With "More advanced unpacking - Part II" I show you how to decrypt an infamous real-life malware called WSNPOEM, aka Infostealer.Banker.C. The binaries are usually created with a tool called ZEUS Builder, and there are lots of different versions in the wild. I found samples with and without rootkit functionality, as well as "on-top packed" binaries, meaning they are additionally protected/packed with tools like ASPack, ACProtect, PolyCrypt and so forth. We will discuss all three types and how to deal with them in three different ways:
1. Manual unpacking + import fixing
2. Manual unpacking + Auto import fixing
3. Auto unpacking/import fixing
Stage 2 introduces a nice tool called "Universal Import Fixer" and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.
http://www.reconstructer.org/papers/More%20advanced%20unpacking%20-%20Part%20II.zip
