kienmanowar.wordpress.com
Open in
urlscan Pro
192.0.78.12
Public Scan
URL:
https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/
Submission: On April 04 via manual from PL — Scanned from PL
Submission: On April 04 via manual from PL — Scanned from PL
Form analysis 4 forms found in the DOM
GET https://kienmanowar.wordpress.com/
<form method="get" action="https://kienmanowar.wordpress.com/">
<input type="text" size="15" class="search-field" name="s" id="s" value="search this site" onfocus="if(this.value == 'search this site') {this.value = '';}" onblur="if (this.value == '') {this.value = 'search this site';}"><input type="submit"
value="" class="search-go">
</form>POST https://kienmanowar.wordpress.com/wp-comments-post.php
<form action="https://kienmanowar.wordpress.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<div id="comment-form__verbum" class="transparent"></div>
<div class="verbum-form-meta"><input type="hidden" name="comment_post_ID" value="6434" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
<input type="hidden" name="highlander_comment_nonce" id="highlander_comment_nonce" value="b73af35837">
<input type="hidden" name="verbum_show_subscription_modal" value="">
</div>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="b1da32acee"></p>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js"
value="1712223358660">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>POST https://subscribe.wordpress.com
<form method="post" action="https://subscribe.wordpress.com" accept-charset="utf-8" style="display: none;">
<div class="actnbr-follow-count">Join 168 other subscribers</div>
<div>
<input type="email" name="email" placeholder="Enter your email address" class="actnbr-email-field" aria-label="Enter your email address">
</div>
<input type="hidden" name="action" value="subscribe">
<input type="hidden" name="blog_id" value="4708129">
<input type="hidden" name="source" value="https://kienmanowar.wordpress.com/2022/12/17/quicknote-vidarstealer-analysis/">
<input type="hidden" name="sub-type" value="actionbar-follow">
<input type="hidden" id="_wpnonce" name="_wpnonce" value="449f163f23">
<div class="actnbr-button-wrap">
<button type="submit" value="Sign me up"> Sign me up </button>
</div>
</form><form id="jp-carousel-comment-form">
<label for="jp-carousel-comment-form-comment-field" class="screen-reader-text">Write a Comment...</label>
<textarea name="comment" class="jp-carousel-comment-form-field jp-carousel-comment-form-textarea" id="jp-carousel-comment-form-comment-field" placeholder="Write a Comment..."></textarea>
<div id="jp-carousel-comment-form-submit-and-info-wrapper">
<div id="jp-carousel-comment-form-commenting-as">
<fieldset>
<label for="jp-carousel-comment-form-email-field">Email (Required)</label>
<input type="text" name="email" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-email-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-author-field">Name (Required)</label>
<input type="text" name="author" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-author-field">
</fieldset>
<fieldset>
<label for="jp-carousel-comment-form-url-field">Website</label>
<input type="text" name="url" class="jp-carousel-comment-form-field jp-carousel-comment-form-text-field" id="jp-carousel-comment-form-url-field">
</fieldset>
</div>
<input type="submit" name="submit" class="jp-carousel-comment-form-button" id="jp-carousel-comment-form-button-submit" value="Post Comment">
</div>
</form>Text Content
* Home
* About
* R4ndom’s Beginning Reverse Engineering Tutorials
* Tutorial #1 : What is Reverse Engineering
* Tutorial #2 : Intro To Olly Debug
* Tutorial #3: Using OllyDBG, Part 1
* Tutorial #4: Using Olly, Part 2
* Tutorial #5: Our First (Sort Of) Crack
* Tutorial #6: Our First (True) Crack
* Tutorial #7: More Crackmes
* Tutorial #8: Frame Of Reference
* Tutorial #9: No Strings Attached
* Tutorial #9: Solution
* Tutorial #10: The Levels Of Patching
* Tutorial #11: Breaking In Our Noob Skills
* Tutorial #12: A Tougher NOOBy Example
* Tutorial #13: Cracking a Real Program
* Tutorial #14: NAGS (And I don’t Mean Your Mother)
* Tutorial #15: Using The Call Stack
* Tutorial #16A: Dealing With Windows Messages
* Tutorial #16B: Self Modifying Code
* Tutorial #16C: Bruteforcing
* Tutorial #17: Working With Delphi Binaries
* Tutorial #18: Time Trials and Memory Breakpoints
* Tutorial #19: Patchers
* Tutorial #20A: Working With Visual Basic Binaries, Pt. 1
* Tutorial #20B: Working With Visual Basic Binaries, Pt 2
* Tutorial #21: Anti-Debugging Techniques
* Slugsnack’s Reversing Series by c0lo
* Slugsnack’s Reversing Series [1]
* Slugsnack’s Reversing Series [2]
* Slugsnack’s Reversing Series [3]
* Slugsnack’s Reversing Series [4]
* Slugsnack’s Reversing Series [5]
* Slugsnack’s Reversing Series [6]
0DAY IN {REA_TEAM}
Stay updated via RSS
--------------------------------------------------------------------------------
* LỊCH
December 2022 M T W T F S S 1234 567891011 12131415161718 19202122232425
262728293031
« Sep Jan »
* TÌM KIẾM
* RECENT POSTS – BÀI MỚI
* [QuickNote] Technical Analysis of recent Pikabot Core Module
* Unveiling Qakbot: Exploring one of the Most Active Threat Actors
* [QuickNote] Examining Formbook Campaign via Phishing Emails
* [Case study] Decrypt strings using Dumpulator
* [QuickNote] Uncovering Suspected Malware Distributed By Individuals
from Vietnam
* [QuickNote] Decrypting the C2 configuration of Warzone RAT
* [QuickNote] Another nice PlugX sample
* Diving into a PlugX sample of Mustang Panda group
* [Z2A]Bimonthly malware challege – Emotet (Back From the Dead)
* [QuickNote] VidarStealer Analysis
* BÌNH LUẬN GẦN NHẤT
kienmanowar on Cách dump PE file từ bộ nhớ bằ…Khổng on Cách dump PE file từ
bộ nhớ bằ…jackno on Diving into a PlugX sample of…ripsolo on REVERSING WITH
IDA FROM SCRATC…Week 02 – 2024… on [QuickNote] Technical Analysis…
* PAGES
* About
* R4ndom’s Beginning Reverse Engineering Tutorials
* Tutorial #1 : What is Reverse Engineering
* Tutorial #10: The Levels Of Patching
* Tutorial #11: Breaking In Our Noob Skills
* Tutorial #12: A Tougher NOOBy Example
* Tutorial #13: Cracking a Real Program
* Tutorial #14: NAGS (And I don’t Mean Your Mother)
* Tutorial #15: Using The Call Stack
* Tutorial #16A: Dealing With Windows Messages
* Tutorial #16B: Self Modifying Code
* Tutorial #16C: Bruteforcing
* Tutorial #17: Working With Delphi Binaries
* Tutorial #18: Time Trials and Memory Breakpoints
* Tutorial #19: Patchers
* Tutorial #2 : Intro To Olly Debug
* Tutorial #20A: Working With Visual Basic Binaries, Pt. 1
* Tutorial #20B: Working With Visual Basic Binaries, Pt 2
* Tutorial #21: Anti-Debugging Techniques
* Tutorial #3: Using OllyDBG, Part 1
* Tutorial #4: Using Olly, Part 2
* Tutorial #5: Our First (Sort Of) Crack
* Tutorial #6: Our First (True) Crack
* Tutorial #7: More Crackmes
* Tutorial #8: Frame Of Reference
* Tutorial #9: No Strings Attached
* Tutorial #9: Solution
* Slugsnack’s Reversing Series by c0lo
* Slugsnack’s Reversing Series [1]
* Slugsnack’s Reversing Series [2]
* Slugsnack’s Reversing Series [3]
* Slugsnack’s Reversing Series [4]
* Slugsnack’s Reversing Series [5]
* Slugsnack’s Reversing Series [6]
* CHUYÊN MỤC
* 2011 in review (1)
* Another malicious document with CVE-2017–11882 (1)
* Bruce Dang… (1)
* Common Macro Malware Techniques (1)
* Flare-on 2016 {Sad_but_True} (1)
* Flare-On7 (3)
* [Flare-On7] Chal7-re_crowd write-up (Eng) (1)
* [Flare-On7] Chal7-re_crowd write-up (Vie) (1)
* [Flare-On7] Chal9-crackinstaller write-up (1)
* Fun with x64dbg theme (1)
* IDA Pro section (69)
