A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
#28638 by heart888
Wed Jun 08, 2016 5:38 am
I was trying to de-obfuscate data created in a registry key by the Kovter malware. I tried to use JSDetox but failed. Has someone tried to do it? I appreciate any help to decode it. Thanks. I attached a sample.
#28657 by EP_X0FF
Fri Jun 10, 2016 9:13 am
There are not so many RegSetValueEx calls in the final payload. Probably you should bp at them. This malware is a container type: VB crypter -> Dropper with encrypted payload in resource -> Actual Delphi Kovter with some encrypted stuff in resource (probably cfg). So get the actual malware from the dropper and run it under a debugger.