How Difficult is Analyzing Malware Shielded by Themida and VMProtect – SOC/DFIR Guide
Researchers analyzed six malware families that use the protectors Themida and VMProtect. None of the samples used code virtualization, which greatly simplified the analysis, and only one sample had anti-debugging enabled.
The malware code itself was largely unprotected, except for the initial stages of decompression and decryption. While almost all samples had encrypted or obfuscated strings, only two obfuscated their C2 servers.
RisePro is stealer malware that uses protectors such as Themida and VMProtect. Examining RisePro samples packed with Themida and VMProtect showed that these protectors were used for simple packing and provided weak protection.
The researchers were able to unpack the samples using breakpoints and debuggers. The unpacked code revealed readable code and functionality such as loading encrypted strings and C2 communication.
The analysis also concluded that the string protection functionality belonged to RisePro itself, not to the protectors, and found that similar unpacking techniques worked for other malware families, such as PrivateLoader, Amadey, Arkei, and Lumma.
The PrivateLoader sample, unlike RisePro, uses a simple XOR algorithm to decrypt the C2 server address instead of storing it in plain text in the dump; the address can be recovered by emulating the routine or by stepping through it with a debugger.
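Emulating a simple XOR decryption routine, as the paragraph above describes, rather than stepping through it in a debugger. This is an added example, not code from the article or from PrivateLoader: the key, the URL alphabet and the "dump" bytes are constructed assumptions for the demo, and the real sample's algorithm and constants are not reproduced here.

```python
"""Recover a single-byte-XOR-obfuscated C2 string from a dumped byte blob.

Everything below is CONSTRUCTED for illustration: the key (0x5A), the
URL alphabet and the sample blob are assumptions, not PrivateLoader's.
"""
import re

# Bytes we expect in a C2 URL or host:port string (assumed alphabet).
URL_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                      b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./:_-")
# Loose URL / dotted-hostname shape used to confirm a candidate.
URL_RE = re.compile(rb"(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(:\d+)?(/\S*)?", re.I)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def url_score(candidate: bytes) -> float:
    """Fraction of bytes inside the URL alphabet (1.0 = every byte fits)."""
    if not candidate:
        return 0.0
    return sum(b in URL_CHARS for b in candidate) / len(candidate)


def brute_force_single_byte_xor(blob: bytes, min_score: float = 0.9):
    """Emulate the decryption for all 256 keys instead of running the sample.

    Returns [(key, plaintext, score)] sorted best first; only candidates that
    are mostly URL characters AND look like a URL/hostname are kept."""
    results = []
    for key in range(256):
        pt = xor_bytes(blob, bytes([key]))
        score = url_score(pt)
        if score >= min_score and URL_RE.search(pt):
            results.append((key, pt, score))
    results.sort(key=lambda r: (-r[2], r[0]))
    return results


# Constructed "dump region": a placeholder C2 URL XORed with 0x5A.
# example.invalid is a reserved name and resolves nowhere.
PLAINTEXT_C2 = b"http://c2.example.invalid:8080/gate.php"
DUMP_BLOB = xor_bytes(PLAINTEXT_C2, b"\x5a")


def recover_c2(blob: bytes = DUMP_BLOB):
    """Return (key, decoded C2 string) for the best candidate, or None."""
    results = brute_force_single_byte_xor(blob)
    if not results:
        return None
    key, pt, _ = results[0]
    return key, pt.decode("ascii")


if __name__ == "__main__":
    print(recover_c2())  # (90, 'http://c2.example.invalid:8080/gate.php')
```

Because the URL alphabet filter gives a perfect score only for the true key, ranking by score is enough here; noisier dumps usually need the regex confirmation as well, which is why both checks are applied.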
Arkei samples are packed with VMProtect, a packer that hinders analysis; unpacking the sample reveals readable code responsible for loading functions from external libraries.
The unpacked data contains the C2 server address, which is essential for communication with the attacker and shows that Arkei is designed to talk to a command and control server.
Lumma, a malware sample packed with VMProtect, employs obfuscation techniques of its own. The unpacked code shows control flow flattening, which divides the function into numbered blocks.
A dispatcher loop iterates, selecting which block to execute on each pass, which makes it difficult to follow the code's true logic. In addition, a C2 server address in the dump indicates the malware's communication capabilities.
The Amadey malware sample, packed with Themida, hides its strings in memory until kernel.appcore.dll loads, and it also employs anti-debugging mechanisms. By using a debugger with functionality like TitanHide, we can bypass these checks and reach the kernel.appcore.dll loading stage.
After that, standard memory dump techniques can be used. However, the extracted strings are encrypted and base64-encoded, so additional decryption (using Amadey's custom shuffling algorithm) and base64 decoding are required to recover the original data.
Examining malware samples packed with Themida and VMProtect revealed a pattern: the malware authors rely on common packer configurations that provide minimal obfuscation and consistently lack advanced features such as virtualization, which makes the samples easier to reverse engineer.
According to ANY.RUN, the greatest challenges to malware analysis stem from the obfuscation techniques employed by the malware itself, such as string obfuscation and C2 concealment, rather than from the packing tools.
Who is ANY.RUN?
ANY.RUN supports more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Source credit : cybersecuritynews.com