hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Failed reconstructing one of the Emotet's payloads #33

Status: Closed (closed by hasherezade 5 years ago)

hasherezade commented 5 years ago

Test case

0a4962325cf05ea602081647da910866d0d747abbb5d3340dfa721cdd93e9ba5 - Emotet

Problem

Emotet has 2 payloads. One of them is reconstructed correctly, while the other is not.

[image: dumped]

Both payloads are detected:

[image: payloads]

The header of the payload that is not reconstructed is corrupt (we can see, i.e., an invalid Machine Id):

[image: invalid_hdr]
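The corrupt header shown in the issue is the kind of defect a quick sanity check over a dump catches before anyone opens it in a disassembler. The following is an added example, not pe-sieve's own code: it parses the DOS and COFF headers of a dumped image and reports an unknown Machine value, a bad optional-header magic, or a mismatch between the two. The sample headers it builds are constructed inline for the demonstration, and the set of accepted Machine values is an assumption limited to the common Windows targets.

```python
import struct
from typing import List

# IMAGE_FILE_MACHINE_* values for the usual Windows targets.
# Assumption: anything outside this set is treated as suspicious.
KNOWN_MACHINES = {
    0x014C: "I386",
    0x8664: "AMD64",
    0x01C0: "ARM",
    0x01C4: "ARMNT",
    0xAA64: "ARM64",
}
# Optional header Magic: PE32 (32-bit) or PE32+ (64-bit).
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

COFF_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp,
                        # PointerToSymbolTable, NumberOfSymbols,
                        # SizeOfOptionalHeader, Characteristics (20 bytes)


def check_pe_header(data: bytes) -> List[str]:
    """Return a list of problems found in the PE headers (empty = looks sane)."""
    problems: List[str] = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ signature"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + COFF header (20) + optional header Magic (2).
    if e_lfanew + 26 > len(data):
        return [f"e_lfanew 0x{e_lfanew:x} points outside the buffer"]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return [f"missing PE signature at 0x{e_lfanew:x}"]

    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        problems.append(f"unknown Machine 0x{machine:04x}")
    if nsections == 0 or nsections > 96:   # 96 is the loader's hard limit
        problems.append(f"implausible NumberOfSections {nsections}")
    if opt_size < 2:
        problems.append(f"SizeOfOptionalHeader {opt_size} too small")

    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if magic not in OPTIONAL_MAGIC:
        problems.append(f"unknown optional header Magic 0x{magic:04x}")
    # Bitness of Machine and Magic must agree; a mismatch usually means
    # the header was rebuilt from the wrong template or is simply garbage.
    elif machine == 0x014C and magic != 0x10B:
        problems.append("I386 Machine with PE32+ Magic")
    elif machine in (0x8664, 0xAA64) and magic != 0x20B:
        problems.append("64-bit Machine with PE32 Magic")
    return problems


def build_sample(machine: int, magic: int, nsections: int = 3) -> bytes:
    """Construct a minimal DOS stub + COFF header + optional header Magic.
    Constructed test data only; not a real dump."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after stub
    coff = struct.pack(COFF_FMT, machine, nsections, 0, 0, 0, 0xF0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic) + bytes(0xEE)


if __name__ == "__main__":
    for label, blob in (("good x86", build_sample(0x014C, 0x10B)),
                        ("good x64", build_sample(0x8664, 0x20B)),
                        ("bad machine", build_sample(0xFFFF, 0x10B)),
                        ("bitness mismatch", build_sample(0x8664, 0x10B))):
        print(label, "->", check_pe_header(blob) or "OK")
```

Run it against `PE-sieve`'s `.dmp` output: a dump whose report lists it as a valid PE but which fails this check is worth a second look at the reconstruction rather than at the sample.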

hasherezade commented 5 years ago

After the changes, both payloads are reconstructed correctly.

Report:

[image: rec1]

Dumps:

[image: rec2]