* Fentanyl (IDAPython script) (1)
* Free IDA Pro Binary Auditing Training Material for University Lectures
(1)
* Hex-Rays Decompiler Enhanced View (1)
* HexRaysCodeXplorer (1)
* IDA Patcher (1)
* IDA Plugin:labeless (1)
* IDA Pro Book (1)
* IDA Pro Python Editor v2 (1)
* IDA search string plugin (with source) (1)
* IDA Stealth Plugin (1)
* IDA Stingray (1)
* IDA Tutorial… (1)
* IDA Tutorials (50)
* Cách dump PE file từ bộ nhớ bằng IDA (1)
* Cracking basic with IDA Pro (1)
* Dùng thử IDA 5.2 và HexRays (1)
* Hex-Rays Decompiler Video Demo for IDA (1)
* IDA Pro Advanced changes our lif3! (1)
* IDA Pro Advanced_N0w 0r N3v3r (1)
* Keypatch (1)
* Make IDA Sig (1)
* Manual Unpacking with IDA Pro (Simple case) (1)
* Phân tích RCA crackme bằng Olly và IDA+HexRays (1)
* Reversing C++ programs with IDA pro and Hex-rays (1)
* REVERSING WITH IDA FROM SCRATCH (P1) (1)
* REVERSING WITH IDA FROM SCRATCH (P10) (1)
* REVERSING WITH IDA FROM SCRATCH (P11) (1)
* REVERSING WITH IDA FROM SCRATCH (P12) (1)
* REVERSING WITH IDA FROM SCRATCH (P13) (1)
* REVERSING WITH IDA FROM SCRATCH (P14) (1)
* REVERSING WITH IDA FROM SCRATCH (P15) (1)
* REVERSING WITH IDA FROM SCRATCH (P16) (1)
* REVERSING WITH IDA FROM SCRATCH (P17) (1)
* REVERSING WITH IDA FROM SCRATCH (P18) (1)
* REVERSING WITH IDA FROM SCRATCH (P19) (1)
* REVERSING WITH IDA FROM SCRATCH (P2) (1)
* REVERSING WITH IDA FROM SCRATCH (P20) (1)
* REVERSING WITH IDA FROM SCRATCH (P21) (1)
* REVERSING WITH IDA FROM SCRATCH (P22) (1)
* REVERSING WITH IDA FROM SCRATCH (P23) (1)
* REVERSING WITH IDA FROM SCRATCH (P24) (1)
* REVERSING WITH IDA FROM SCRATCH (P25) (1)
* REVERSING WITH IDA FROM SCRATCH (P26) (1)
* REVERSING WITH IDA FROM SCRATCH (P27) (1)
* REVERSING WITH IDA FROM SCRATCH (P28) (1)
* REVERSING WITH IDA FROM SCRATCH (P29) (1)
* REVERSING WITH IDA FROM SCRATCH (P3) (1)
* REVERSING WITH IDA FROM SCRATCH (P30) (1)
* REVERSING WITH IDA FROM SCRATCH (P31) (1)
* REVERSING WITH IDA FROM SCRATCH (P32) (1)
* REVERSING WITH IDA FROM SCRATCH (P33) (1)
* REVERSING WITH IDA FROM SCRATCH (P34) (1)
* REVERSING WITH IDA FROM SCRATCH (P35) (1)
* REVERSING WITH IDA FROM SCRATCH (P36) (1)
* REVERSING WITH IDA FROM SCRATCH (P37) (1)
* REVERSING WITH IDA FROM SCRATCH (P4) (1)
* REVERSING WITH IDA FROM SCRATCH (P5) (1)
* REVERSING WITH IDA FROM SCRATCH (P6) (1)
* REVERSING WITH IDA FROM SCRATCH (P7) (1)
* REVERSING WITH IDA FROM SCRATCH (P8) (1)
* REVERSING WITH IDA FROM SCRATCH (P9) (1)
* Understanding Code (1)
* [Crackme]Find-the-flag-by-ExtremeCoders (1)
* IDA-Pro 6.x Lowercase ARM Instructions (1)
* IDASkins – advanced skinning for IDA Pro (1)
* Malwarebytes crackme writeup (1)
* RetDec — machine-code decompiler (1)
* REtypedef – Reverse typedef substitution for IDA Pro (1)
* [IDA Plugin] Snowman (1)
* [Plug-in]IDA Unicode strings v3.0 (1)
* Linux (11)
* Auto start vmware script (1)
* BackTrack 4 Beta is out (1)
* FluxBox cho BackTrack Beta 4 (2)
* Artwiz font (1)
* Hướng dẫn : Sử dụng chương trình Scuba để rà soát security cho Oracle
Database (1)
* Hướng dẫn cài đặt BackTrack (1)
* Installing Oracle 9i on RHEL5. (1)
* Linux RCE Starting Guide from SilkCut (1)
* Some tutor about using BackTrack (2)
* 1.4 Netcat The Almighty (1)
* 1.5 Using Wireshark (Ethereal) (1)
* Truy vấn thông tin các Patch đã được apply vào OracleDB (1)
* Movie (10)
* Die For Metal – Manowar (1)
* Feeling about Prison Break SE01 (1)
* Fifa 09 Advanced Skills Tutorial (1)
* Fifa 09 Standard Skills Tutorial (1)
* FIFA 09 Tricks Tutorials For PS2 (1)
* Heart Of Steel – Manowar (1)
* Kings Of Metal (1)
* SheepWolf! (1)
* Music (4)
* Cat's in the Cradle !! (Nghe và cảm nhận) (1)
* Cây và Gió – The Sand (1)
* Dế mèn-TheWall (1)
* Forever autumn_Lake of Tears (1)
* MustangPanda – Enemy At The Gate (1)
* My Tutorials (54)
* A Deep Dive into Zloader – the Silent Night (1)
* Command Line Plugin (1)
* Diving into a PlugX sample of Mustang Panda group (1)
* Fix Foxit Reader (1)
* Fix Foxit Reader_Part2 (1)
* How to crack BlackBerry App! (1)
* Just another CVE-2017-0199 sample in the wild world! (1)
* Keygen Tutorials (5)
* Kĩ thuật Internal Keygen (1)
* Kĩ thuật Internal Keygen_Ví dụ 2 (1)
* Phân tích ASM và code Keygen (1)
* Xây dựng Keygen Form trong VC++ (1)
* Đưa ảnh vào Keygen Form (1)
* Malware analysis “KẾ HOẠCH, NHIỆM VỤ TRỌNG TÂM NĂM 2020.doc” (1)
* Manual Unpacking IcedID Write-up (1)
* PE Tutorials (1)
* Phát hiện DDE Attack bằng công cụ Profiler (1)
* Phân tích nhanh một sample… (1)
* Quick analysis CobaltStrike loader and shellcode (1)
* Quick analysis note about DealPly (Adware) (1)
* Quick analysis note about GuLoader (or CloudEyE) (1)
* Sample nhắm vào “Tập đoàn Dầu khí Việt Nam” (1)
* Sử dụng IceSword để Remove Rootkits (1)
* Solution for KeyGenMe_by_ZeroTen_#1 (1)
* Solution for KLiZMA's UnpackMe #1 (1)
* Solution for NrZ0e1's CrackMe #1 (1)
* Solution for Zart's mishka tribute (1)
* SomeCrypto~01 (1)
* SomeCrypto~02 (1)
* Sublime Text (The latest build: 3059) (1)
* Tìm hiểu PE file qua các ví dụ cơ bản (1)
* Uncovering Suspected Malware Distributed By Individuals from Vietnam (1)
* Unprotecting-the-crypter (2)
* Thực hành với NtPacker (1)
* Unveiling Qakbot: Exploring one of the Most Active Threat Actors (1)
* [Case study] Decrypt strings using Dumpulator (1)
* [QuickNote.En] CobaltStrike SMB Beacon Analysis (1)
* [QuickNote] Analysis of malware suspected to be an APT attack targeting
Vietnam (1)
* [QuickNote] Analysis of Pandora ransomware (1)
* [QuickNote] Another nice PlugX sample (1)
* [QuickNote] CobaltStrike SMB Beacon Analysis (1)
* [QuickNote] Decrypting the C2 configuration of Warzone RAT (1)
* [QuickNote] Emotet epoch4 & epoch5 tactics (1)
* [QuickNote] Examining Formbook Campaign via Phishing Emails (1)
* [QuickNote] Technical Analysis of recent Pikabot Core Module (1)
* [QuickNote] Techniques for decrypting BazarLoader strings (1)
* [QuickNote] VidarStealer Analysis (1)
* [Write-up] Chal6 {Flareon4} (1)
* [Write-up] Chal7 {Flareon4} (1)
* [Z2A] Custom sample 1 challenge write-up (1)
* [Z2A]Bimonthly malware challege – Emotet (1)
* Đánh cờ vi diệu … (1)
* {note}-phan-tich-powershell-dược-nen-trong-mal-doc (1)
* OllyDbg Tutorials (48)
* OllyDbg tut_1 (1)
* OllyDbg tut_10 (1)
* OllyDbg tut_11 (1)
* OllyDbg tut_12 (1)
* OllyDbg tut_13 (1)
* OllyDbg tut_14 (1)
* OllyDbg tut_15 (1)
* OllyDbg tut_2 (1)
* OllyDbg tut_3 (1)
* OllyDbg tut_4 (1)
* OllyDbg tut_5 (1)
* OllyDbg tut_6 (1)
* OllyDbg tut_7 (1)
* OllyDbg tut_8 (1)
* OllyDbg tut_9 (1)
* OllyDBg_tut16 (1)
* OllyDbg_tut17 (1)
* OllyDbg_tut18 (1)
* OllyDbg_tut19 (1)
* OllyDbg_tut20 (1)
* OllyDbg_tut21 (1)
* OllyDbg_tut22 (1)
* OllyDbg_tut23 (1)
* OllyDBG_tut24 (1)
* OllyDBG_tut25 (1)
* OllyDbg_tut26 (1)
* OllyDbg_tut27 (1)
* OllyDbg_tut28 (1)
* OllyDbg_tut29 (1)
* OllyDbg_tut30 (1)
* OllyDbg_tut31 (1)
* OllyDbg_tut32 (1)
* Other Tutorials (76)
* A Method for Detecting Obfuscated Calls in Malicious Binaries (1)
* Advanced Windows Debugging – Part 1 (1)
* Advanced Windows Debugging – Part 2 (1)
* An Exercise in RSA Reversal (RSA128 + MD5) (1)
* Anti-Reverse Engineering Guide (1)
* Anti-Unpacker Tricks 2 – Part 8 (1)
* Armadillo – ECDSA Patching (1)
* Armadillo 5.xx – 8.xx (Password Patcher) (1)
* Armadillo 7.00 (CopyMem2 + Import Elimination + Strategic Code Splicing)
(1)
* Automatic Binary Deobfuscation (1)
* Basic of Reversing by c0lo!! (1)
* Basic types of software of protection (1)
* Code Obfuscation and Malware Detection (1)
* CodeBreakers Magazine Collections (1)
* CRACKING BẰNG PHƯƠNG PHÁP DÙNG POINT-H (1)
* Debug tutorial (1)
* Decompilers and Beyond (1)
