UnpacMe 8.5.0 – Lightning Fast MalwareID Mode

With the release of version 8.5.0, we introduce a new analysis mode for rapid triage of malware that doesn’t require unpacking. Using MalwareID, we provide malware identification and extracted configurations within seconds.

Release 8.5.0 Highlights

  • New MalwareID analysis mode for fast malware identification and configuration extraction when unpacking is not required
  • New import hash search and PIVOTs
  • Updated extracted scripts view with download option and new script name search and PIVOTs
  • Detect It Easy updates with additional file information
  • YARA Hunt updates

MalwareID Mode

With the introduction of MalwareID, UnpacMe now offers two modes when uploading a sample for analysis.

  • Analyze mode (default) automatically determines the optimal path for analysis, including unpacking, malware identification, and configuration extraction.
  • MalwareID mode provides faster malware identification and configuration extraction for samples that do not require unpacking.

MalwareID completes analysis in seconds, making it ideal for rapid sample enrichment at either the beginning or end of an analyst's workflow. On the front end, it filters out Zombieware samples, preventing their inclusion in more resource-intensive analysis processes. On the back end, MalwareID can quickly identify samples generated by traditional analysis processes, such as sandboxes.

MalwareID API Access

MalwareID mode is accessible through the UnpacMe API for users with public API access. However, for enterprise customers needing rapid bulk processing, we also offer a dedicated MalwareID API.

Samples submitted via the dedicated API are ephemeral and are processed within the duration of a typical HTTP request. MalwareID is so fast that the analysis results are returned in the HTTP response, enabling synchronous communication and allowing the service to be used inline.

New PIVOTs For Hunting Scripts and Imports

Release 8.5.0 also adds new search terms and PIVOTs for imports and extracted scripts.

Import Hash PIVOTs

[Figure: Remcos samples identified via shared imports]

Import hashes are now available for samples that have imports, providing the ability both to search for samples with the same imports and to PIVOT between similar samples.
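To make the "same imports" pivot concrete, the following is an added example (not UnpacMe code, and the release notes do not state which hashing convention UnpacMe's import hash uses). It implements the widely used imphash convention from Mandiant and pefile: for each imported symbol, in import-table order, build "dll.symbol" with the DLL name lower-cased and a .dll/.ocx/.sys extension stripped, render ordinal imports as "ordN", join the entries with commas and take the MD5. The sample import tables and sample identifiers are constructed for illustration and are not real malware or real hashes.

```python
"""Import hash (imphash) computation and pivoting over constructed samples.

Added example for this write-up. It is NOT UnpacMe code, and the exact
convention UnpacMe uses for its import hash is not given in the release
notes; this is the Mandiant/pefile imphash convention.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple, Union

# One import entry: (DLL name as it appears in the PE, function name or ordinal)
ImportEntry = Tuple[str, Union[str, int]]


def _normalize_dll(dll: str) -> str:
    """Lower-case the DLL name and strip the extensions imphash ignores."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports: Iterable[ImportEntry]) -> str:
    """Return the canonical pre-hash string: 'dll.symbol' entries, in
    import-table order, joined by commas. Ordinals become 'ordN'."""
    parts: List[str] = []
    for dll, symbol in imports:
        sym = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{_normalize_dll(dll)}.{sym}")
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """Return the imphash (hex MD5) of an import table given as
    (dll, symbol) pairs in the order they appear in the PE."""
    return hashlib.md5(imphash_string(imports).encode("utf-8")).hexdigest()


def pivot_by_imphash(samples: Dict[str, List[ImportEntry]]) -> Dict[str, List[str]]:
    """Group sample identifiers by import hash. Every key with more than one
    member is a cluster of samples sharing an identical import table, which
    is what an import-hash search or PIVOT surfaces."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for sample_id, imports in samples.items():
        clusters[imphash(imports)].append(sample_id)
    return {h: sorted(ids) for h, ids in clusters.items()}


# Constructed import tables for three hypothetical samples (not real malware).
# sample_a and sample_b import the same symbols in the same order and differ
# only in DLL-name casing, so they hash identically. sample_c imports the
# same symbols in a different order, so it does not share the hash.
SAMPLES: Dict[str, List[ImportEntry]] = {
    "sample_a": [
        ("KERNEL32.dll", "VirtualAlloc"),
        ("KERNEL32.dll", "LoadLibraryA"),
        ("WS2_32.dll", 23),
    ],
    "sample_b": [
        ("kernel32.DLL", "VirtualAlloc"),
        ("kernel32.DLL", "LoadLibraryA"),
        ("Ws2_32.dll", 23),
    ],
    "sample_c": [
        ("KERNEL32.dll", "LoadLibraryA"),
        ("KERNEL32.dll", "VirtualAlloc"),
        ("WS2_32.dll", 23),
    ],
}

if __name__ == "__main__":
    for sample_id, imports in SAMPLES.items():
        print(f"{sample_id}: {imphash_string(imports)} -> {imphash(imports)}")
    for h, ids in pivot_by_imphash(SAMPLES).items():
        print(f"{h}: {', '.join(ids)}")
```

Because the hash covers import order as well as the symbol set, it clusters samples built from the same source with the same toolchain, but a linker that reorders imports or a packer that rebuilds the import table will produce a different value, so an import-hash pivot is a strong "same build" signal rather than a general family signal.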

Extracted Scripts

Script extraction has been updated to allow downloading of the scripts, along with the addition of PIVOTs for script names and hashes. These new PIVOTs enable analysts to search for samples containing the same scripts and, more importantly, facilitate the search for common script names.

Detect It Easy Updates

The Detect It Easy (DiE) ruleset has been updated to version 3.09, along with improvements in file processing. These updates offer enhanced detection of commercial packers, particularly the latest versions of VMProtect. Additionally, the DiE interface has been updated with a dropdown view, allowing for quick access to detection details.

YARA Hunt

This release includes several minor bug fixes and enhancements for YARA Hunt, aimed at improving overall hunt speeds. Additionally, YARA-X has been upgraded to version 0.7.0, ensuring that analysts can continue to test rules and conduct hunts with the latest version.

Happy Hunting!