Saturday, April 7, 2018

A sample analysis walkthrough with RETouch

Here is an example of how to analyze a malware sample with RETouch. The sample's SHA256 hash is 63eaddbbe91031cb1d8f38cdbc679adacd232f97bbc061f02073d909c11c1594 and it can be found on VirusTotal. First I open the data file 63eaddbbe91031cb1d8f38cdbc679adacd232f97bbc061f02073d909c11c1594.bin (a Word document). If I didn't know the SHA256, I would get the checksums first.
RETouch can calculate the most commonly used hashes: MD5, SHA1 and SHA256.
Next, I check the strings that this binary file contains.
One string catches the eye: "powershell". The strings that follow look a lot like Base64-encoded data.
To extract the Base64 data, I open the binary file in hex view mode. After locating the string "powershell", I select the text that follows until I reach an '=' character. Note that Base64 only carries '=' padding when the input length is not a multiple of three, so a run may end without any '='; in that case select up to the first byte that is outside the Base64 alphabet (A-Z, a-z, 0-9, '+', '/').
I paste the text copied from the hex view and convert the Base64 to binary data.
The hex dump of the converted data has a zero in almost every second byte. This indicates that it is probably UTF-16LE ("Unicode") text, which is exactly the encoding PowerShell's -EncodedCommand parameter expects, so this is what encoded PowerShell normally looks like after Base64 decoding.
The text really was UTF-16 encoded. Now I have PowerShell code that builds a string from numeric character values. I select only the string-building part of the code and execute it (in an isolated analysis VM, and never the part that passes the result to Invoke-Expression).
That gives the final, unobfuscated code.
What the code actually does is not relevant here. The relevant thing is that RETouch has done its job.
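The same pipeline (hash, strings, Base64 run after "powershell", UTF-16LE check, static rebuild of the char-array string) as a scripted version, added here as an example; this is not RETouch's code and not the real document from this post. The input bytes are a constructed stand-in that embeds an encoded PowerShell one-liner using the "[char[]](n,n,...)" pattern the walkthrough describes, and the last step rebuilds that string statically instead of executing any PowerShell, so it is safe to run on a real sample too.

```python
import base64
import hashlib
import re

# Constructed sample (NOT the real maldoc): a few non-printable bytes around a
# command line that carries Base64-encoded, UTF-16LE PowerShell. The inner
# script builds its real command from numeric char values and IEX-es it.
_FINAL = "Write-Output 'decoded'"
_INNER = ("$s = -join [char[]](" + ",".join(str(ord(c)) for c in _FINAL)
          + "); IEX $s")
SAMPLE = (b"\x00\x00\x01filler\x00"
          + b"cmd /c powershell -NoP -NonI -W Hidden -enc "
          + base64.b64encode(_INNER.encode("utf-16le"))
          + b"\x00\x00trailing")


def hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the file, as RETouch's hash view shows them."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, equivalent to a strings view."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# A Base64 run: alphabet characters, then optional padding. Matching on the
# alphabet rather than cutting at the first '=' also handles unpadded data.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{20,}={0,2}")


def base64_after(data: bytes, marker: bytes = b"powershell") -> bytes:
    """First Base64-looking run after `marker` (case-insensitive), or b''."""
    idx = data.lower().find(marker.lower())
    if idx < 0:
        return b""
    m = _B64_RUN.search(data, idx + len(marker))
    return m.group() if m else b""


def looks_like_utf16le(blob: bytes, threshold: float = 0.9) -> bool:
    """The 'zero in every second byte' heuristic: for ASCII text stored as
    UTF-16LE, the high byte of each code unit is 0."""
    if len(blob) < 4:
        return False
    high = blob[1::2]
    return high.count(0) / len(high) >= threshold


def decode_encoded_command(b64: bytes) -> str:
    """Base64 -> bytes -> text, re-adding padding if the run had none."""
    raw = base64.b64decode(b64 + b"=" * (-len(b64) % 4))
    if looks_like_utf16le(raw):
        return raw.decode("utf-16le")
    return raw.decode("latin-1")


# Matches the string-building construct assumed here: [char[]](87,114,...)
_CHAR_ARRAY = re.compile(r"\[char\[\]\]\s*\(([\d\s,]+)\)", re.IGNORECASE)


def rebuild_char_string(script: str) -> str:
    """Rebuild the string a [char[]](n,n,...) expression yields, statically,
    so nothing from the sample is ever executed."""
    m = _CHAR_ARRAY.search(script)
    if not m:
        return ""
    return "".join(chr(int(n)) for n in m.group(1).replace(" ", "").split(",") if n)


def analyze(data: bytes) -> dict:
    """Run the whole walkthrough over one file's bytes."""
    b64 = base64_after(data)
    script = decode_encoded_command(b64) if b64 else ""
    return {"sha256": hashes(data)["sha256"], "base64": b64,
            "utf16le": looks_like_utf16le(base64.b64decode(b64)) if b64 else False,
            "script": script, "rebuilt": rebuild_char_string(script)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value!r}")
```

The char-array regex only covers the one obfuscation shape the post mentions; other samples may use a different constructor (for example a pipeline of `[char]$_` casts), so treat a blank "rebuilt" field as "look at the decoded script by hand", not as "nothing there".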