* Discovering Variables in Executables (1)
* ExeCryptor 2.4.x (Tips and Tricks) (1)
* IDA Pro Demo Video (1)
* Inference and Analysis of Formal Models of Botnet (1)
* Introduction to File Infection Techniques (1)
* Java Reversing (1)
* Kernel Malware – The Attack from Within (1)
* Keygenning GameShield (1)
* Lần đầu với software của android OS (1)
* Malicious Software and its Underground Economy (1)
* Mass Malware Analysis – A Do It Yourself Kit (1)
* Olly Schemes-Căn chỉnh màu cho Olly (1)
* OllyEye plug-in (1)
* Primer on Android OS Reversing (1)
* Private exe Protector unpacking (1)
* Results of Bad Protection Implementation (1)
* Reverse Engineering of the Android File System (1)
* Reverse Engineering Technqiues (1)
* Reverse Engineering with OllySocketTrace (1)
* REVERSING GENERALS – PART III (1)
* REVERSING-GENERALS (Phần I) (1)
* REVERSING-GENERALS (Phần II) (1)
* RLPack 1.21 + WinLicense 2.0x (Unpacking) (1)
* Run TTProtect v1.05 in OllyDbg! (1)
* Silence's Unpacking Tour: The Enigma Protector (vol.1) (1)
* Theories and Methods of Code-Caves (1)
* TLS Callback in VC++ (1)
* Underhood on Armadillo License Removal (1)
* Unofficial Reversing On The S40 Revealed (Part 1) (1)
* Watch Your Hack V6.1 (1)
* Yahoo Archive Decode (1)
* [ARTUT] Manual Unpack and Fix of PECompact 2xx-3xx (1)
* [QuickNote] MountLocker – Some pseudo-code snippets (1)
* Practical Malware Analysis (1)
* RE Tools (65)
* Arma Raider 3.3 (1)
* Armadillo v6.xx Finger-Print-Patcher V0.1 (1)
* BitDiffer 1.3.0.13 – most cattle DLL Library comparison tool! (1)
* CodeWalker: Another AntiRootkit Tool (1)
* Delphi Decompiler 1.1.0.194 (1)
* Exeinfo for Win32 by A.S.L (1)
* FileAlyzer 1.6.0.4 (1)
* Msieve 1.39 + GUI 1.1 (1)
* OllyDbg – EvO_DBG (1)
* OllyDbg 2.0.1.1 (Final) (1)
* OllyDbg 2.01 (1)
* OllyDbg 2.01 alpha 4 (1)
* Ollydbg moded for Execryptor & THEMIDA (1)
* OllyDBG v2 (1)
* Oreans UnVirtualizer 1.3 (1)
* Oreans UnVirtualizer ODBG Plug-in (1)
* Overaly type detector/Extractor/Viewer (PEiD Plugin), Under SEH TM (1)
* P32Dasm (1)
* PatchDiff2 (1)
* PEiD v0.95 Build date: Oct 21, 2008 (1)
* PeStudio 8.01 (1)
* Phantom 1.45 (1)
* PROTECTiON iD v6.1.3 (1)
* ResEdit 1.4.4.16 (1)
* StrongOD v0.18 [2008.09.18] (1)
* Stud_PE 2.6.0.6 (1)
* Trial-Reset 3.4 Final (1)
* Universal Import Fixer (UIF) v1.2 (FINAL) (1)
* VB Decompiler (1)
* WinHex (1)
* x64 SEH & Explorer Suite Update (1)
* [Leaked]Hiew v8.40 (1)
* REA's Tutorials Archive (5)
* Palm Cracking Beginner (1)
* REA_Books (3)
* REA Unpacking Ebook (1)
* REA-cRaCkErTeAm Tutorials (1)
* Reverse Engineering of Object Oriented Code (1)
* Reversing.Kr {Some write-ups) (15)
* Chal1. Easy Crack Challenge (1)
* Chal10. CSHOP Challenge (1)
* Chal11. Direct3D_FPS Challenge (1)
* Chal12. Twist1 Challenge (1)
* Chal13. AutoHotkey1 Challenge (1)
* Chal14. HateIntel Challenge (1)
* Chal15. CSharp (1)
* Chal2. Easy Unpack Challenge (1)
* Chal3. Replace Challenge (1)
* Chal4. Easy Keygen Challenge (1)
* Chal5. Music Player Challenge (1)
* Chal6. ImagePrc Challenge (1)
* Chal7. Position Challenge (1)
* Chal8. Easy ELF Challenge (1)
* Chal9. Ransomware Challenge (1)
* Sysinternals (1)
* System Security and Binary Code Analysis (1)
* Things to REMEMBER… (1)
* Trà đá hacking #02 (1)
* Uncategorized (99)
* Dây rock! (1)
* Watch Your Hack (bản dịch Tiếng Việt) (1)
* [Note] Conditional BreakPoint with OllyDbg v1 & v2 (1)
* [x64dbg plugin] SlothBP (1)
* [x64dbg plugin] xAnalyzer (1)
* Đào tạo tại Sài Gòn (Trà_Đá_Hacking#7) (1)
* PEONIMUSHA BL0G
* An error has occurred; the feed is probably down. Try again later.
* TOP POSTS
* [QuickNote] Decrypting the C2 configuration of Warzone RAT
* [QuickNote] Technical Analysis of recent Pikabot Core Module
* Tutorial #1 : What is Reverse Engineering
* About
* Diving into a PlugX sample of Mustang Panda group
* REVERSING WITH IDA FROM SCRATCH (P15)
* [QuickNote] Examining Formbook Campaign via Phishing Emails
* REVERSING WITH IDA FROM SCRATCH (P9)
* REVERSING WITH IDA FROM SCRATCH (P21)
* REVERSING WITH IDA FROM SCRATCH (P14)
* CÁC BÀI ĐÃ ĐĂNG
* January 2024 (1)
* September 2023 (1)
* July 2023 (1)
* May 2023 (1)
* April 2023 (1)
* March 2023 (1)
* January 2023 (1)
* December 2022 (3)
* September 2022 (1)
* June 2022 (2)
* April 2022 (1)
* March 2022 (1)
* February 2022 (1)
* January 2022 (2)
* December 2021 (1)
* September 2021 (1)
* August 2021 (1)
* July 2021 (1)
* May 2021 (2)
* February 2021 (1)
* December 2020 (1)
* October 2020 (4)
* September 2020 (1)
* August 2020 (1)
* July 2020 (1)
* June 2020 (4)
* April 2020 (1)
* March 2020 (1)
* February 2020 (2)
* December 2019 (3)
* November 2019 (2)
* October 2019 (3)
* September 2019 (1)
* August 2019 (2)
* July 2019 (3)
* June 2019 (2)
* May 2019 (2)
* April 2019 (2)
* March 2019 (7)
* February 2019 (4)
* January 2019 (2)
* December 2018 (1)
* November 2018 (2)
* October 2018 (1)
* September 2018 (1)
* August 2018 (1)
* July 2018 (1)
* June 2018 (1)
* March 2018 (1)
* January 2018 (1)
* December 2017 (3)
* November 2017 (1)
* October 2017 (3)
* July 2017 (1)
* May 2017 (2)
* April 2017 (1)
* February 2017 (2)
* November 2016 (2)
* October 2016 (1)
* September 2016 (1)
* August 2016 (1)
* July 2016 (1)
* May 2016 (3)
* April 2016 (1)
* January 2016 (13)
* December 2015 (1)
* November 2015 (1)
* October 2015 (4)
* September 2015 (3)
* August 2015 (2)
* May 2015 (4)
* April 2015 (2)
* March 2015 (1)
* February 2015 (1)
* December 2014 (7)
* November 2014 (7)
* October 2014 (4)
* August 2014 (1)
* July 2014 (8)
* May 2014 (1)
* April 2014 (2)
* March 2014 (2)
* February 2014 (3)
* January 2014 (5)
* December 2013 (4)
* November 2013 (2)
* October 2013 (2)
* September 2013 (2)
* August 2013 (2)
* July 2013 (6)
* June 2013 (2)
* February 2013 (1)
* November 2012 (1)
* June 2012 (1)
* April 2012 (3)
* March 2012 (6)
* February 2012 (1)
* January 2012 (5)
* December 2011 (3)
* October 2011 (1)
* September 2011 (2)
* August 2011 (2)
* July 2011 (3)
* May 2011 (4)
* January 2011 (1)
* December 2010 (1)
* October 2010 (1)
* September 2010 (3)
* August 2010 (3)
* July 2010 (1)
* June 2010 (4)
* May 2010 (1)
* April 2010 (5)
* March 2010 (4)
* February 2010 (5)
* January 2010 (19)
* December 2009 (8)
* November 2009 (1)
* August 2009 (1)
* July 2009 (1)
* May 2009 (2)
* April 2009 (6)
* March 2009 (17)
* February 2009 (10)
* January 2009 (13)
* December 2008 (11)
* November 2008 (12)
* October 2008 (17)
* September 2008 (51)
* BLOGROLL
*
* Benina Blog
*
*
*
* Levis's Bl0g
* ML(l4w) Blog
*
* Quyle's Bl0g
*
* RE Team
* TrietPTM's Blog
*
*
* Vic's Bl0g
*
* Yêu chim sẻ
* STATISTICS - LƯỢT TRUY CẬP
* 786,033 hits
[QUICKNOTE] VIDARSTEALER ANALYSIS
Posted: December 17, 2022 in My Tutorials, [QuickNote] VidarStealer Analysis
Tags: IDA, Malware Analysis, ReverseEngineering, Stealer, Vidar
1
i
Rate This
SAMPLE:
Loader:
https://bazaar.abuse.ch/sample/816c4a2117b90dc75d91056ca32a36ffd32d561aa433ee3f97126ba490e6d60a/
Unpacked: 7bd942857a29e7f2931da2bd8fa1d118
DECRYPT STRINGS
Here is the the pseudo-code of the function that decodes the strings:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
_BYTE *__usercall vdr_decrypt_strings@<eax>(uint32_t len@<ecx>, char *xor_key,
const char *encStr)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
cnt = 0x208;
v5 = Destination;
do
{
*v5 = 0;
v5 = (v5 + 1);
--cnt;
}
while ( cnt );
wcscat(Destination, L"Nor again is there anyone who loves or pursues or
desires to obtain pain of itself, because it is pain");
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
decStr = LocalAlloc(0x40u, len + 1);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
