WEBVTT

1
00:01.130 --> 00:02.600
Hello and welcome back.

2
00:02.630 --> 00:11.180
In the previous video, we dumped this from memory, so now we can go and view it from here.

3
00:12.530 --> 00:18.680
Now note that the address you dumped from might be different from mine, so just follow yours.

4
00:18.980 --> 00:24.680
So now we can go and analyze with PE Bear and see whether we need to map it.

5
00:24.710 --> 00:29.240
So just open FLARE Utilities and fire up PE Bear.

6
00:32.640 --> 00:36.810
And then just drag the Remcos dump into there.

7
00:39.110 --> 00:45.470
So now if we take a look at the plots, we can see that everything is in order.

8
00:45.470 --> 00:54.470
So there is nothing to fix. It's not necessary to do unmapping. So now we can analyze this.

9
00:54.500 --> 01:03.770
We'll use PE Studio. Go to FLARE, look for PE Studio, and fire up PE Studio.

10
01:10.170 --> 01:10.410
All right.

11
01:10.410 --> 01:15.740
Taking a look at this, you can see that the entropy is low, 3.922.

12
01:15.750 --> 01:20.730
So that lends support to the conclusion that we have already successfully unpacked this.

13
01:21.450 --> 01:28.380
And look at the indicators now, so we can see some of the indicators here.

14
01:28.380 --> 01:33.900
The file contains another file in the overlay section over here.

15
01:34.440 --> 01:36.810
So that seems to be another embedded file here.

16
01:39.570 --> 01:43.210
Take a look at the directories.

17
01:44.160 --> 01:51.660
Sections, and you see they all have quite low entropy, less than seven, meaning that it is no longer packed.

18
01:56.150 --> 02:02.990
And see, these are some of the suspicious libraries, like ones for connecting to the Internet.

19
02:06.440 --> 02:10.910
Looking at imports, there are many imports used by Trojans.

20
02:11.330 --> 02:17.600
Enumerate service, open username, registry, creating registry, and so on.

21
02:20.920 --> 02:25.900
Connecting to the Internet, writing process memory, and allocating.

22
02:26.350 --> 02:28.510
All this is very highly suspicious.

23
02:32.640 --> 02:35.130
Set Windows Hook for keylogging.

24
02:40.010 --> 02:45.350
Here's one for enumerating the processes which are running on the computer.

25
02:48.830 --> 02:55.850
Terminate process to stop processes, shell execute, and so on.

26
02:55.880 --> 03:04.730
Suspicious load library to get external functions. Copying the keyboard data.

27
03:04.880 --> 03:06.350
Stealing information.

28
03:15.570 --> 03:16.740
Recording sounds.

29
03:18.510 --> 03:19.200
And so on.

30
03:21.600 --> 03:27.220
Look at strings, and you can see some registry keys here as well.

31
03:27.760 --> 03:33.250
And these two, Event Viewer, and these are typically used for privilege escalation.

32
03:45.400 --> 03:48.160
And you can see here some scripting languages as well.

33
03:49.000 --> 03:50.080
Shell scripts.

34
03:50.560 --> 03:51.430
This one as well.

35
03:52.120 --> 03:53.890
All are highly suspicious.

36
03:55.180 --> 03:58.450
Look at that, running VBS, VBScript.

37
04:07.020 --> 04:12.870
We have managed to unpack successfully and have gotten a lot of information about Remcos.

38
04:12.870 --> 04:20.220
So this completes our objective, which is to learn how to unpack Remcos using x64dbg.

39
04:20.760 --> 04:22.560
Thank you for watching.

40
04:22.840 --> 04:24.630
I'll see you in the next one.