This post is part of the series of Practical Malware Analysis Exercises.
This was was detected as malicious by 38 scanners.
Lab01-03.exe
- MD5:
9c5c27494c28ed0b14853b346b113145 - SHA256:
7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4f050f0aec - File name: Lab01-03.exe
- Detection ratio: 38 / 47
- Analysis date: 2013-11-13 05:48:45 UTC ( 1 hour, 40 minutes ago )
This is packed. The only imports are LoadLibrary and GetProcAddress, the PE sections are
nameless, the virtual size of sections are much larger than the disk size, and PEiD
identified the packer as FSG 1.0.
Found manual processes for unpacking FSG 1.0, and references to "EP tricks." It's possible with more work.
PEiD: FSG v1.00 (Eng) -> dulek/xt
FSG 1.0 unpacking:
The only visible imports are used for unpacking.
KERNEL32.DLL
- LoadLibraryA
- GetProcAddress
Can't find anything useful.
Strings analysis shows OLE related contents.
0000000011C5 0000004041C5 0 ole32.vd
0000000011F4 0000004041F4 0 }OLEAUTLA
OLEAUT32.DLL is for OLE technologies. Header hashes? Can't get much more than that without going deeper.