decStr[len] = 0;
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
wcslen(Destination);
for ( i = 0; i < len; ++i )
{
wcslen(Destination);
wcslen(Destination);
decStr[i] = xor_key[i] ^ encStr[i % strlen(encStr)]; <-- xor loop
wcslen(Destination);
wcslen(Destination);
}
wcslen(Destination);
wcslen(Destination);
memset(Destination, 0, sizeof(Destination));
return decStr;
}
List of all decoded strings:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
[*] Target function found at 0x404158
[+] Decrypted string: HAL9TH at 0x401136
[+] Decrypted string: JohnDoe at 0x40114d
[+] Decrypted string: LoadLibraryA at 0x401164
[+] Decrypted string: lstrcatA at 0x40117b
[+] Decrypted string: GetProcAddress at 0x401192
[+] Decrypted string: Sleep at 0x4011a9
[+] Decrypted string: GetSystemTime at 0x4011c0
[+] Decrypted string: ExitProcess at 0x4011d7
[+] Decrypted string: GetCurrentProcess at 0x4011ee
[+] Decrypted string: VirtualAllocExNuma at 0x401205
[+] Decrypted string: VirtualAlloc at 0x40121c
[+] Decrypted string: VirtualFree at 0x401233
[+] Decrypted string: lstrcmpiW at 0x40124a
[+] Decrypted string: LocalAlloc at 0x401261
[+] Decrypted string: GetComputerNameA at 0x401278
[+] Decrypted string: advapi32.dll at 0x40128f
[+] Decrypted string: GetUserNameA at 0x4012a6
[+] Decrypted string: kernel32.dll at 0x4012bd
[+] Decrypted string: Wallets at 0x4012dc
[+] Decrypted string: Plugins at 0x4012f2
[+] Decrypted string: keystore at 0x40130b
[+] Decrypted string: Ethereum" at 0x401322
[+] Decrypted string: \Ethereum\ at 0x401339
[+] Decrypted string: Electrum at 0x40134f
[+] Decrypted string: \Electrum\wallets\ at 0x401366
[+] Decrypted string: ElectrumLTC at 0x40137f
[+] Decrypted string: \Electrum-LTC\wallets\ at 0x401396
[+] Decrypted string: Exodus at 0x4013ad
[+] Decrypted string: \Exodus\ at 0x4013c3
[+] Decrypted string: exodus.conf.json at 0x4013da
[+] Decrypted string: window-state.json at 0x4013f1
[+] Decrypted string: \Exodus\exodus.wallet\ at 0x401408
[+] Decrypted string: passphrase.json at 0x40141f
[+] Decrypted string: seed.seco at 0x401436
[+] Decrypted string: info.seco at 0x40144d
[+] Decrypted string: ElectronCash at 0x401464
[+] Decrypted string: \ElectronCash\wallets\ at 0x40147b
[+] Decrypted string: default_wallet at 0x401492
[+] Decrypted string: MultiDoge at 0x4014a9
[+] Decrypted string: \MultiDoge\ at 0x4014bf
[+] Decrypted string: multidoge.wallet at 0x4014d6
[+] Decrypted string: Jaxx_Desktop_Old at 0x4014ed
[+] Decrypted string: \jaxx\Local Storage\ at 0x401504
[+] Decrypted string: file__0.localstorage at 0x40151b
[+] Decrypted string: Atomic at 0x401532
[+] Decrypted string: \atomic\Local Storage\leveldb\ at 0x401549
[+] Decrypted string: *.log at 0x401560
[+] Decrypted string: CURRENT at 0x401576
[+] Decrypted string: LOCK at 0x40158d
[+] Decrypted string: LOG at 0x4015a4
[+] Decrypted string: MANIFEST-000001 at 0x4015bb
[+] Decrypted string: 0000* at 0x4015d2
[+] Decrypted string: Binance at 0x4015e8
[+] Decrypted string: \Binance\ at 0x4015ff
[+] Decrypted string: app-store.json at 0x401616
[+] Decrypted string: Coinomi at 0x40162c
[+] Decrypted string: \Coinomi\Coinomi\wallets\ at 0x401643
[+] Decrypted string: *.wallet at 0x401659
[+] Decrypted string: *.config at 0x40166f
[+] Decrypted string: wallet_path at 0x401685
[+] Decrypted string: SOFTWARE\monero-project\monero-core at 0x40169c
[+] Decrypted string: \Monero\ at 0x4016b2
[+] Decrypted string: C:\ProgramData\ at 0x4016c9
[+] Decrypted string: .exe at 0x4016e0
[+] Decrypted string: RECYCLE.BIN at 0x4016f6
[+] Decrypted string: Config.Msi at 0x40170d
[+] Decrypted string: System Volume Information at 0x401724
[+] Decrypted string: msdownld.tmp at 0x40173b
[+] Decrypted string: Recovery at 0x401751
[+] Decrypted string: Local\Temp at 0x401768
[+] Decrypted string: Recycle.Bin at 0x40177e
[+] Decrypted string: MicrosoftEdge\Cookies at 0x401795
[+] Decrypted string: Local\Packages at 0x4017ac
[+] Decrypted string: Local\NuGet at 0x4017c2
[+] Decrypted string: Roaming\WinRAR at 0x4017d9
[+] Decrypted string: Local\Microsoft at 0x4017f0
[+] Decrypted string: fee_estimates at 0x401809
[+] Decrypted string: peers at 0x401820
[+] Decrypted string: mempool at 0x401836
[+] Decrypted string: banlist at 0x40184c
[+] Decrypted string: governance at 0x401863
[+] Decrypted string: mncache at 0x401879
[+] Decrypted string: mnpayments at 0x401890
[+] Decrypted string: netfulfilled at 0x4018a7
[+] Decrypted string: Login Data at 0x4018be
[+] Decrypted string: Cookies at 0x4018d4
[+] Decrypted string: Web Data at 0x4018eb
[+] Decrypted string: logins.json at 0x401901
[+] Decrypted string: formSubmitURL at 0x401917
[+] Decrypted string: usernameField at 0x40192d
[+] Decrypted string: encryptedUsername at 0x401944
[+] Decrypted string: encryptedPassword at 0x40195b
[+] Decrypted string: guid at 0x401972
[+] Decrypted string: SELECT origin_url, username_value, password_value FROM
logins at 0x401989
[+] Decrypted string: SELECT name, value FROM autofill at 0x4019a2
[+] Decrypted string: SELECT name_on_card, expiration_month, expiration_year,
card_number_encrypted FROM credit_cards at 0x4019b9
[+] Decrypted string: SELECT target_path, tab_url from downloads at 0x4019d0
[+] Decrypted string: SELECT url FROM urls at 0x4019e7
[+] Decrypted string: SELECT HOST_KEY, is_httponly, path, is_secure,
(expires_utc/1000000)-11644480800, name, encrypted_value from cookies at
0x4019fe
[+] Decrypted string: \AppData\Roaming\FileZilla\recentservers.xml at
0x401a15
[+] Decrypted string: <Host> at 0x401a2c
[+] Decrypted string: <Port> at 0x401a43
[+] Decrypted string: <User> at 0x401a5a
[+] Decrypted string: <Pass encoding="base64"> at 0x401a71
[+] Decrypted string: Soft: FileZilla
at 0x401a88
[+] Decrypted string: Mozilla Firefox at 0x401a9f
[+] Decrypted string: \Mozilla\Firefox\Profiles\ at 0x401ab6
[+] Decrypted string: Pale Moon at 0x401acd
[+] Decrypted string: \Moonchild Productions\Pale Moon\Profiles\ at 0x401ae4
[+] Decrypted string: Google Chrome at 0x401afa
[+] Decrypted string: \Google\Chrome\User Data\ at 0x401b11
[+] Decrypted string: Chromium at 0x401b28
[+] Decrypted string: \Chromium\User Data\ at 0x401b3f
[+] Decrypted string: Amigo at 0x401b56
[+] Decrypted string: \Amigo\User Data\ at 0x401b6d
[+] Decrypted string: Torch at 0x401b84
[+] Decrypted string: \Torch\User Data\ at 0x401b9b
[+] Decrypted string: Comodo Dragon at 0x401bb1
[+] Decrypted string: \Comodo\Dragon\User Data\ at 0x401bc8
[+] Decrypted string: Epic Privacy Browser at 0x401bdf
[+] Decrypted string: \Epic Privacy Browser\User Data\ at 0x401bf5
[+] Decrypted string: Vivaldi at 0x401c0c
[+] Decrypted string: \Vivaldi\User Data\ at 0x401c23
[+] Decrypted string: CocCoc at 0x401c3a
[+] Decrypted string: \CocCoc\Browser\User Data\ at 0x401c51
[+] Decrypted string: Cent Browser at 0x401c68
[+] Decrypted string: \CentBrowser\User Data\ at 0x401c7f
[+] Decrypted string: TorBro Browser at 0x401c96
[+] Decrypted string: \TorBro\Profile\ at 0x401cad
[+] Decrypted string: Chedot Browser at 0x401cc4
[+] Decrypted string: \Chedot\User Data\ at 0x401cdb
[+] Decrypted string: Brave_Old at 0x401cf2
[+] Decrypted string: \brave\ at 0x401d09
[+] Decrypted string: 7Star at 0x401d20
[+] Decrypted string: \7Star\7Star\User Data\ at 0x401d37
[+] Decrypted string: Microsoft Edge at 0x401d4e
[+] Decrypted string: \Microsoft\Edge\User Data\ at 0x401d65
[+] Decrypted string: 360 Browser at 0x401d7b
[+] Decrypted string: \360Browser\Browser\User Data\ at 0x401d92
[+] Decrypted string: QQBrowser at 0x401da9
