Extracting and viewing bundled malware in EXE file

Introduction

This tutorial will guide you through the process of extracting and analyzing potentially bundled malware from an executable file. By following these steps, you'll learn how to identify malicious components, utilize various tools for analysis, and safely extract the desired executable while avoiding harmful malware.

Step 1: Identify the Executable Type

• Download the suspicious executable file, such as video_editor_x64.exe.
• Right-click the file and check its properties:
  • Look for missing details under the "Details" tab, which may indicate a problem.
• Use PEiD to determine if it is a valid Portable Executable (PE) file:
  • Open PEiD and load the executable.
  • Check for signs of a Nullsoft self-extracting executable, which could indicate potential malware.

Step 2: Analyze with Virus Scanners

• Upload the executable to VirusTotal:
  • Check for detection rates and read comments related to its status.
  • Take note of any hits, especially if it’s classified as a Nullsoft executable.
• Use Hybrid Analysis for deeper insights:
  • Review the report for indicators of malicious behavior, such as file drops or network activity.
  • Pay attention to any flagged URLs or suspicious DLL files.

Step 3: Extract Contents Safely

• Use 7-Zip to extract files from the executable:
  • Open the executable with 7-Zip to see its contents.
  • Look for DLLs and any files that may be part of the original program.
• Identify the original executable file from the extracted contents:
  • Rename any suspicious files if necessary to match common executable formats (e.g., rename B to B.exe).

Step 4: Examine the Extraction Script

• Utilize Universal Extractor to pull out the installation script:
  • Run Universal Extractor on the executable and output the script files.
• Analyze the script using Notepad++ or similar tools:
  • Look for any commands that indicate malicious behavior or unwanted installation processes.

Step 5: Analyze DLL Files

• Open extracted DLL files in CFF Explorer:
  • Check the PE header and characteristics to confirm file types.
  • Look for any suspicious functions or exported methods that might indicate malware.
• Use Ghidra for deeper analysis of the DLL files:
  • Load the DLL files to analyze their code and structure.
  • Search for strings and functions to understand their purpose and behavior.

Step 6: Confirm Malicious Behavior

• Re-upload the DLL files to VirusTotal for additional scanning:
  • Check for any detections or associations with known malware.
• Research any suspicious file names or functionalities:
  • Use online resources to gather information about specific malware types flagged during analysis.

Conclusion

By following these steps, you can effectively extract and analyze bundled malware within executable files. This process not only helps in identifying malicious components but also ensures you recover the original executable safely. For future prevention, always scan downloaded files and be cautious of executables that lack proper documentation or show signs of unusual behavior. Consider diving deeper into malware analysis techniques and tools to enhance your skills further.