Closed bartblaze closed 4 years ago
Thank you for reporting! I will check it soon.
Can you share what exactly the invalid result was that you got?
I ran it and got valid PEs unpacked:
process_2456.zip (pass: infected)
I ran it again and now they are dumped. Perhaps it was an issue with my VM. I'll keep an eye on it should it happen again and will send you the logs. Thanks for looking into it so quickly! :+1:
PE-sieve version: v0.2.6
Hash: ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7
Seems like PE-sieve can't read the remote PE at a specific offset - looks like an invalid address?
FYI, this is the new Bazar malware (loader module specifically): https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/