[+] Decrypted string: \Tencent\QQBrowser\User Data\ at 0x401dc0
[+] Decrypted string: Opera at 0x401dd7
[+] Decrypted string: \Opera Software\Opera Stable\ at 0x401dee
[+] Decrypted string: OperaGX at 0x401e05
[+] Decrypted string: \Opera Software\Opera GX Stable\ at 0x401e1b
[+] Decrypted string: Local State at 0x401e31
[+] Decrypted string: Cookies at 0x401e48
[+] Decrypted string: TRUE at 0x401e5f
[+] Decrypted string: FALSE at 0x401e76
[+] Decrypted string: gdi32.dll at 0x401e8d
[+] Decrypted string: ole32.dll at 0x401ea4
[+] Decrypted string: user32.dll at 0x401ebb
[+] Decrypted string: psapi.dll at 0x401ed2
[+] Decrypted string: BCRYPT.DLL at 0x401ee9
[+] Decrypted string: BCryptCloseAlgorithmProvider at 0x401f00
[+] Decrypted string: BCryptDestroyKey at 0x401f17
[+] Decrypted string: BCryptOpenAlgorithmProvider at 0x401f2e
[+] Decrypted string: BCryptSetProperty at 0x401f45
[+] Decrypted string: BCryptGenerateSymmetricKey at 0x401f5c
[+] Decrypted string: BCryptDecrypt at 0x401f72
[+] Decrypted string: CRYPT32.DLL at 0x401f88
[+] Decrypted string: CryptUnprotectData at 0x401f9f
[+] Decrypted string: CryptStringToBinaryA at 0x401fb6
[+] Decrypted string: C:\ProgramData\nss3.dll at 0x401fcd
[+] Decrypted string: NSS_Init at 0x401fe4
[+] Decrypted string: NSS_Shutdown at 0x401ffb
[+] Decrypted string: PK11_GetInternalKeySlot at 0x402012
[+] Decrypted string: PK11_FreeSlot at 0x402028
[+] Decrypted string: PK11_Authenticate at 0x40203f
[+] Decrypted string: PK11SDR_Decrypt at 0x402056
[+] Decrypted string: RegOpenKeyExA at 0x40206c
[+] Decrypted string: RegQueryValueExA at 0x402083
[+] Decrypted string: RegCloseKey at 0x402099
[+] Decrypted string: RegOpenKeyExW at 0x4020af
[+] Decrypted string: RegGetValueW at 0x4020c6
[+] Decrypted string: RegEnumKeyExA at 0x4020dc
[+] Decrypted string: RegGetValueA at 0x4020f3
[+] Decrypted string: GetCurrentHwProfileA at 0x40210a
[+] Decrypted string: wininet.dll at 0x402120
[+] Decrypted string: InternetCloseHandle at 0x402137
[+] Decrypted string: InternetReadFile at 0x40214e
[+] Decrypted string: HttpSendRequestA at 0x402165
[+] Decrypted string: HttpOpenRequestA at 0x40217c
[+] Decrypted string: InternetConnectA at 0x402193
[+] Decrypted string: InternetOpenA at 0x4021a9
[+] Decrypted string: HttpAddRequestHeadersA at 0x4021c0
[+] Decrypted string: HttpQueryInfoA at 0x4021d7
[+] Decrypted string: InternetSetFilePointer at 0x4021ee
[+] Decrypted string: InternetOpenUrlA at 0x402205
[+] Decrypted string: InternetSetOptionA at 0x40221c
[+] Decrypted string: DeleteUrlCacheEntry at 0x402233
[+] Decrypted string: CreateCompatibleBitmap at 0x40224a
[+] Decrypted string: SelectObject at 0x402261
[+] Decrypted string: BitBlt at 0x402278
[+] Decrypted string: DeleteObject at 0x40228f
[+] Decrypted string: CreateDCA at 0x4022a6
[+] Decrypted string: GetDeviceCaps at 0x4022bc
[+] Decrypted string: CreateCompatibleDC at 0x4022d3
[+] Decrypted string: CoCreateInstance at 0x4022ea
[+] Decrypted string: CoUninitialize at 0x402301
[+] Decrypted string: GetDesktopWindow at 0x402318
[+] Decrypted string: ReleaseDC at 0x40232f
[+] Decrypted string: GetKeyboardLayoutList at 0x402346
[+] Decrypted string: CharToOemA at 0x40235d
[+] Decrypted string: GetDC at 0x402374
[+] Decrypted string: wsprintfA at 0x40238b
[+] Decrypted string: EnumDisplayDevicesA at 0x4023a2
[+] Decrypted string: GetSystemMetrics at 0x4023b9
[+] Decrypted string: GetModuleFileNameExA at 0x4023d0
[+] Decrypted string: GetModuleBaseNameA at 0x4023e7
[+] Decrypted string: EnumProcessModules at 0x4023fe
[+] Decrypted string: ibnejdfjmmkpcnlpebklmnkoeoihofec at 0x402414
[+] Decrypted string: TronLink at 0x40242b
[+] Decrypted string: nkbihfbeogaeaoehlefnkodbefgpgknn at 0x402441
[+] Decrypted string: MetaMask at 0x402458
[+] Decrypted string: fhbohimaelbohpjbbldcngcnapndodjp at 0x40246e
[+] Decrypted string: BinanceChainWallet at 0x402485
[+] Decrypted string: ffnbelfdoeiohenkjibnmadjiehjhajb at 0x40249b
[+] Decrypted string: Yoroi at 0x4024b2
[+] Decrypted string: jbdaocneiiinmjbjlgalhcelgbejmnid at 0x4024c8
[+] Decrypted string: NiftyWallet at 0x4024de
[+] Decrypted string: afbcbjpbpfadlkmhmclhkeeodmamcflc at 0x4024f4
[+] Decrypted string: MathWallet at 0x40250b
[+] Decrypted string: hnfanknocfeofbddgcijnmhnfnkdnaad at 0x402521
[+] Decrypted string: Coinbase at 0x402538
[+] Decrypted string: hpglfhgfnhbgpjdenjgmdgoeiappafln at 0x40254e
[+] Decrypted string: Guarda at 0x402565
[+] Decrypted string: blnieiiffboillknjnepogjhkgnoapac at 0x40257b
[+] Decrypted string: EQUALWallet at 0x402591
[+] Decrypted string: cjelfplplebdjjenllpjcblmjkfcffne at 0x4025a7
[+] Decrypted string: JaxxLiberty at 0x4025bd
[+] Decrypted string: fihkakfobkmkjojpchpfgcmhfjnmnfpi at 0x4025d3
[+] Decrypted string: BitAppWallet at 0x4025ea
[+] Decrypted string: kncchdigobghenbbaddojjnnaogfppfj at 0x402600
[+] Decrypted string: iWallet at 0x402617
[+] Decrypted string: amkmjjmmflddogmhpjloimipbofnfjih at 0x40262d
[+] Decrypted string: Wombat at 0x402644
[+] Decrypted string: nlbmnnijcnlegkjjpcfjclmcfggfefdm at 0x40265a
[+] Decrypted string: MewCx at 0x402671
[+] Decrypted string: nanjmdknhkinifnkgdcggcfnhdaammmj at 0x402687
[+] Decrypted string: GuildWallet at 0x40269d
[+] Decrypted string: fnjhmkhhmkbjkkabndcnnogagogbneec at 0x4026b3
[+] Decrypted string: RoninWallet at 0x4026c9
[+] Decrypted string: cphhlgmgameodnhkjdmkpanlelnlohao at 0x4026df
[+] Decrypted string: NeoLine at 0x4026f6
[+] Decrypted string: nhnkbkgjikgcigadomkphalanndcapjk at 0x40270c
[+] Decrypted string: CloverWallet at 0x402723
[+] Decrypted string: kpfopkelmapcoipemfendmdcghnegimn at 0x402739
[+] Decrypted string: LiqualityWallet at 0x402750
[+] Decrypted string: aiifbnbfobpmeekipheeijimdpnlpgpp at 0x402766
[+] Decrypted string: Terra_Station at 0x40277c
[+] Decrypted string: dmkamcknogkgcdfhhbddcghachkejeap at 0x402792
[+] Decrypted string: Keplr at 0x4027a9
[+] Decrypted string: fhmfendgdocmcbmfikdcogofphimnkno at 0x4027bf
[+] Decrypted string: Sollet at 0x4027d6
[+] Decrypted string: cnmamaachppnkjgnildpdmkaakejnhae at 0x4027ec
[+] Decrypted string: AuroWallet at 0x402803
[+] Decrypted string: jojhfeoedkpkglbfimdfabpdfjaoolaf at 0x402819
[+] Decrypted string: PolymeshWallet at 0x402830
[+] Decrypted string: flpiciilemghbmfalicajoolhkkenfel at 0x402846
[+] Decrypted string: ICONex at 0x40285d
[+] Decrypted string: fnnegphlobjdpkhecapkijjdkgcjhkib at 0x402873
[+] Decrypted string: Harmony at 0x40288a
[+] Decrypted string: aeachknmefphepccionboohckonoeemg at 0x4028a0
[+] Decrypted string: Coin98 at 0x4028b7
[+] Decrypted string: cgeeodpfagjceefieflmdfphplkenlfk at 0x4028cd
[+] Decrypted string: EVER Wallet at 0x4028e3
[+] Decrypted string: pdadjkfkgcafgbceimcpbkalnfnepbnk at 0x4028f9
[+] Decrypted string: KardiaChain at 0x40290f
[+] Decrypted string: imloifkgjagghnncjkhggdhalmcnfklk at 0x402925
[+] Decrypted string: Trezor Password Manager at 0x40293c
[+] Decrypted string: acmacodkjbdgmoleebolmdjonilkdbch at 0x402952
[+] Decrypted string: Rabby at 0x402969
[+] Decrypted string: bfnaelmomeimhlpmgjnjophhpkkoljpa at 0x40297f
[+] Decrypted string: Phantom at 0x402996
[+] Decrypted string: ejbalbakoplchlghecdalmeeeajnimhm at 0x4029ac
[+] Decrypted string: odbfpeeihdkbihmopkbjmoonfanlbfcl at 0x4029c2
[+] Decrypted string: BraveWallet at 0x4029d8
[+] Decrypted string: fhilaheimglignddkjgofkcbgekhenbh at 0x4029ee
[+] Decrypted string: Oxygen (Atomic) at 0x402a05
[+] Decrypted string: mgffkfbidihjpoaomajlbgchddlicgpn at 0x402a1b
[+] Decrypted string: PaliWallet at 0x402a32
[+] Decrypted string: aodkkagnadcbobfpggfnjeongemjbjca at 0x402a48
