Mars Stealer is an improved copy of Oski Stealer. I saw a lot of tweets recently about it, so I decided to write an analysis of the newer version, V8.

Opening Mars Stealer in IDA we can see an anti-analysis trick called opaque predicates. It is a commonly used technique in program obfuscation, intended to add complexity to the control flow. This obfuscation simply takes an absolute jump (JMP) and transforms it into two conditional jumps (JZ/JNZ) to the same destination. Depending on the value of the Zero flag (ZF), execution follows the first or the second branch. However, disassemblers are tricked into thinking that there is a fall-through path if the second jump is not taken (which is impossible, as one of the two must be taken) and try to disassemble the unreachable bytes (often invalid instructions), resulting in garbage code.

The deobfuscation is simple: we just need to patch the first conditional jump into an absolute jump and NOP out the second jump. We can use IDAPython to achieve this (only the first lines of the script survive on the page):

```python
import idc
ea = 0
while True:
    ea = min(ida_search.  # the rest of the script is cut off on the page
```

Now we can see a clear view after reversing and renaming.

First, Mars gets a handle to kernel32.dll by parsing InLoadOrderModuleList, then it passes the handle to a function that loops over the exported functions of the DLL to get the addresses of LocalAlloc() and VirtualProtect().

After that it decrypts some strings used for some checks; the decryption is a simple XOR function.

We can also see that the XOR function is referenced in another function, which I renamed Decrypt_String_2. If the malware passes the checks, which we will see soon, it decrypts those strings, which contain the strings the malware needs to steal sensitive data.

We use an IDAPython script to get those strings and rename the variables to make reversing easier. The page carries this script only as scattered fragments; they are put back in order below, with the parts that are missing marked in comments:

```python
import idc
import string

def sanitize_string(name):
    # Keep only characters that are valid in an IDA name; the filter expression
    # after "".join( is missing on the page, letters and digits are assumed here.
    return "".join(c for c in name if c in string.ascii_letters + string.digits).capitalize()

def X0r(key, data, length):
    res = ""
    for i in range(length):
        res += chr(key ^ data[i])
    return res

start_Addrs = []   # start of each code region to scan (address values missing on the page)
end_Addrs = []     # matching end of each region (missing on the page)
string_list = []
dectypred_data = b''
addrs = []

for i in range(len(start_Addrs)):
    ea = start_Addrs[i]
    end = end_Addrs[i]
    while ea <= end:
        # collect the three values that set up a decryption call; the second half
        # of the condition after "and (idc." is missing on the page
        if idc.print_insn_mnem(ea) == "mov" and (idc.get_operand_type(ea, 0) != idc.o_void):
            addrs.append(idc.get_operand_value(ea, 0))
        if len(addrs) == 3:
            # which collected value is the length, the data address and the key
            # is not recoverable from the page; this order is assumed
            length = addrs[0]
            data = idc.get_bytes(addrs[1], length)
            key = addrs[2]
            dectypred_data = X0r(key, data, length)
            string_list.append(dectypred_data)
            idc.set_cmt(ea, dectypred_data, 1)
            # global_var is the variable that receives the decrypted string;
            # its assignment is missing on the page
            idc.set_name(global_var, "Str" + sanitize_string(dectypred_data), idc.SN_NOWARN)
            addrs = []
        ea = idc.next_head(ea)   # the call after "ea = idc." is cut off on the page
```

Redline Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This article talks about one of the latest

Here is some key information which the malware might try to steal from the victim machine:
Credit card information saved in browsers
Credentials and other information stored on instant messengers

Apart from stealing the information, the malware is capable of downloading other malware, which may be ransomware, executing commands, and periodically sending information about the victim machine to the CnC server.

While debugging through the top-layer packer, we discovered some anti-debugging tricks. The following screenshot shows the GetTickCount() API, which can be used to detect.
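Returning to the opaque-predicate patch from the Mars Stealer section above: the following is an added example, not code from the original post, that applies the same idea (rewrite the first conditional jump into an absolute jump, NOP out the second) to a raw x86 byte buffer outside IDA so the logic can be checked on a constructed sample. It handles only the short (rel8) jz/jnz forms and patches a pair only when both jumps resolve to the same target; the sample bytes are constructed for the demonstration.

```python
# Added example: patch "jz X / jnz X" opaque predicates in a raw x86 byte buffer.
# Only the 2-byte short forms are handled (74 rel8 = jz, 75 rel8 = jnz, EB rel8 = jmp).
JZ_SHORT, JNZ_SHORT, JMP_SHORT, NOP = 0x74, 0x75, 0xEB, 0x90

def short_target(ea, rel):
    """Destination of a 2-byte rel8 jump located at ea (rel is the signed displacement)."""
    return ea + 2 + rel

def find_opaque_predicates(code):
    """Return offsets of jz/jnz pairs whose two short jumps share one destination.

    Scanning raw bytes can match data that happens to look like 74 xx 75 xx;
    inside IDA one would walk instruction heads instead of raw offsets."""
    hits = []
    for off in range(len(code) - 3):
        if code[off] != JZ_SHORT or code[off + 2] != JNZ_SHORT:
            continue
        rel1 = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        rel2 = int.from_bytes(code[off + 3:off + 4], "little", signed=True)
        # a genuine branch pair with two different targets is left alone
        if short_target(off, rel1) == short_target(off + 2, rel2):
            hits.append(off)
    return hits

def patch_opaque_predicates(code):
    """jz rel8 -> jmp rel8 (same length, displacement unchanged);
    jnz rel8 -> nop nop (now unreachable, so no garbage gets decoded after it)."""
    buf = bytearray(code)
    for off in find_opaque_predicates(code):
        buf[off] = JMP_SHORT
        buf[off + 2] = NOP
        buf[off + 3] = NOP
    return bytes(buf)

# Constructed sample (not taken from the malware): one opaque predicate, then a real branch.
SAMPLE = bytes([
    0x74, 0x03,        # 0000: jz  0005
    0x75, 0x01,        # 0002: jnz 0005   <- same target: opaque predicate
    0xE8,              # 0004: junk byte; decoded as 'call' it swallows the real code below
    0x31, 0xC0,        # 0005: xor eax, eax
    0x74, 0x05,        # 0007: jz  000E
    0x75, 0x01,        # 0009: jnz 000C   <- different target: real branch, left untouched
    0xC3,              # 000B: ret
    0x90, 0x90, 0xC3,  # 000C: nop / nop / ret
])

if __name__ == "__main__":
    print(find_opaque_predicates(SAMPLE))             # [0]
    print(patch_opaque_predicates(SAMPLE)[:4].hex())  # eb039090
```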