EIP=0x41414141

hacking, reversing and other stuff

Mar 30, 2017 - 1 minute read - malware Ransomware dfir gif exe hide

Trojan-Ransom.Win32.Foreign hides payload exe in gif file

I have written a Go command-line tool to extract the exe from the gif file as used by this malware.

As a sample input file you can use the gif with SHA1 724fa6b4a6a9cff08cae34cc079ef70d80378b32; the extracted exe should have SHA1 83f7ce3f6c0a7a92d9b225eb6a2953b761601c58. Both files are available from VirusTotal, so the hash of the extracted file can be checked against the known sample.

You can also download the sample gif with the hidden exe locally as a zip archive. Use `infected` as the password for the zip file.