[+] Decrypted string: BoltX at 0x402a5f
[+] Decrypted string: hmeobnfnfcmdkdcmlblgagmfpfboieaf at 0x402a75
[+] Decrypted string: XdefiWallet at 0x402a8b
[+] Decrypted string: lpfcbjknijpeeillifnkikgncikgfhdo at 0x402aa1
[+] Decrypted string: NamiWallet at 0x402ab8
[+] Decrypted string: dngmlblcodfobpdpecaadgfbcggfjfnm at 0x402ace
[+] Decrypted string: MaiarDeFiWallet at 0x402ae5
[+] Decrypted string: lpilbniiabackdjcionkobglmddfbcjo at 0x402afb
[+] Decrypted string: WavesKeeper at 0x402b11
[+] Decrypted string: bhhhlbepdkbapadjdnnojkbgioiodbic at 0x402b27
[+] Decrypted string: Solflare at 0x402b3e
[+] Decrypted string: dkdedlpgdmmkkfjabffeganieamfklkm at 0x402b54
[+] Decrypted string: CyanoWallet at 0x402b6a
[+] Decrypted string: hcflpincpppdclinealmandijcmnkbgn at 0x402b80
[+] Decrypted string: KHC at 0x402b97
[+] Decrypted string: mnfifefkajgofkcjkemidiaecocnkjeh at 0x402bad
[+] Decrypted string: TezBox at 0x402bc4
[+] Decrypted string: ookjlbkiijinhpmnjffcofjonbfbgaoc at 0x402bda
[+] Decrypted string: Temple at 0x402bf1
[+] Decrypted string: jnkelfanjkeadonecabehalmbgpfodjm at 0x402c07
[+] Decrypted string: Goby at 0x402c1e
[+] Decrypted string: bhghoamapcdpbohphigoooaddinpkbai at 0x402c34
[+] Decrypted string: Authenticator at 0x402c4a
[+] Decrypted string: gaedmjdfmmahhbjefcbgaolhhanlaolb at 0x402c60
[+] Decrypted string: Authy at 0x402c77
[+] Decrypted string: oeljdldpnmdbchonielidgobddffflal at 0x402c8d
[+] Decrypted string: EOS Authenticator at 0x402ca4
[+] Decrypted string: ilgcnhelpchnceeipipijaljkblbcobl at 0x402cba
[+] Decrypted string: GAuth Authenticator at 0x402cd1
[+] Decrypted string: \com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
at 0x402ce8
[+] Decrypted string: Jaxx_Desktop at 0x402cff
[+] Decrypted string: \Daedalus Mainnet\wallets\ at 0x402d16
[+] Decrypted string: Daedalus Mainnet at 0x402d2d
[+] Decrypted string: she*.sqlite at 0x402d43
[+] Decrypted string: \Blockstream\Green\wallets\ at 0x402d5a
[+] Decrypted string: Blockstream Green at 0x402d71
[+] Decrypted string: \WalletWasabi\Client\Wallets\ at 0x402d88
[+] Decrypted string: Wasabi Wallet at 0x402d9e
[+] Decrypted string: \discord\ at 0x402db5
[+] Decrypted string: Discord at 0x402dcc
[+] Decrypted string: Local Storage at 0x402de2
[+] Decrypted string: leveldb at 0x402df9
[+] Decrypted string: Session Storage at 0x402e10
[+] Decrypted string: \Soft\Discord\discord_tokens.txt at 0x402e26
[+] Decrypted string: dQw4w9WgXcQ: at 0x402e3d
[+] Decrypted string: Discord Token: at 0x402e54
[+] Decrypted string: CreateThread at 0x402e6b
[+] Decrypted string: GlobalMemoryStatusEx at 0x402e82
[+] Decrypted string: IsWow64Process at 0x402e99
[+] Decrypted string: GetUserDefaultLocaleName at 0x402eb0
[+] Decrypted string: GetSystemInfo at 0x402ec6
[+] Decrypted string: WideCharToMultiByte at 0x402edd
[+] Decrypted string: LocalFree at 0x402ef4
[+] Decrypted string: HeapAlloc at 0x402f0b
[+] Decrypted string: GetProcessHeap at 0x402f22
[+] Decrypted string: CreateFileA at 0x402f38
[+] Decrypted string: GetFileSize at 0x402f4e
[+] Decrypted string: ReadFile at 0x402f65
[+] Decrypted string: CloseHandle at 0x402f7b
[+] Decrypted string: GetLogicalDriveStringsA at 0x402f92
[+] Decrypted string: lstrlenA at 0x402fa9
[+] Decrypted string: GetDriveTypeA at 0x402fbf
[+] Decrypted string: lstrcpyA at 0x402fd6
[+] Decrypted string: MultiByteToWideChar at 0x402fed
[+] Decrypted string: FindFirstFileA at 0x403004
[+] Decrypted string: FindNextFileA at 0x40301a
[+] Decrypted string: FindClose at 0x403031
[+] Decrypted string: GetLastError at 0x403048
[+] Decrypted string: lstrcpynA at 0x40305f
[+] Decrypted string: GlobalLock at 0x403076
[+] Decrypted string: GlobalSize at 0x40308d
[+] Decrypted string: FreeLibrary at 0x4030a3
[+] Decrypted string: GetLocaleInfoA at 0x4030ba
[+] Decrypted string: GetCurrentProcessId at 0x4030d1
[+] Decrypted string: OpenProcess at 0x4030e7
[+] Decrypted string: GetFileSizeEx at 0x4030fd
[+] Decrypted string: GetTimeZoneInformation at 0x403114
[+] Decrypted string: TzSpecificLocalTimeToSystemTime at 0x40312b
[+] Decrypted string: CopyFileA at 0x403142
[+] Decrypted string: DeleteFileA at 0x403158
[+] Decrypted string: GetCurrentDirectoryA at 0x40316f
[+] Decrypted string: SetFilePointer at 0x403186
[+] Decrypted string: HeapFree at 0x40319d
[+] Decrypted string: SystemTimeToFileTime at 0x4031b4
[+] Decrypted string: GetLocalTime at 0x4031cb
[+] Decrypted string: SetFileTime at 0x4031e1
[+] Decrypted string: WriteFile at 0x4031f8
[+] Decrypted string: GetFileAttributesA at 0x40320f
[+] Decrypted string: GetFileAttributesW at 0x403226
[+] Decrypted string: LocalFileTimeToFileTime at 0x40323d
[+] Decrypted string: MapViewOfFile at 0x403253
[+] Decrypted string: UnmapViewOfFile at 0x40326a
[+] Decrypted string: FileTimeToSystemTime at 0x403281
[+] Decrypted string: CreateFileMappingA at 0x403298
[+] Decrypted string: GetFileInformationByHandle at 0x4032af
[+] Decrypted string: GetEnvironmentVariableA at 0x4032c6
[+] Decrypted string: SetEnvironmentVariableA at 0x4032dd
[+] Decrypted string: GetTickCount at 0x4032f4
[+] Decrypted string: OpenEventA at 0x40330b
[+] Decrypted string: CreateEventA at 0x403322
[+] Decrypted string: CreateToolhelp32Snapshot at 0x403339
[+] Decrypted string: Process32First at 0x403350
[+] Decrypted string: Process32Next at 0x403366
[+] Decrypted string: GetWindowsDirectoryA at 0x40337d
[+] Decrypted string: GetVolumeInformationA at 0x403394
[+] Decrypted string: shell32.dll at 0x4033aa
[+] Decrypted string: shlwapi.dll at 0x4033c0
[+] Decrypted string: dbghelp.dll at 0x4033d6
[+] Decrypted string: gdiplus.dll at 0x4033ec
[+] Decrypted string: CryptBinaryToStringA at 0x403403
[+] Decrypted string: RegEnumValueA at 0x403419
[+] Decrypted string: GetFileSecurityA at 0x403430
[+] Decrypted string: OpenProcessToken at 0x403447
[+] Decrypted string: DuplicateToken at 0x40345e
[+] Decrypted string: MapGenericMask at 0x403475
[+] Decrypted string: AccessCheck at 0x40348b
[+] Decrypted string: InternetCrackUrlA at 0x4034a2
[+] Decrypted string: CoInitialize at 0x4034b9
[+] Decrypted string: CreateStreamOnHGlobal at 0x4034d0
[+] Decrypted string: GetHGlobalFromStream at 0x4034e7
[+] Decrypted string: GetWindowRect at 0x4034fd
[+] Decrypted string: GetWindowDC at 0x403513
[+] Decrypted string: CloseWindow at 0x403529
[+] Decrypted string: ShellExecuteExA at 0x403540
[+] Decrypted string: SHFileOperationA at 0x403557
[+] Decrypted string: SHGetFolderPathA at 0x40356e
[+] Decrypted string: PathMatchSpecW at 0x403585
[+] Decrypted string: PathMatchSpecA at 0x40359c
[+] Decrypted string: StrCmpCA at 0x4035b3
[+] Decrypted string: StrCmpCW at 0x4035ca
[+] Decrypted string: StrStrA at 0x4035e1
[+] Decrypted string: PathFindFileNameA at 0x4035f8
[+] Decrypted string: SymMatchString at 0x40360f
[+] Decrypted string: GdipGetImageEncodersSize at 0x403626
[+] Decrypted string: GdipGetImageEncoders at 0x40363d
[+] Decrypted string: GdipCreateBitmapFromHBITMAP at 0x403654
[+] Decrypted string: GdiplusStartup at 0x40366b
[+] Decrypted string: GdiplusShutdown at 0x403682
[+] Decrypted string: GdipSaveImageToStream at 0x403699
[+] Decrypted string: GdipDisposeImage at 0x4036b0
[+] Decrypted string: GdipFree at 0x4036c7
[+] Decrypted string: sqlite3_open at 0x4036de
[+] Decrypted string: sqlite3_prepare_v2 at 0x4036f5
[+] Decrypted string: sqlite3_step at 0x40370c
[+] Decrypted string: sqlite3_column_text at 0x403723
[+] Decrypted string: sqlite3_finalize at 0x40373a
[+] Decrypted string: sqlite3_close at 0x403750
