Unpacking (AutoIT) a Persistent RemcosRAT
In this case RemcosRAT is packed with AutoIt, and we will be using x64dbg to unpack the sample.

Packed Sample – d017b85238bc37936397fca235c6a004b659dda441cfd34cc8d00710e47b0496

We’ll set the initial breakpoints on the following calls to detect possible code injection and to bypass debugger detection:

- VirtualProtect
- VirtualAlloc
- IsDebuggerPresent
- CreateProcessInternalW

IsDebuggerPresent gets hit multiple times, and we can bypass it by changing the return […]
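The breakpoint setup described above, written as an x64dbg script so it can be replayed on each run. This is an added example, not part of the original post: it assumes a 32-bit debuggee (AutoIt builds are typically 32-bit, so the return value lives in `eax`; use `rax` for a 64-bit target), that the four exports resolve after the process has loaded kernel32/kernelbase, and that the analyst runs it from the script tab once the sample is paused at its entry point.

```x64dbg
// Added example (not from the original post): replay the unpacking breakpoints in x64dbg.
// Assumes a 32-bit debuggee paused at the entry point; adjust eax->rax for 64-bit.

// Breakpoints that reveal staging and injection of the unpacked payload.
bp VirtualAlloc
bp VirtualProtect
bp CreateProcessInternalW

// Log the interesting arguments on each hit so the memory regions can be
// dumped later (arg.get(n) reads the n-th stack argument at the call boundary).
SetBreakpointLog VirtualAlloc, "VirtualAlloc size={arg.get(1)} protect={arg.get(3)}"
SetBreakpointLog VirtualProtect, "VirtualProtect addr={arg.get(0)} size={arg.get(1)} newprot={arg.get(2)}"
SetBreakpointLog CreateProcessInternalW, "CreateProcessInternalW hit (possible hollowing/injection target)"

// Anti-debug check: IsDebuggerPresent is called repeatedly, so instead of
// patching each call site we break on it, run to its return, and report 0.
bp IsDebuggerPresent

loop:
    erun                        // resume until the next breakpoint
    cmp cip, IsDebuggerPresent  // did we stop on the anti-debug check?
    jne done                    // no: stopped on an injection breakpoint, hand back to the analyst
    rtr                         // run to the function's return instruction
    eax = 0                     // claim that no debugger is attached
    jmp loop                    // keep going until a non-anti-debug breakpoint fires

done:
    log "Stopped at {cip}: inspect the logged VirtualAlloc/VirtualProtect regions for the unpacked stage"
    ret
```

When the script returns, the debugger is parked on VirtualAlloc, VirtualProtect, or CreateProcessInternalW rather than on the anti-debug check, and the log window holds the addresses and protections that were requested, which is the information needed to locate and dump the decrypted RemcosRAT stage before it is executed or injected.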