{
	"id": "e04cc4cd-8763-4b4c-aae1-a15fb1a79666",
	"created_at": "2026-04-06T00:22:38.754788Z",
	"updated_at": "2026-04-10T03:20:36.34313Z",
	"deleted_at": null,
	"sha1_hash": "b8c93be93e78b20dfb884e9c275da779ba20368f",
	"title": "Manual Unpacking IcedID Write-up",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1072747,
	"plain_text": "Manual Unpacking IcedID Write-up\r\nPublished: 2020-08-16 · Archived: 2026-04-05 20:18:18 UTC\r\nSample hash:\r\nSHA256: 76cd290b236b11bd18d81e75e41682208e4c0a5701ce7834a9e289ea9e06eb7e\r\nTools:\r\nPE file static analysis: PortExAnalyzer; PE-bear\r\nDebugger \u0026 plugin: x64dbg + ScyllaHide Anti-Anti-Debug\r\naPLib decompression: aplib-ripper\r\n1. Static Analysis\r\nThrow the sample to PortEx Analyzer; the tool analyses the file with a special focus on malformations. We get the results:\r\nThe section .text has high entropy, so the sample may be packed:\r\nhttps://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/\r\nPage 1 of 6\n\nThis sample is PE32 with ASLR enabled (this feature can be quickly disabled by using setdllcharacteristics):\r\nThis sample reveals information about the PDB path:\r\nSome anomalies were identified by PortEx:\r\n2. Dynamic Analysis\r\nLoad the specimen into x64dbg. For the unpacking process, we set breakpoints on some common APIs:\r\nVirtualAlloc\r\nVirtualProtect\r\nCreateProcessInternalW\r\nWriteProcessMemory\r\nAfter placing the breakpoints as in the picture above, press F9 to execute. First hit at VirtualAlloc:\r\nExecute till Return (Ctrl+F9) and Follow in Dump the allocated memory (returned in the EAX register):\r\nContinue running with F9, hit the second call to VirtualAlloc and observe the changes in the allocated memory. We see new byte values written to this location; it is likely shellcode:\r\nOnce again, Ctrl+F9 and Follow in Dump the newly allocated memory:\r\nLet’s continue executing and hit the third call to VirtualAlloc; some bytes were written to the newly allocated memory. They do not look like shellcode but could be data that the malicious code uses:\r\nContinuing to execute to the next call to the VirtualAlloc function, we have another newly allocated memory region:\r\nPress F9; we break at VirtualProtect. The newly allocated region has been filled with bytes. I spotted a PE file that has been compressed using aPLib, because the PE magic bytes MZ became M8Z.\r\nFollow this region in the Memory Map and dump it to a file:\r\n3. Decompress the dumped file\r\nFrom the command line, simply pass the dumped file to aprip.py. The tool will do its job and write each extracted file to “dump0.bin”, “dump1.bin”, …\r\nCheck dump0.bin (21dd005162c62af26f3f59e2ebcb345c) with PE-bear: AddressOfEntryPoint = 0x0000163D\r\nValid IATs:\r\nEnd!\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/"
	],
	"report_names": [
		"manual-unpacking-icedid-write-up"
	],
	"threat_actors": [],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b8c93be93e78b20dfb884e9c275da779ba20368f.pdf",
		"text": "https://archive.orkl.eu/b8c93be93e78b20dfb884e9c275da779ba20368f.txt",
		"img": "https://archive.orkl.eu/b8c93be93e78b20dfb884e9c275da779ba20368f.jpg"
	}
}