[+] Decrypted string: sqlite3_column_bytes at 0x403767
[+] Decrypted string: sqlite3_column_blob at 0x40377e
[+] Decrypted string: \Opera Software\ at 0x403795
[+] Decrypted string: \Opera Stable\ at 0x4037ac
[+] Decrypted string: \Opera GX Stable\ at 0x4037c3
[+] Decrypted string: \CryptoTab Browser\User Data\ at 0x4037da
[+] Decrypted string: CryptoTab Browser at 0x4037f1
[+] Decrypted string: \BraveSoftware\Brave-Browser\User Data\ at 0x403808
[+] Decrypted string: Brave at 0x40381f
[+] Decrypted string: \Thunderbird\Profiles\ at 0x403836
[+] Decrypted string: Thunderbird at 0x40384c
[+] Decrypted string: \Telegram Desktop\ at 0x403863
[+] Decrypted string: key_datas at 0x40387a
[+] Decrypted string: map* at 0x403891
[+] Decrypted string: D877F783D5D3EF8C* at 0x4038a8
[+] Decrypted string: A7FDF864FBC10B77* at 0x4038bf
[+] Decrypted string: A92DAA6EA6F891F2* at 0x4038d6
[+] Decrypted string: F8806DD0C461824F* at 0x4038ed
[+] Decrypted string: \Soft\Telegram\ at 0x403904
[+] Decrypted string: \passwords.txt at 0x40391b
[+] Decrypted string: "os_crypt":{"encrypted_key":" at 0x403932
[+] Decrypted string: Soft: at 0x403949
[+] Decrypted string: Host: at 0x403960
[+] Decrypted string: Login: at 0x403977
[+] Decrypted string: Password: at 0x40398e
[+] Decrypted string: Network at 0x4039a5
[+] Decrypted string: SELECT host, isHttpOnly, path, isSecure, expiry, name,
value FROM moz_cookies at 0x4039bc
[+] Decrypted string: SELECT url FROM moz_places at 0x4039d3
[+] Decrypted string: SELECT fieldname, value FROM moz_formhistory at
0x4039ea
[+] Decrypted string: History at 0x403a01
[+] Decrypted string: cookies.sqlite at 0x403a18
[+] Decrypted string: formhistory.sqlite at 0x403a2f
[+] Decrypted string: places.sqlite at 0x403a45
[+] Decrypted string: *.localstorage at 0x403a5c
[+] Decrypted string: \Authy Desktop\Local Storage\ at 0x403a73
[+] Decrypted string: \Soft\Authy Desktop Old\ at 0x403a8a
[+] Decrypted string: \Authy Desktop\Local Storage\leveldb\ at 0x403aa1
[+] Decrypted string: \Soft\Authy Desktop\ at 0x403ab8
[+] Decrypted string: Soft: WinSCP at 0x403acf
[+] Decrypted string: HostName at 0x403ae6
[+] Decrypted string: PortNumber at 0x403afd
[+] Decrypted string: UserName at 0x403b14
[+] Decrypted string: Password at 0x403b2b
[+] Decrypted string: Security at 0x403b42
[+] Decrypted string: UseMasterPassword at 0x403b59
[+] Decrypted string: Local Extension Settings at 0x403b70
[+] Decrypted string: Sync Extension Settings at 0x403b87
[+] Decrypted string: IndexedDB at 0x403b9e
[+] Decrypted string: kjmoohlgokccodicjjfebfomlbljgfhk at 0x403bb4
[+] Decrypted string: RoninWalletEdge at 0x403bcb
[+] Decrypted string: sqlite3.dll at 0x403be1
[+] Decrypted string: Version: at 0x403bf8
[+] Decrypted string: Date: at 0x403c11
[+] Decrypted string: MachineID: at 0x403c27
[+] Decrypted string: GUID: at 0x403c3d
[+] Decrypted string: HWID: at 0x403c53
[+] Decrypted string: Path: at 0x403c69
[+] Decrypted string: Work Dir: In memory at 0x403c80
[+] Decrypted string: Windows: at 0x403c97
[+] Decrypted string: Computer Name: at 0x403cae
[+] Decrypted string: User Name: at 0x403cc4
[+] Decrypted string: Display Resolution: at 0x403cdb
[+] Decrypted string: Display Language: at 0x403cf2
[+] Decrypted string: Keyboard Languages: at 0x403d09
[+] Decrypted string: Local Time: at 0x403d20
[+] Decrypted string: TimeZone: at 0x403d39
[+] Decrypted string: [Hardware] at 0x403d4f
[+] Decrypted string: Processor: at 0x403d65
[+] Decrypted string: CPU Count: at 0x403d7b
[+] Decrypted string: RAM: at 0x403d92
[+] Decrypted string: VideoCard: at 0x403da8
[+] Decrypted string: [Processes] at 0x403dbe
[+] Decrypted string: [Software] at 0x403dd4
[+] Decrypted string: \information.txt at 0x403deb
[+] Decrypted string: %APPDATA% at 0x403e02
[+] Decrypted string: %LOCALAPPDATA% at 0x403e19
[+] Decrypted string: %USERPROFILE% at 0x403e2f
[+] Decrypted string: %DESKTOP% at 0x403e46
[+] Decrypted string: %DOCUMENTS% at 0x403e5c
[+] Decrypted string: %PROGRAMFILES% at 0x403e73
[+] Decrypted string: %PROGRAMFILES_86% at 0x403e8a
[+] Decrypted string: %RECENT% at 0x403ea1
[+] Decrypted string: %DRIVE_FIXED% at 0x403eb7
[+] Decrypted string: %DRIVE_REMOVABLE% at 0x403ece
[+] Decrypted string: *%RECENT%* at 0x403ee4
[+] Decrypted string: *%DRIVE_FIXED%* at 0x403efb
[+] Decrypted string: *%DRIVE_REMOVABLE%* at 0x403f12
[+] Decrypted string: C:\Windows\ at 0x403f28
[+] Decrypted string: C:\\Windows\ at 0x403f3f
[+] Decrypted string: C:\\\Windows\ at 0x403f55
[+] Decrypted string: Software\Valve\Steam at 0x403f6c
[+] Decrypted string: SteamPath at 0x403f83
[+] Decrypted string: ssfn* at 0x403f9a
[+] Decrypted string: config.vdf at 0x403fb0
[+] Decrypted string: DialogConfig.vdf at 0x403fc7
[+] Decrypted string: DialogConfigOverlay*.vdf at 0x403fde
[+] Decrypted string: libraryfolders.vdf at 0x403ff5
[+] Decrypted string: loginusers.vdf at 0x40400c
[+] Decrypted string: Binance Desktop at 0x404023
[+] Decrypted string: simple-storage.json at 0x40403a
[+] Decrypted string: .finger-print.fp at 0x404051
[+] Decrypted string: Bitcoin Core at 0x404068
[+] Decrypted string: \Bitcoin\wallets\ at 0x40407f
[+] Decrypted string: Bitcoin Core Old at 0x404096
[+] Decrypted string: \Bitcoin\ at 0x4040ad
[+] Decrypted string: wallet.dat at 0x4040c3
[+] Decrypted string: *wallet*.dat at 0x4040da
[+] Decrypted string: Dogecoin at 0x4040f1
[+] Decrypted string: \Dogecoin\ at 0x404107
[+] Decrypted string: Raven Core at 0x40411d
[+] Decrypted string: \Raven\ at 0x404134
[+] Decrypted string: Ledger Live at 0x40414a
The global variables are renamed corresponding to the decoded strings as
follows:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
// #STR: "MNLNPK", "YPFTTRV", "G6MUFPYIQNJQ", "BNQBVR82", ".=%053Ls",
"DPKUO540BD4R2J", "RMPZX", "U6869B6N6IOTC", "VZS0W2FKU7H", "MS2Y26EV53O6FTKSR"
const CHAR *__stdcall vdr_decrypt_strings_wrap()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
str_HAL9TH = vdr_decrypt_strings(6u, &xor_key, "MNLNPK");
str_JohnDoe = vdr_decrypt_strings(7u, byte_43802C, "YPFTTRV");
str_LoadLibraryA = vdr_decrypt_strings(0xCu, str_Y1903, "G6MUFPYIQNJQ");
str_lstrcatA = vdr_decrypt_strings(8u, ".=%053Ls", "BNQBVR82");
str_GetProcAddress = vdr_decrypt_strings(0xEu, byte_43807C, "DPKUO540BD4R2J");
str_Sleep = vdr_decrypt_strings(5u, byte_438094, "RMPZX");
str_GetSystemTime = vdr_decrypt_strings(0xDu, byte_4380AC, "U6869B6N6IOTC");
str_ExitProcess = vdr_decrypt_strings(0xBu, byte_4380C8, "VZS0W2FKU7H");
str_GetCurrentProcess = vdr_decrypt_strings(0x11u, str_6F,
"MS2Y26EV53O6FTKSR");
str_VirtualAllocExNuma = vdr_decrypt_strings(0x12u, byte_438110,
"R8SXT26D010WUN981T");
str_VirtualAlloc = vdr_decrypt_strings(0xCu, str_4, "QJIVAD2YIH2N");
str_VirtualFree = vdr_decrypt_strings(0xBu, byte_438150, "HLKX3WPT306");
str_lstrcmpiW = vdr_decrypt_strings(9u, ":11<[!!9o", "VBEN8LQP8");
str_LocalAlloc = vdr_decrypt_strings(0xAu, byte_438180, "N93IJ58O45");
str_GetComputerNameA = vdr_decrypt_strings(0x10u, byte_4381A0,
"UYKNTPM7TMTH00NX");
str_advapi32_dll = vdr_decrypt_strings(0xCu, str_5QFUX, "T504N1249IRB");
str_GetUserNameA = vdr_decrypt_strings(0xCu, str_R, "N7XAZ7FHKXV8");
result = vdr_decrypt_strings(0xCu, "=+D-**zq\x1B3 (", "VN6COFIC5WLD");//
kernel32.dll
str_kernel32_dll = result;
return result;
}
RENAME GLOBAL VARS RELATED TO API FUNCTIONS
Next, vidar will use the GetProcAddress function to get the addresses of all the
APIs it uses during execution. We can write an IDAPython script to parse the
list of decrypted API functions and perform renaming of global variables.
