Decoding Malware Payload encoded in a PNG part 2 - "W.H.O.bat"
· ☕ 7 min read · ✍️ suidroot
This post is a sequel to the post covering the sample “Bank Statement.bat.” I had received this message before the Bank Statement message, but I found the sample in the previous post was less obfuscated and easier to reverse engineer. In this post, I will cover the different ways that this sample hid the decoding routines and how I was able to gather the data to run the same decoding script I used before to extract the payload from the PNG data within this sample.

Decoding Malware Payload encoded in a PNG - "Bank Statement.bat"
· ☕ 7 min read · ✍️ suidroot
When looking through my Spam folder, I have run across a few messages with “.bat” files attached to them. Most messages have had different content in the message to entice a victim to open the attachment. I started to investigate each of the attachments and found they were Windows binaries, and at least two had PNG files in the resources. After doing this initial triage, I wanted to see if the payload of these pieces of malware was encoded in this PNG data and how it was encoded.