Malware Analysis [Video] Unpacking Ageostealer built with Electron Framework

Status
Not open for further replies.

struppigel (Thread author, Super Moderator)
I made a short malware analysis instruction video based on the file posted here: Suspicious "game"

Description:
We investigate a "game" named crazydown.exe. The application was written in JavaScript and built with the Electron Framework, resulting in a huge Portable Executable. Where do we find the malware code in a 150 MB application?



Sample: Triage | Malware sandboxing report by Hatching Triage
Asar Plugin: Asar7z
Electron: Introduction | Electron

00:00 Intro, what is Electron Framework
00:50 Triage on VirusTotal
03:44 Unpacking Nullsoft
04:09 Unpacking .asar archive
06:52 Decrypting the JavaScript stealer
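The .asar step above is where the app's own JavaScript lives. As an added example (not code from the video, the thread, or the Electron project), here is a minimal parser for the asar header layout: two Chromium-style pickles, then a JSON tree whose "offset" values are relative to the end of the header. It builds a constructed archive in memory in that same layout, so it runs offline without the Asar7z plugin.

```python
import json
import struct

SAMPLE_FILES = {  # constructed stand-in for an Electron app.asar, not the thread's sample
    "package.json": b'{"main": "src/main.js"}',
    "src/main.js": b"require('electron').app.whenReady().then(() => {});\n",
}

def build_asar(files):
    """Build an asar archive in memory from {path: bytes} (test input only)."""
    tree, blobs, offset = {"files": {}}, [], 0
    for path, data in files.items():
        node, (*dirs, name) = tree, path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(offset)}
        blobs.append(data)
        offset += len(data)
    js = json.dumps(tree).encode()
    padded = js + b"\0" * (-len(js) % 4)  # pickle payloads are padded to 4 bytes
    # pickle 2: [payload size][string length][JSON][pad]; pickle 1: [4][size of pickle 2]
    p2 = struct.pack("<II", 4 + len(padded), len(js)) + padded
    return struct.pack("<II", 4, len(p2)) + p2 + b"".join(blobs)

def parse_asar(blob):
    """Return (header tree, absolute offset where packed file data starts)."""
    _, header_size, _, str_len = struct.unpack_from("<IIII", blob, 0)
    return json.loads(blob[16:16 + str_len].decode()), 8 + header_size

def walk(node, prefix=""):
    """Yield (path, size, offset, unpacked) for every file entry in the header."""
    for name, child in node["files"].items():
        if "files" in child:
            yield from walk(child, prefix + name + "/")
        else:  # "unpacked": true entries live in app.asar.unpacked/, not in the blob
            yield prefix + name, child["size"], int(child.get("offset", -1)), child.get("unpacked", False)

def extract(blob, path):
    """Return the bytes of one packed file, located via the header offsets."""
    header, data_start = parse_asar(blob)
    for p, size, off, unpacked in walk(header):
        if p == path:
            if unpacked:
                raise ValueError(f"{path} is stored outside the archive")
            return blob[data_start + off:data_start + off + size]
    raise KeyError(path)

def main_script(blob):
    """Entry point named in package.json: where the app's own code starts."""
    return json.loads(extract(blob, "package.json"))["main"]
```

On a real app.asar, listing `walk()` output sorted by size and reading the file named by `main_script()` is the quickest way to find the non-framework code inside a multi-hundred-megabyte build.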
 
Very nice and informative video! Although I didn't dive deeply into this thingy, an executable that engages in DNS tunneling, packages personal data (Documents, Photos, etc.) in an archive, and also uses a Get Autofills command (among other nasties) is rarely a good thing.
 
The process of finding the needle in the haystack is completed by malware analysis pilot @struppigel. In the coming days I will create a new thread where we will look at the distribution and why it went under the radar.
@struppigel is actually one of my role models. I aspire to be like you. I love your work. The industry needs more like you to make armies like Tridents and Sandbox Breakers and more. Hail @struppigel

Just getting a thanks from you made me JAM.🥳 @struppigel
 
@struppigel The malware has been updated. Downloaded from the original itch.io page, which is marked as suspicious, but you can still download things. Now there are no errors when running the sample. It is detected by Kaspersky by behaviour + domain. Avast missed both, not good (CyberCapture intervened twice, both times deemed safe). I was expecting at least the domain to be blocked, shame...