{
	"id": "6aa53db0-a11e-4525-88ae-c3aae2498754",
	"created_at": "2026-04-06T01:31:49.482729Z",
	"updated_at": "2026-04-10T03:20:37.627146Z",
	"deleted_at": null,
	"sha1_hash": "941127caec9550dd92cab5026f065346179ba63d",
	"title": "Unpacking Clop",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1880653,
	"plain_text": "Unpacking Clop\r\nBy Sebdraven\r\nPublished: 2019-12-02 · Archived: 2026-04-06 01:04:01 UTC\r\nOn Twitter, a good analysis of the Clop ransomware has been done, but nothing on the unpacking.\r\nThe packer has three stages.\r\nThe first stage is an allocation and de-XORing of the overlay in the function FUN_00401000:\r\nlocal_c = (code *)VirtualAllocEx((HANDLE)0xffffffff,(LPVOID)0x0,0x1c20,DAT_0043f0dc,0x40)\r\nwhile (local_40 \u003c 900) {\r\nlocal_80 = DAT_00426260;\r\nuVar1 = *(int *)(\u0026DAT_00426264 + local_40 * 4) - local_40 ^ DAT_00426260;\r\nlocal_24 = local_24 + -0x438;\r\nlocal_84 = (uVar1 \u003c\u003c 7 | uVar1 \u003e\u003e 0x19) ^ DAT_00426260;\r\n*(uint *)(local_c + local_40 * 4) = local_84;\r\nlocal_40 = local_40 + 1;\r\n}\r\nhttps://medium.com/@Sebdraven/unpacking-clop-416b83718e0f\r\nPage 1 of 5\r\nThe dropper jumps into the shellcode with:\r\n00401317 call dword ptr ds:[440D04]\r\nThe second stage is the execution of the shellcode in six steps.\r\nThe first step is to allocate a new page with VirtualAlloc.\r\nThe second step decodes a compressed PE.\r\nThe third step is a decompression of the payload without import table in 3B010.\r\nThe fourth step is reconstruction of the import table in 3B0910.\r\nThe fifth step is the wipe of the loader in memory.\r\nAnd the last stage is the copy of the real payload with the function 3B0910.\r\nAnd jump to the new entrypoint in dword ptr [ebp-58]=[0012FB84]=m.00407BB3\r\nNow you have the real Clop malware to follow the analysis of Minhee Lee.\r\nSource: https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f"
	],
	"report_names": [
		"unpacking-clop-416b83718e0f"
	],
	"threat_actors": [],
	"ts_created_at": 1775439109,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/941127caec9550dd92cab5026f065346179ba63d.pdf",
		"text": "https://archive.orkl.eu/941127caec9550dd92cab5026f065346179ba63d.txt",
		"img": "https://archive.orkl.eu/941127caec9550dd92cab5026f065346179ba63d.jpg"
	}
}