
Content

In this Twitch stream we continue our triage of this new loader that uses AMSI bypasses to avoid detection. In this part we focus on the injected x64 shellcode. The shellcode uses relative offsets to access data within itself, which poses some challenges for IDA, and it contains multiple encrypted strings as well as another embedded PE file.

Sample

43cc6ed0dcd1fa220283f7bbfa79aaf6342fdb5e73cdabdde67debb7e2ffc945

Notes

AMSI Bypass In The Wild - Taking a close look at this AsyncRAT loader with an AMSI bypass

Files

Live Stream VOD: AMSI Bypass Loader Part 2

"Live Stream VOD: AMSI Bypass Loader Part 2" by OALABS on Vimeo.

Comments

m4n0w4r

My Python script for recovering APIs from hashes: https://github.com/m4now4r/shellcode-analysis_recover-api-from-hashes