Introduction

In 2023, threat actors exploited a zero-day vulnerability in WinRAR, tracked as CVE-2023-38831, to distribute weaponized ZIP archives containing various malware strains, including DarkMe, GuLoader, and Remcos RAT. Once extracted and executed, the payloads deployed multi-stage malware designed to evade detection, establish persistence, and communicate with remote command-and-control (C2) servers.

This walkthrough focuses on dissecting one such malicious ZIP archive to analyze its infection chain and uncover its obfuscation techniques. The lab involves investigating the initial execution script, understanding its decryption mechanisms, and tracing the malware’s dropped payloads. By reverse-engineering its multi-stage execution, we can determine how the malware dynamically deciphers and executes its shellcode, bypassing security mechanisms.

Throughout the analysis, we will leverage tools like VSCode, CyberChef, and scdbg to inspect the malware’s behavior, extract critical indicators of compromise (IOCs), and identify its network communication methods. The goal is to understand how the malware conceals its malicious intent, where it drops its secondary payloads, and how it ultimately connects to an external attacker-controlled infrastructure.

By the end of this walkthrough, we will have deconstructed the malware’s execution flow, identified key decryption techniques, and revealed how it attempts to evade detection. This deep-dive analysis will provide valuable insights into modern malware delivery tactics and reinforce best practices for malware analysis and threat hunting.
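Before opening an archive like the one discussed here in WinRAR or any other extractor, an analyst normally inventories it statically: list every entry, hash each one, note which entries are scripts or executables, and pull any embedded network indicators out of text content. The script below is an added example for this walkthrough, not code from the original lab. It builds a constructed sample ZIP in memory (a decoy document, a command script and an MZ stub) with placeholder indicators such as `c2.example.invalid` and `203.0.113.7`; the extension lists and the IOC regular expressions are assumptions chosen for illustration and are not exhaustive.

```python
"""Static triage of a suspicious ZIP archive: inventory entries, hash them,
flag executable or script content, and extract network indicators.
Added example for this walkthrough; not part of the original lab material.
The sample archive is constructed in memory with placeholder indicators."""
import hashlib
import io
import re
import zipfile

# Extensions that usually mark an entry as directly executable or scriptable
# (assumption: a reasonable starting list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk"}
# Nested containers deserve their own triage pass.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}

IOC_PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#@!$&'()*+,;=%]+"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample contents (placeholders, not real indicators).
DECOY_DOC = b"%PDF-1.4\n% decoy document with no real content\n"
SCRIPT_BODY = (b"@echo off\r\n"
               b"set STAGE2=http://c2.example.invalid/stage2.bin\r\n"
               b"set FALLBACK=203.0.113.7\r\n")
FAKE_EXE = b"MZ" + b"\x00" * 62  # DOS header magic only; not a real PE


def build_sample_archive() -> bytes:
    """Construct the toy archive: decoy document next to a script and an MZ stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", DECOY_DOC)
        zf.writestr("report/update.cmd", SCRIPT_BODY)
        zf.writestr("report/helper.exe", FAKE_EXE)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hash an entry so it can be matched against threat-intel feeds later."""
    return hashlib.sha256(data).hexdigest()


def extension_of(name: str) -> str:
    """Lower-cased extension of the final path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    return ("." + base.rsplit(".", 1)[1].lower()) if "." in base else ""


def extract_iocs(data: bytes) -> dict:
    """Return sorted, de-duplicated URL and IPv4 strings found in the bytes."""
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        hits = sorted({m.decode("ascii", "replace") for m in pattern.findall(data)})
        if hits:
            found[kind] = hits
    return found


def triage_archive(archive_bytes: bytes) -> list:
    """Inventory every file entry without executing anything."""
    report = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = extension_of(info.filename)
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": sha256_hex(data),
                "risky": ext in RISKY_EXTENSIONS,
                "nested_archive": ext in ARCHIVE_EXTENSIONS,
                "pe_header": data[:2] == b"MZ",
                "iocs": extract_iocs(data),
            })
    return report


if __name__ == "__main__":
    for entry in triage_archive(build_sample_archive()):
        print(entry)
```

Run it as-is to see the three constructed entries; point `triage_archive` at the bytes of a real sample to get the same inventory. The hashes and the URL/IP strings it reports are the first IOCs to record before moving on to the dynamic decryption steps with CyberChef and scdbg.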
