In this video I want to demonstrate how you can use my tools to extract information from malware. We are going to take the latest malware, the ransomware Petya/NotPetya. This malware had very little string obfuscation, so we can use my tools to extract some interesting strings.

So with re-search we can use regular expressions to search in the sample. It has a dictionary of some regular expressions; for example, we can search for email addresses. Now the sample is not a text file but a binary file, an executable, so we are going to use option F to do a full read, and then we have the sample here. And as you can see here, we can immediately see the email address.

With re-search we can also look for Bitcoin addresses. So there is a regular expression in there to identify Bitcoin addresses, and also associated with that regular expression is a Python function that will check the checksum of the Bitcoin address, so that we only extract valid Bitcoin addresses. Like this, this is the Bitcoin address.

And then with base64dump we can look for all kinds of encoded strings, like base64 but also hexadecimal. Inside this executable, we are going to look for all possible encodings that are supported by base64dump in this sample. And here you can see, okay, that's long sequences of these. That's not very interesting, but there is also an option in base64dump, that's option Z, and it allows you to ignore null bytes. So that is a workaround to handle Unicode strings. So let's do this.

And now we can see here that we have something else, something that indeed could be a base64 string and 306 strings long. And also you see that its representation starts with a zero. So zero, that is 30 hexadecimal. And that is interesting because that could indicate an ASN.1 data structure. So let's take a look. So we are going to look for base64 encodings, at least 200 bytes long. And let's ignore the null bytes in the Unicode strings. Okay, so here we have one.
Let me select this one and do an ASCII dump. And you can see here indeed it starts with a 30 and then 82 1A. So this strongly resembles Abstract Syntax Notation. And here at the end we see 01 00 01. Again, this here is very similar to the modulus of a key, an RSA key. So this is probably an RSA key.

And now we are going to pipe this into OpenSSL to make sure. So I'm going to do a dump now, a binary dump, not an ASCII dump. And I pipe this into OpenSSL. asn1parse, that's the command. And the inform is DER. And indeed we can see that it is an RSA key. A sequence of two integers. This is the modulus here and this is here the long key.
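
The triage steps described above (ignore null bytes, decode long base64 runs, check for a DER SEQUENCE of two INTEGERs) as an added Python example; it is not code from the video or from the tools it demonstrates. The sample blob and its modulus are constructed, and the function names and the 100-character minimum are assumptions.

```python
import base64
import re

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{100,}={0,2}")  # 100 is an assumed minimum

def der_len(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next position)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_two_integers(der):
    """Return (int, int) if der is exactly SEQUENCE { INTEGER, INTEGER }, else None."""
    try:
        length, pos = der_len(der, 1)
        if der[0] != 0x30 or pos + length != len(der):
            return None
        ints = []
        while pos < len(der):
            if der[pos] != 0x02:
                return None
            n, pos = der_len(der, pos + 1)
            ints.append(int.from_bytes(der[pos:pos + n], "big"))
            pos += n
    except IndexError:
        return None
    return tuple(ints) if len(ints) == 2 and pos == len(der) else None

def find_rsa_keys(blob, ignore_nulls=True):
    """Decode long base64 runs in a binary; keep those shaped like an RSA public key."""
    data = blob.replace(b"\x00", b"") if ignore_nulls else blob
    keys = []
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(), validate=True)
        except ValueError:
            continue
        key = parse_two_integers(decoded)
        if key:
            keys.append(key)
    return keys

# Constructed sample: a made-up 1024-bit "modulus" in DER, base64, stored as UTF-16LE.
N = (1 << 1023) | 0xC0FFEE
DER = b"\x30\x81\x89\x02\x81\x81" + N.to_bytes(129, "big") + b"\x02\x03\x01\x00\x01"
SAMPLE = b"MZ\x90\x00\x03" + base64.b64encode(DER).decode().encode("utf-16-le") + b"\xff\xfe"
```

Any SEQUENCE of two INTEGERs passes this shape check, so a hit is a candidate to confirm with a full ASN.1 parser.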