{
	"id": "1832dd36-a75a-4939-bf25-1f885e984961",
	"created_at": "2026-04-06T00:07:32.220538Z",
	"updated_at": "2026-04-10T13:11:42.729474Z",
	"deleted_at": null,
	"sha1_hash": "a110bf6a45338c21fae5484ed6c4c33961beeeb7",
	"title": "Unpacking and Decrypting FlawedAmmyy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 28987,
	"plain_text": "Unpacking and Decrypting FlawedAmmyy\r\nBy Created by:Mike Downey\r\nArchived: 2026-04-05 16:36:34 UTC\r\nMalware authors commonly utilize packers (Roccia, 2017) as a method of concealing functionality and\r\ncharacteristics of their malicious code, making an analyst's job more difficult. Second stage executables may also\r\nbe encrypted, requiring the analyst to gather an understanding of how this code is manipulated. The ability to\r\nunpack and decrypt malicious software is a critical step in understanding intent and the scope of malware\r\ncapabilities. The goal of this paper is to provide real-world application of the unpacking and decoding techniques\r\nrequired to analyze a remote access Trojan (RAT) known as FlawedAmmyy. While basic static and dynamic\r\nanalysis will not be covered, this paper will focus on the step-by-step procedures to unpack and decrypt a\r\nFlawedAmmyy sample within a debugger.\r\nSource: https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930\r\nhttps://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930"
	],
	"report_names": [
		"unpacking-decrypting-flawedammyy-38930"
	],
	"threat_actors": [],
	"ts_created_at": 1775434052,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a110bf6a45338c21fae5484ed6c4c33961beeeb7.pdf",
		"text": "https://archive.orkl.eu/a110bf6a45338c21fae5484ed6c4c33961beeeb7.txt",
		"img": "https://archive.orkl.eu/a110bf6a45338c21fae5484ed6c4c33961beeeb7.jpg"
	}
}