
SANS ISC: InfoSec Handlers Diary Blog


Remember ACE files?

Published: 2017-10-29
Last Updated: 2017-10-29 17:34:15 UTC
by Didier Stevens (Version: 1)

A reader submitted a malicious attachment:

We can see that this is an ACE file. I remember ACE files: it is an archive format that, back in the day (around 2000), yielded higher compression ratios than RAR.

I found a Python library/tool to decompress ACE files, acefile. Looking at the source code, I noticed it could read from stdin, so I should have been able to pipe the output of oledump into acefile. Unfortunately, this generated an error, and I had to extract the file to disk:

This .bat file is actually an executable:

Sample 3e58ec4fe08d93dd6ec20c7553519d47 (MD5) was compiled with Visual Basic 6.0.
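The two checks this diary relies on, recognizing the ACE archive by its header and noticing that the extracted ".bat" is really a PE executable, can be scripted. The following is an added example written for this page, not code from the diary or from the acefile project. The ACE main-header layout (CRC, size, type byte, flags, then the 7-byte "**ACE**" magic at offset 7) is taken from the ACE format description; the function names, the extension table and the sample blobs are my own constructions, and the VB6 check is only a heuristic based on the fact that VB6 binaries import the MSVBVM60.DLL runtime.

```python
"""
Added example (not from the diary): spot an ACE archive by its header
signature, sniff the real type of an attachment, and flag extension
mismatches such as a .bat that is actually a PE executable.
All sample inputs below are constructed inline for the demonstration.
"""
import os
import struct

# ACE main header, per the ACE format description:
#   +0  uint16 header CRC
#   +2  uint16 header size
#   +4  uint8  header type (0 = main header)
#   +5  uint16 header flags
#   +7  7 bytes magic "**ACE**"
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7
# The main header may be preceded by a self-extractor stub, so the magic
# is searched for within a window rather than only at offset 7.
SEARCH_WINDOW = 512 * 1024

# Which extensions are plausible for each sniffed content type (my table).
PLAUSIBLE_EXTENSIONS = {
    "pe": {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"},
    "ace": {".ace"},
}


def find_ace_header(data: bytes, search: int = SEARCH_WINDOW) -> int:
    """Return the offset of the ACE main header, or -1 if none is found."""
    pos = data.find(ACE_MAGIC, 0, search)
    while pos != -1:
        start = pos - ACE_MAGIC_OFFSET
        # Header type byte must be 0 for the main header.
        if start >= 0 and data[start + 4] == 0:
            return start
        pos = data.find(ACE_MAGIC, pos + 1, search)
    return -1


def sniff(data: bytes) -> str:
    """Classify a blob by content, ignoring its file name: 'pe', 'mz', 'ace' or 'unknown'."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            # e_lfanew at 0x3C points at the "PE\0\0" signature.
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz"  # DOS header only, no PE signature
    if find_ace_header(data) != -1:
        return "ace"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the sniffed content type does not fit the file's extension."""
    kind = sniff(data)
    if kind not in PLAUSIBLE_EXTENSIONS:
        return False  # nothing we can say about unknown content
    ext = os.path.splitext(filename)[1].lower()
    return ext not in PLAUSIBLE_EXTENSIONS[kind]


def looks_like_vb6(data: bytes) -> bool:
    """Heuristic: VB6 executables import the VB6 runtime MSVBVM60.DLL."""
    return b"MSVBVM60.DLL" in data.upper()


def make_ace_sample() -> bytes:
    """Constructed: a minimal ACE main header (type 0) followed by filler."""
    return (b"\x00\x00"                  # header CRC (not validated here)
            + struct.pack("<H", 0x20)    # header size
            + b"\x00"                    # header type: main header
            + b"\x00\x00"                # flags
            + ACE_MAGIC
            + bytes(32))                 # filler standing in for the rest


def make_pe_sample() -> bytes:
    """Constructed: a DOS header pointing at a PE signature, plus a VB6 import string."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> right after the DOS header
    return (bytes(dos) + b"PE\0\0" + b"\x4c\x01"  # PE signature, machine = i386
            + bytes(18) + b"msvbvm60.dll\0")      # import name as it would appear in the binary


if __name__ == "__main__":
    for name, blob in (("attachment.bin", make_ace_sample()),
                       ("script.bat", make_pe_sample()),
                       ("real.bat", b"@echo off\r\n")):
        print(name, sniff(blob), "mismatch" if extension_mismatch(name, blob) else "ok",
              "vb6" if looks_like_vb6(blob) else "")
```

On a real sample, replace the constructed blobs with the bytes read from disk. A ".bat" whose first two bytes are "MZ" is the giveaway this diary describes, and the MSVBVM60.DLL string is only a hint that deserves confirmation with a proper PE parser.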

Didier Stevens
Microsoft MVP Consumer Security

Keywords: ace malware