Malware Analysis [Video] Unpacking Ageostealer built with Electron Framework


struppigel

Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
656
I made a short malware analysis instruction video based on the file posted here: Suspicious "game"

Description:
We investigate a "game" named crazydown.exe. The application was written in JavaScript and built with the Electron Framework, resulting in a huge Portable Executable. Where do we find the malware code in a 150 MB application?



Sample: Triage | Malware sandboxing report by Hatching Triage
Asar Plugin: Asar7z
Electron: Introduction | Electron

00:00 Intro, what is Electron Framework
00:50 Triage on VirusTotal
03:44 Unpacking Nullsoft
04:09 Unpacking .asar archive
06:52 Decrypting the JavaScript stealer
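The .asar step of the walkthrough (04:09), as an added example that is not from the video or the thread: a minimal Python reader for Electron's asar container, which is what holds the packaged JavaScript once the Nullsoft installer is unpacked. It builds a constructed sample archive inline and assumes the documented layout (two Chromium-pickle uint32 headers, a JSON index, then the concatenated file bodies); no real sample is used.

```python
import json
import struct

def _pickle_string(s: bytes) -> bytes:
    """Encode a string as Chromium's Pickle does: uint32 length, data, pad to 4 bytes."""
    pad = (-len(s)) % 4
    payload = struct.pack("<I", len(s)) + s + b"\0" * pad
    return struct.pack("<I", len(payload)) + payload

def build_asar(files: dict) -> bytes:
    """Build a flat asar archive from {name: bytes} (constructed sample, not real malware)."""
    index, blobs, offset = {}, [], 0
    for name, data in files.items():
        index[name] = {"size": len(data), "offset": str(offset)}  # offsets are strings in asar
        blobs.append(data)
        offset += len(data)
    header = _pickle_string(json.dumps({"files": index}).encode())
    size_pickle = struct.pack("<II", 4, len(header))  # payload size (4), then header length
    return size_pickle + header + b"".join(blobs)

def parse_asar(blob: bytes) -> tuple:
    """Return the JSON index and the absolute offset where file bodies begin."""
    _, header_len = struct.unpack_from("<II", blob, 0)   # bytes 4-7: header pickle size
    _, str_len = struct.unpack_from("<II", blob, 8)      # bytes 12-15: JSON string length
    header = json.loads(blob[16:16 + str_len])
    return header, 8 + header_len

def walk(node: dict, prefix: str = ""):
    """Flatten the nested 'files' tree into (path, size, offset) tuples."""
    for name, entry in node.get("files", {}).items():
        path = f"{prefix}/{name}"
        if "files" in entry:                 # directory
            yield from walk(entry, path)
        elif entry.get("unpacked"):          # stored beside the archive in app.asar.unpacked
            yield (path, entry["size"], None)
        else:
            yield (path, entry["size"], int(entry["offset"]))

def list_entries(blob: bytes) -> list:
    """Triage view: every file path, size and data offset in the archive."""
    header, _ = parse_asar(blob)
    return list(walk(header))

def extract(blob: bytes, path: str) -> bytes:
    """Pull one file's bytes out of the archive for inspection (e.g. main.js)."""
    header, base = parse_asar(blob)
    for p, size, off in walk(header):
        if p == path and off is not None:
            return blob[base + off: base + off + size]
    raise KeyError(path)

# Constructed sample archive, the shape an Electron app's resources/app.asar has.
SAMPLE = build_asar({"package.json": b'{"main":"main.js"}',
                     "main.js": b"console.log('hello from main.js')"})
```

The paths `list_entries` prints are where to start reading: `package.json` names the entry script, and `extract` on that script gives the code the video goes on to decrypt.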

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
Very nice and informative video! Although I didn't dive deeply into this thingy, an executable that engages in DNS tunneling, packages personal data (Documents, Photos, etc.) in an archive, and also uses a Get Autofills command (among other nasties) is rarely a good thing.

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
The process of finding the needle in the haystack is completed by malware analysis pilot @struppigel. In the coming days I will create a new thread where we will look at the distribution and why it went under the radar.
@struppigel is actually one of my role models. I aspire to be like you. I love your work. The industry needs more like you to make armies like Tridents and Sandbox Breakers and more. Hail @struppigel

Just getting a thanks from you made me JAM.🥳 @struppigel

likeastar20

Level 8
Verified
Mar 24, 2016
361
@struppigel The malware has been updated. Downloaded from the original itch.io page, which is marked as suspicious, but you can still download things. Now there are no errors when running the sample. It is detected by Kaspersky by behaviour + domain. Avast missed both, not good (CyberCapture intervened twice, both times deemed safe). I was expecting at least the domain to be blocked, shame...
