Closed hasherezade closed 3 years ago
Sample: 5c77d41394b0af55ecb0b458af391bbea9ac1b76555fe574bcaea0bc3851783b - Ursnif (unpacked)
This malware manually loads the payload: fda3439c3d23b729daea5b9d6c775b37318f1ab4052f3c07d068efba250a860d
The payload is detected and dumped with PE-sieve, yet the dump is incomplete. The .bss section is missing (empty), because it was set as inaccessible:
.bss
However, x64dbg is able to read it:
This type of content should be read by PE-sieve too.
As a result of the changes, a valid .bss section was dumped:
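Added illustration of what the fix has to do, not code from PE-sieve or from the issue author: a dumper walks the target's memory with VirtualQueryEx, and for every committed chunk that is not readable (PAGE_NOACCESS like the .bss here, or a PAGE_GUARD page) it temporarily switches the protection with VirtualProtectEx, reads it, and restores the original protection. The planning part (`temp_protection`, `plan_reads`) is plain Python and runs anywhere; only `read_section` touches Win32 via ctypes. Constants are the winnt.h values; the region tuples in the usage note are constructed sample data, not from the Ursnif sample.

```python
"""Read a PE section from another process even when its pages are PAGE_NOACCESS.

Added illustration (not PE-sieve code).  Region tuples mirror what
VirtualQueryEx reports: (base, size, state, protect).
"""
import ctypes
import sys

# Win32 memory protection / state constants (values from winnt.h)
PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_WRITECOPY         = 0x08
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD             = 0x100
MEM_COMMIT             = 0x1000

READABLE = {PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY,
            PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def temp_protection(protect):
    """Protection to set before reading, or None if the page is already readable.

    PAGE_GUARD must be cleared first: touching a guard page raises
    STATUS_GUARD_PAGE_VIOLATION and consumes the target's own guard.  Execute-only
    pages keep their execute bit; everything else (PAGE_NOACCESS, the .bss case)
    gets the least privilege that allows a read.
    """
    base = protect & 0xFF
    if not (protect & PAGE_GUARD) and base in READABLE:
        return None
    if base == PAGE_EXECUTE:
        return PAGE_EXECUTE_READ
    if base in READABLE:          # readable but guarded: only drop PAGE_GUARD
        return base
    return PAGE_READONLY


def plan_reads(regions, start, size):
    """Clip [start, start+size) against the region list.

    Returns (addr, length, new_protect) per committed chunk; new_protect is None
    when the chunk is readable as-is.  Reserved/free regions are skipped, so the
    dump zero-fills them instead of aborting on the first failed read.
    """
    end = start + size
    plan = []
    for base, rsize, state, protect in regions:
        lo, hi = max(base, start), min(base + rsize, end)
        if lo >= hi or state != MEM_COMMIT:
            continue
        plan.append((lo, hi - lo, temp_protection(protect)))
    return plan


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_ulong),
                ("Protect", ctypes.c_ulong),
                ("Type", ctypes.c_ulong)]


def walk_regions(hproc, start, size):
    """Enumerate VirtualQueryEx regions covering [start, start+size) (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.c_void_p, ctypes.c_size_t]
    regions, addr, mbi = [], start, MEMORY_BASIC_INFORMATION()
    while addr < start + size:
        if not k32.VirtualQueryEx(hproc, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            break
        base = mbi.BaseAddress or 0
        regions.append((base, mbi.RegionSize, mbi.State, mbi.Protect))
        addr = base + mbi.RegionSize
    return regions


def read_section(hproc, start, size):
    """Dump a section, temporarily unprotecting the chunks that are not readable."""
    if sys.platform != "win32":
        raise OSError("Win32 only")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualProtectEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                                     ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    out = bytearray(size)                      # unreadable/uncommitted chunks stay zero
    for addr, length, new_prot in plan_reads(walk_regions(hproc, start, size), start, size):
        buf, got, old = (ctypes.c_char * length)(), ctypes.c_size_t(0), ctypes.c_ulong(0)
        if new_prot is not None and not k32.VirtualProtectEx(hproc, addr, length,
                                                             new_prot, ctypes.byref(old)):
            continue
        try:
            if k32.ReadProcessMemory(hproc, addr, buf, length, ctypes.byref(got)):
                out[addr - start: addr - start + got.value] = buf.raw[:got.value]
        finally:
            if new_prot is not None:           # always put the original protection back
                k32.VirtualProtectEx(hproc, addr, length, old.value, ctypes.byref(old))
    return bytes(out)
```

With a constructed layout such as `[(0x10000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ), (0x11000, 0x1000, MEM_COMMIT, PAGE_NOACCESS)]`, `plan_reads` leaves the first chunk alone and schedules the PAGE_NOACCESS one for a temporary PAGE_READONLY. Restoring the protection in `finally` matters: a payload that deliberately makes its .bss inaccessible may check or rely on that state, and a dumper should leave the process as it found it.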