Manual Unpacking IcedID Write-up
Published: 2020-08-16 · Archived: 2026-04-05 20:18:18 UTC
Sample hash:
SHA256: 76cd290b236b11bd18d81e75e41682208e4c0a5701ce7834a9e289ea9e06eb7e
Tools:
PE files static analysis: PortExAnalyzer; PE-bear
Debugger & plugin: x64dbg + ScyllaHide Anti-Anti-Debug
Aplib decompress: aplib-ripper
1. Static Analysis
Thow the sample to PortEx Analyzer, tool will analyse file with a special focus on malformation. We get the
results:
The section .text has high entropy, so may be the sample is packed:
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
Page 1 of 6

This sample is PE32 with ASLR enabled (can quickly disable this feature by using setdllcharacteristics):
This sample reveals information about the pdb path:
Some anomalies were identified by PortEx:
2. Dynamic Analysis
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
Page 2 of 6

Load specimen to x64dbg, for unpacking process, we set breakpoints at some common APIs:
VirtualAlloc
VirtualProtect
CreateProcessInternalW
WriteProcessMemory
After placing the breakpoints like above picture, press F9 to execute. First hit at VirtualAlloc :
Execute till Return ( Ctrl+F9 ) and Follow in dump the allocated memory (return in EAX register):
Continue run with F9 , hit the second call to VirtualAlloc and observe changes in the allocated memory. We
see new bytes value was written to this location and it is likely a shellcode:
Once again, Ctrl+F9 and Follow in dump the new allocated memory:
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
Page 3 of 6

Let’s continue execute and hit the third call to VirtualAlloc , some bytes were written to the new allocated
memory. They do not look like shellcode but could be some data that malicious code uses:
Continuing to execute the call to the VirtuallAlloc function, we have a newly allocated memory:
Press F9 , we break at VirtualProtect . The newly allocated device has been filled with bytes. I spotted a PE
file that has been compressed using aPlib because the PE magic bytes MZ become M8Z .
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
Page 4 of 6

Follow this section in the Memory Map and dump it to file:
3. Decompress dumped file
From the command line, simply need to pass dumped file to aprip.py . The tool will do its job and each
extracted file will be written to a file “dump0.bin”, “dump1.bin”, …
Check dump0.bin (21dd005162c62af26f3f59e2ebcb345c) with PE-bear: AddressOfEntryPoint = 0x0000163D
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
Page 5 of 6

Valid IATs:
End!
m4n0w4r
Source: https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
Page 6 of 6