
Themida and VMProtect-Protected Malware Can Be Analyzed to Expose Its Crucial Information

DUBAI, DUBAI, UNITED ARAB EMIRATES, June 18, 2024 /EINPresswire.com/ -- ANY.RUN, a leading provider of cybersecurity solutions, published research on the use of the popular code protectors Themida and VMProtect in malware and on their effectiveness in concealing malicious functionality.

๐“๐ก๐ž๐ฆ๐ข๐๐š ๐š๐ง๐ ๐•๐Œ๐๐ซ๐จ๐ญ๐ž๐œ๐ญ ๐ข๐ง ๐Œ๐š๐ฅ๐ฐ๐š๐ซ๐ž
Malware authors often employ protectors like Themida and VMProtect in an attempt to prevent analysts from reverse engineering malicious code.

These protectors allow malware developers to use sophisticated techniques to hide malicious functionality, including through code virtualization, obfuscation, anti-debugging, compression, and encryption.

๐€๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ ๐จ๐Ÿ ๐๐ซ๐จ๐ญ๐ž๐œ๐ญ๐ž๐ ๐Œ๐š๐ฅ๐ฐ๐š๐ซ๐ž ๐’๐š๐ฆ๐ฉ๐ฅ๐ž๐ฌ ๐›๐ฒ ๐€๐๐˜.๐‘๐”๐ ๐ญ๐ž๐š๐ฆ
The research team at ANY.RUN analyzed six samples from different malware families that use Themida and VMProtect. The analysts found that none of the samples used code virtualization, making the analysis process much simpler.

Only one sample had anti-debugging enabled, and the malware code itself was largely unprotected, except for the initial stages of compression and decryption. This enabled the team to extract crucial information from the malware samples' code, including command-and-control (C2) addresses, important strings, etc.

๐ˆ๐ฆ๐ฉ๐ฅ๐ข๐œ๐š๐ญ๐ข๐จ๐ง๐ฌ ๐Ÿ๐จ๐ซ ๐‚๐ฒ๐›๐ž๐ซ๐ฌ๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐๐ซ๐จ๐Ÿ๐ž๐ฌ๐ฌ๐ข๐จ๐ง๐š๐ฅ๐ฌ
The research findings highlight a clear trend: most malware families overlook crucial features like virtualization, making reverse engineering significantly easier. In essence, these families use protectors as basic packers, providing minimal obstruction to analysis.

Learn more details about the research on ANY.RUN's blog.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐
ANY.RUN's suite of cybersecurity products includes an interactive sandbox and a Threat Intelligence portal. Serving 400,000 professionals around the world, the sandbox offers a streamlined approach to analyzing malware families that target both Windows and Linux systems. Meanwhile, ANY.RUN's Threat Intelligence services, which include Lookup, Feeds, and YARA Search, enable users to quickly gather information about threats and respond to incidents with greater speed and precision.

Veronika Trifonova
ANYRUN FZCO
+1 657-366-5050