-depth hopefully next time and until then keep exposing mechanics behind an hour stay curious [Music] you [Music]
Info
Channel: OALabs
Views: 8,690
Rating: 4.9723182 out of 5
Keywords: unpacking, malware analysis, debugging, openanalysis.net, vb6
Id: DIH4SvKuktM
Channel Id: undefined
Length: 12min 14sec (734 seconds)
Published: Thu Aug 22 2019
Related Videos
Unpacking Emotet / Geodo (Stage 1) Using x64dbg - Subscriber Request
OALabs
17K
CRB Update Post Election and Exhausted EI
Nick’s Taxes
2.1K
Running a Buffer Overflow Attack - Computerphile
Computerphile
1.6M
DESTROYING 5 COMPUTERS IN THE SAME CALL CENTRE! [RAT + RANSOMWARE]
Scambaiter
1.1M
Analyzing Adwind / JRAT Java Malware
OALabs
8.8K
But how does bitcoin actually work?
3Blue1Brown
10M
Manually Unpacking the UPX Packer [Malware Analysis Techniques]
Kindred Security
6.6K
Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!
OALabs
12K
How to Make Your Own VPN (And Why You Would Want to)
Wolfgang's Channel
1.2M
iOS 15 Settings You Need To Turn Off Now
Payette Forward
1.2M
The Map of Particle Physics | The Standard Model Explained
DoS - Domain of Science
473K
The MOST private browser (2021)
Naomi Brockwell
328K
Radio Hacking: Cars, Hardware, and more! - Samy Kamkar - AppSec California 2016
OWASP Foundation
1.1M
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.