Read a Malware as HEX File Using Notepad++
HEX, short for "hexadecimal," is a numeral system that represents numbers using a radix (base) of 16. The typical way to read a file in HEX format is to use IDA, but IDA is not available for free. There are many cracked versions of it, but we can't guarantee the safety of those copies.
We need to read something in HEX format when we face something that may be dangerous for our systems, such as malware or a file we don't recognize. Why? Because in this digital age, we can receive files from many sources without knowing whether they are safe. In this post, I want to share how to set up Notepad++ so it can read a file as HEX.
Okay, let's practice. You can follow along if you want or just read the article. One last reminder from me: we are playing with malware, and if your computer gets infected, I can't help. Proceed at your own risk!
In this article, I will use Bitcoin-miner malware as an example. I collected this malware from the fabricmagic72 repository. You can download it here. Remember never to execute it, because we don't yet know how it affects your system. Download and extract it; if the download or extraction fails, your antivirus is probably enabled, and you should disable it first.
After getting the malware sample, open the BIN file using Notepad++, and you will see something like this.
As you can see, we can't get any information from it because the file is displayed as garbled text. FYI, in the first line, 'MZ' stands for 'Mark Zbikowski.' 'MZ' is the signature used by the MS-DOS relocatable 16-bit EXE format, the older predecessor of today's standard executable (.exe) file. The same signature still appears at the start of Portable Executable (PE) files, the format commonly used by Windows malware.
Put simply, if you execute this file, the program runs, which means the virus has successfully penetrated your system. So be careful when facing a file like this.
Adding HEX Plugins
Notepad++ can display files in HEX, but this feature is not enabled by default. To activate it, open the Plugins tab and choose Plugin Admin.
Next, find HEX-Editor in the Available tab (you can use the search field to make it easier), then click Install.
This action needs administrator privileges and will close the application, so click Yes to continue the installation.
After the program restarts, you will see Hex-Editor in the Plugins tab; choose 'View in HEX' or just press Ctrl+Alt+Shift+H on the keyboard.
Tadaaaa! Here is what your Notepad++ looks like now; it is more readable, right? The most important thing about reading a malware file in HEX mode is that the malware can't infect your PC, because the file is only displayed and never executed.
Using this plugin lets you read files with any extension, such as .exe, .bytes, .asm, etc.
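The hex view and the 'MZ' check described earlier can also be reproduced with a short Python script that only reads the file's bytes and never executes them. This is an added example, not part of the original article; the function names and the sample header are constructed for illustration.

```python
import struct

def hex_dump(data: bytes, width: int = 16) -> str:
    """Format bytes as offset / hex / ASCII columns, like a hex editor view."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(lines)

def classify_header(data: bytes) -> str:
    """Return 'PE', 'MZ-only' or 'not-MZ' from a file's leading bytes."""
    if len(data) < 2 or data[:2] != b"MZ":
        return "not-MZ"
    if len(data) < 0x40:
        return "MZ-only"  # too short to hold a full DOS header
    # e_lfanew: 4-byte little-endian offset of the PE header, stored at 0x3C
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
        return "PE"
    return "MZ-only"  # MZ present, but no PE signature within the bytes read

def inspect_file(path: str, limit: int = 4096) -> str:
    """Read (never execute) the first `limit` bytes of a file and classify it."""
    with open(path, "rb") as fh:
        return classify_header(fh.read(limit))

def build_sample() -> bytes:
    """Constructed header: 'MZ', e_lfanew = 0x80, then the PE signature."""
    buf = bytearray(0x88)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample()  # constructed bytes, not a real malware sample
    print(hex_dump(sample[:0x40]))
    print(classify_header(sample))
```

To check a downloaded sample, call `inspect_file()` with its path; the file is opened in binary read mode only.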
Finally, we come to the last section: we have installed a plugin that lets Notepad++ read malware in HEX mode. Since this article's purpose is not to analyze malware, we are done here. I trust that you, the reader, know what you are doing.
Stay safe, and happy analyzing!