hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
https://hshrzd.wordpress.com/pe-sieve/
BSD 2-Clause "Simplified" License

Could not read the remote PE #58

Closed bartblaze closed 4 years ago

bartblaze commented 4 years ago

PE-sieve version: v0.2.6
Hash: ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7

Seems like PE-sieve can't read the remote PE at a specific offset - looks like an invalid address?

FYI, this is the new Bazar malware (loader module specifically): https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/

hasherezade commented 4 years ago

Thank you for reporting! I will check it soon.

hasherezade commented 4 years ago

Can you share exactly what the invalid result was that you got?

hasherezade commented 4 years ago

I ran it and got valid PEs unpacked:

(screenshot: unpacked_bazar)

process_2456.zip (pass: infected)

bartblaze commented 4 years ago

I ran it again and now they are dumped. Perhaps it was an issue with my VM. I'll keep an eye on it should it happen again and will send you the logs. Thanks for looking into it so quickly! :+1: