Thread: Another unknown packer in malware

  1. #1

    Another unknown packer in malware

    I just found this trojan. By the name of the executable section I suppose the packer's name is STPack.
    But I found nothing about it.

    Password: malware
    Last edited by Cthulhu; January 29th, 2009 at 13:51.

  2. #2
    evaluator
    Mostly trojans are packed with custom packers/crypters, commonly named by AV as TR/CRYPT..
    so, don't worry about them..
    except if you find some interesting pack/prot methods.

  3. #3
    Quote Originally Posted by Cthulhu
    I just found this trojan. By the name of the executable section I suppose the packer's name is STPack.
    But I found nothing about it.

    Password: malware
    Thnx for sharing, the unpacking process is not that hard, just a few SEH chains.

    Microsoft: PWS:Win32/Yessim.gen
    AVG: PSW.Banker5.CSX

  4. #4
    I've been trying all day long to unpack this trojan without success.
    If I step over the calls, Olly throws a message saying there was an access violation at [00000000].
    So I set a breakpoint at the exception handler at 4AB35C, and every time it breaks I can execute the function without the access violation.
    After that I passed the place where it resolves some API addresses, and I got here:

    Code:
    0043F000     B8 CCCF4700         MOV EAX,Proc_324.0047CFCC
    0043F005     50                  PUSH EAX
    0043F006     64:FF35 00000000    PUSH DWORD PTR FS:[0]
    0043F00D     64:8925 00000000    MOV DWORD PTR FS:[0],ESP
    0043F014     33C0                XOR EAX,EAX
    0043F016     8908                MOV DWORD PTR DS:[EAX],ECX                                ; Proc_324.004AB35C
    0043F018     50                  PUSH EAX
    0043F019     45                  INC EBP
    0043F01A     43                  INC EBX
    0043F01B     6F                  OUTS DX,DWORD PTR ES:[EDI]                                ; I/O command
    0043F01C     6D                  INS DWORD PTR ES:[EDI],DX                                 ; I/O command
    0043F01D     70 61               JO SHORT Proc_324.0043F080
    0043F01F     637432 00           ARPL WORD PTR DS:[EDX+ESI],SI
    0043F023     39D4                CMP ESP,EDX                                               ; ntdll.7C9037D8
    0043F025     895F CE             MOV DWORD PTR DS:[EDI-32],EBX
    0043F028     3322                XOR ESP,DWORD PTR DS:[EDX]
    0043F02A     D1FA                SAR EDX,1
    0043F02C     24 47               AND AL,47
    0043F02E     A3 E3D99372         MOV DWORD PTR DS:[7293D9E3],EAX
    0043F033     40                  INC EAX
    0043F034     62FD                BOUND EDI,EBP                                             ; Illegal use of register
    0043F036     2243 E3             AND AL,BYTE PTR DS:[EBX-1D]
    0043F039     D4 60               AAM 60
    0043F03B     2A40 E7             SUB AL,BYTE PTR DS:[EAX-19]
    0043F03E     0AA3 61E1EB1D       OR AH,BYTE PTR DS:[EBX+1DEBE161]
    0043F044     4A                  DEC EDX                                                   ; ntdll.7C9037D8
    0043F045     41                  INC ECX                                                   ; Proc_324.004AB35C
    0043F046     08E8                OR AL,CH
    0043F048     B2 0A               MOV DL,0A
    0043F04A     C2 B8D4             RETN 0D4B8
    Now I'm stuck because at this function I get a lot of exceptions and I could not find a way to bypass them.
    As you said this is easy to unpack, I may be missing something very obvious.
    Can someone point me in the right direction?

  5. #5
    Forget the previous post. I managed to unpack it.

  6. #6
    tbarabasz
    Guest

    Unpacking

    Could you please tell us how you did it?
    I've just got one malware with the same characteristics. I'm trying to unpack it but I couldn't go too far... it would be great if you can give some help!

    Thanks in advance

  7. #7
    evaluator
    Upload it, if you see hard tricks in the unpack.

  8. #8
    enlighten us

  9. #9
    Kayaker
    What's with the PECompact2 string in the above code? Bogus? Double packed?
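The listing in post #4 is the trick post #3 calls an SEH chain: a handler address (0047CFCC) is pushed, FS:[0] is pointed at the new frame, and then MOV [EAX],ECX with EAX=0 faults on purpose so execution resumes in the handler; the bytes right after the faulting MOV are data, not code, which is why Olly turns them into the nonsense INC/OUTS/INS lines and why the PECompact2 string shows up there. As an added example (not code from the thread or from either debugger), here is a Python helper that rebuilds the byte stream from the quoted Olly listing, finds the handler-install + null-write sequence, and reads the bytes after the fault as a C string:

```python
import re
# Constructed sample: the first lines of the OllyDbg listing quoted in post #4;
# only the address and opcode-byte columns are parsed.
LISTING = """\
0043F000     B8 CCCF4700         MOV EAX,Proc_324.0047CFCC
0043F005     50                  PUSH EAX
0043F006     64:FF35 00000000    PUSH DWORD PTR FS:[0]
0043F00D     64:8925 00000000    MOV DWORD PTR FS:[0],ESP
0043F014     33C0                XOR EAX,EAX
0043F016     8908                MOV DWORD PTR DS:[EAX],ECX
0043F018     50                  PUSH EAX
0043F019     45                  INC EBP
0043F01A     43                  INC EBX
0043F01B     6F                  OUTS DX,DWORD PTR ES:[EDI]
0043F01C     6D                  INS DWORD PTR ES:[EDI],DX
0043F01D     70 61               JO SHORT Proc_324.0043F080
0043F01F     637432 00           ARPL WORD PTR DS:[EDX+ESI],SI
"""

# PUSH FS:[0] / MOV FS:[0],ESP install an SEH frame, then XOR EAX,EAX /
# MOV [EAX],ECX writes to address 0 on purpose so the handler runs instead.
SEH_NULL_WRITE = bytes.fromhex("64FF3500000000" "64892500000000" "33C0" "8908")
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+(.+?)\s{2,}\S")

def listing_to_bytes(listing):
    """Rebuild the raw byte stream; refuse listings whose addresses have gaps."""
    blob, expected = bytearray(), None
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if expected is not None and addr != expected:
            raise ValueError("gap in listing at %08X" % addr)
        chunk = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", m.group(2)))
        blob += chunk
        expected = addr + len(chunk)
    return bytes(blob)

def find_seh_null_write(blob):
    """Offset of the handler-install + null-write sequence, or -1 if absent."""
    return blob.find(SEH_NULL_WRITE)

def embedded_string_after_fault(blob):
    """Bytes after the faulting MOV never execute in line; read them as a C string."""
    off = find_seh_null_write(blob)
    if off < 0:
        return None
    data = blob[off + len(SEH_NULL_WRITE):].split(b"\x00", 1)[0]
    return data.decode("ascii", "replace")
```

On the quoted listing this returns "PECompact2", i.e. the string Kayaker asks about sits in the dead bytes behind the deliberate fault, not in reachable code.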