Here are the results:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
[*] Trying to rename global var to API function name:
[+] Set API name: NSS_Init at 0x414ae3
[+] Set API name: NSS_Shutdown at 0x414afa
[+] Set API name: PK11_GetInternalKeySlot at 0x414b11
[+] Set API name: PK11_FreeSlot at 0x414b28
[+] Set API name: PK11_Authenticate at 0x414b3f
[+] Set API name: PK11SDR_Decrypt at 0x414b56
[+] Set API name: PK11SDR_Decrypt at 0x41a9b3
[+] Set API name: PK11SDR_Decrypt at 0x41a9b3
[+] Set API name: Sleep at 0x41a9d1
[+] Set API name: GetSystemTime at 0x41a9e8
[+] Set API name: ExitProcess at 0x41a9ff
[+] Set API name: GetCurrentProcess at 0x41aa16
[+] Set API name: VirtualAllocExNuma at 0x41aa2d
[+] Set API name: VirtualAlloc at 0x41aa44
[+] Set API name: VirtualFree at 0x41aa5b
[+] Set API name: lstrcmpiW at 0x41aa72
[+] Set API name: LocalAlloc at 0x41aa89
[+] Set API name: GetComputerNameA at 0x41aaa0
[+] Set API name: GetComputerNameA at 0x41aaa0
[+] Set API name: GetUserNameA at 0x41aac8
[+] Set API name: CreateThread at 0x41aaeb
[+] Set API name: GlobalMemoryStatusEx at 0x41ab02
[+] Set API name: IsWow64Process at 0x41ab19
[+] Set API name: GetUserDefaultLocaleName at 0x41ab30
[+] Set API name: GetSystemInfo at 0x41ab47
[+] Set API name: WideCharToMultiByte at 0x41ab5e
[+] Set API name: LocalFree at 0x41ab75
[+] Set API name: HeapAlloc at 0x41ab8c
[+] Set API name: GetProcessHeap at 0x41aba3
[+] Set API name: CreateFileA at 0x41abba
[+] Set API name: GetFileSize at 0x41abd1
[+] Set API name: ReadFile at 0x41abe8
[+] Set API name: CloseHandle at 0x41abff
[+] Set API name: GetLogicalDriveStringsA at 0x41ac16
[+] Set API name: lstrlenA at 0x41ac2d
[+] Set API name: GetDriveTypeA at 0x41ac44
[+] Set API name: lstrcpyA at 0x41ac5b
[+] Set API name: MultiByteToWideChar at 0x41ac72
[+] Set API name: FindFirstFileA at 0x41ac89
[+] Set API name: FindNextFileA at 0x41aca0
[+] Set API name: FindClose at 0x41acb7
[+] Set API name: GetLastError at 0x41acce
[+] Set API name: lstrcpynA at 0x41ace5
[+] Set API name: GlobalLock at 0x41acfc
[+] Set API name: GlobalSize at 0x41ad13
[+] Set API name: FreeLibrary at 0x41ad2a
[+] Set API name: GetLocaleInfoA at 0x41ad41
[+] Set API name: GetCurrentProcessId at 0x41ad58
[+] Set API name: OpenProcess at 0x41ad6f
[+] Set API name: GetFileSizeEx at 0x41ad86
[+] Set API name: GetTimeZoneInformation at 0x41ad9d
[+] Set API name: TzSpecificLocalTimeToSystemTime at 0x41adb4
[+] Set API name: CopyFileA at 0x41adcb
[+] Set API name: DeleteFileA at 0x41ade2
[+] Set API name: GetCurrentDirectoryA at 0x41adf9
[+] Set API name: SetFilePointer at 0x41ae10
[+] Set API name: HeapFree at 0x41ae27
[+] Set API name: SystemTimeToFileTime at 0x41ae3e
[+] Set API name: GetLocalTime at 0x41ae55
[+] Set API name: SetFileTime at 0x41ae6c
[+] Set API name: WriteFile at 0x41ae83
[+] Set API name: GetFileAttributesA at 0x41ae9a
[+] Set API name: GetFileAttributesW at 0x41aeb1
[+] Set API name: LocalFileTimeToFileTime at 0x41aec8
[+] Set API name: MapViewOfFile at 0x41aedf
[+] Set API name: UnmapViewOfFile at 0x41aef6
[+] Set API name: FileTimeToSystemTime at 0x41af0d
[+] Set API name: CreateFileMappingA at 0x41af24
[+] Set API name: GetFileInformationByHandle at 0x41af3b
[+] Set API name: GetEnvironmentVariableA at 0x41af52
[+] Set API name: SetEnvironmentVariableA at 0x41af69
[+] Set API name: GetTickCount at 0x41af80
[+] Set API name: OpenEventA at 0x41af97
[+] Set API name: CreateEventA at 0x41afae
[+] Set API name: CreateToolhelp32Snapshot at 0x41afc5
[+] Set API name: Process32First at 0x41afdc
[+] Set API name: Process32Next at 0x41aff3
[+] Set API name: GetWindowsDirectoryA at 0x41b00a
[+] Set API name: GetVolumeInformationA at 0x41b021
[+] Set API name: BCryptCloseAlgorithmProvider at 0x41b0fb
[+] Set API name: BCryptDestroyKey at 0x41b112
[+] Set API name: BCryptOpenAlgorithmProvider at 0x41b129
[+] Set API name: BCryptSetProperty at 0x41b140
[+] Set API name: BCryptGenerateSymmetricKey at 0x41b157
[+] Set API name: BCryptDecrypt at 0x41b16e
[+] Set API name: CryptUnprotectData at 0x41b189
[+] Set API name: CryptBinaryToStringA at 0x41b1a0
[+] Set API name: CryptStringToBinaryA at 0x41b1b7
[+] Set API name: RegOpenKeyExA at 0x41b1d6
[+] Set API name: RegQueryValueExA at 0x41b1ed
[+] Set API name: RegCloseKey at 0x41b204
[+] Set API name: RegOpenKeyExW at 0x41b21b
[+] Set API name: RegGetValueW at 0x41b232
[+] Set API name: RegEnumKeyExA at 0x41b249
[+] Set API name: RegGetValueA at 0x41b260
[+] Set API name: GetUserNameA at 0x41b277
[+] Set API name: GetCurrentHwProfileA at 0x41b28e
[+] Set API name: RegEnumValueA at 0x41b2a5
[+] Set API name: GetFileSecurityA at 0x41b2bc
[+] Set API name: OpenProcessToken at 0x41b2d3
[+] Set API name: DuplicateToken at 0x41b2ea
[+] Set API name: MapGenericMask at 0x41b301
[+] Set API name: AccessCheck at 0x41b318
[+] Set API name: InternetCloseHandle at 0x41b337
[+] Set API name: InternetReadFile at 0x41b34e
[+] Set API name: HttpSendRequestA at 0x41b365
[+] Set API name: HttpOpenRequestA at 0x41b37c
[+] Set API name: InternetConnectA at 0x41b393
[+] Set API name: InternetOpenA at 0x41b3aa
[+] Set API name: HttpAddRequestHeadersA at 0x41b3c1
[+] Set API name: HttpQueryInfoA at 0x41b3d8
[+] Set API name: InternetSetFilePointer at 0x41b3ef
[+] Set API name: InternetOpenUrlA at 0x41b406
[+] Set API name: InternetSetOptionA at 0x41b41d
[+] Set API name: DeleteUrlCacheEntry at 0x41b434
[+] Set API name: InternetCrackUrlA at 0x41b44b
[+] Set API name: CreateCompatibleBitmap at 0x41b46a
[+] Set API name: SelectObject at 0x41b481
[+] Set API name: BitBlt at 0x41b498
[+] Set API name: DeleteObject at 0x41b4af
[+] Set API name: CreateDCA at 0x41b4c6
[+] Set API name: GetDeviceCaps at 0x41b4dd
[+] Set API name: CreateCompatibleDC at 0x41b4f4
[+] Set API name: CoCreateInstance at 0x41b50f
[+] Set API name: CoUninitialize at 0x41b526
[+] Set API name: CoInitialize at 0x41b53d
[+] Set API name: CreateStreamOnHGlobal at 0x41b554
[+] Set API name: GetHGlobalFromStream at 0x41b56b
[+] Set API name: GetDesktopWindow at 0x41b58a
[+] Set API name: ReleaseDC at 0x41b5a1
[+] Set API name: GetKeyboardLayoutList at 0x41b5b8
[+] Set API name: CharToOemA at 0x41b5cf
[+] Set API name: GetDC at 0x41b5e6
[+] Set API name: wsprintfA at 0x41b5fd
[+] Set API name: EnumDisplayDevicesA at 0x41b614
[+] Set API name: GetSystemMetrics at 0x41b62b
[+] Set API name: GetWindowRect at 0x41b642
[+] Set API name: GetWindowDC at 0x41b659
[+] Set API name: CloseWindow at 0x41b670
[+] Set API name: GetModuleFileNameExA at 0x41b68b
[+] Set API name: GetModuleBaseNameA at 0x41b6a2
[+] Set API name: EnumProcessModules at 0x41b6b9
[+] Set API name: ShellExecuteExA at 0x41b6d4
[+] Set API name: SHFileOperationA at 0x41b6eb
[+] Set API name: SHGetFolderPathA at 0x41b702
[+] Set API name: PathMatchSpecW at 0x41b721
[+] Set API name: PathMatchSpecA at 0x41b738
[+] Set API name: StrCmpCA at 0x41b74f
[+] Set API name: StrCmpCW at 0x41b766
[+] Set API name: StrStrA at 0x41b77d
[+] Set API name: PathFindFileNameA at 0x41b794
[+] Set API name: SymMatchString at 0x41b7af
[+] Set API name: GdipGetImageEncodersSize at 0x41b7ce
[+] Set API name: GdipGetImageEncoders at 0x41b7e5
[+] Set API name: GdipCreateBitmapFromHBITMAP at 0x41b7fc
[+] Set API name: GdiplusStartup at 0x41b813
[+] Set API name: GdiplusShutdown at 0x41b82a
[+] Set API name: GdipSaveImageToStream at 0x41b841
[+] Set API name: GdipDisposeImage at 0x41b858
[+] Set API name: GdipFree at 0x41b86f
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
FARPROC __stdcall vdr_retrieve_addr_of_kernel32_advapi32_API_funcs()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
kernel32_dll_hdl = LoadLibraryA(str_kernel32_dll);
g_kernel32_dll_hdl = kernel32_dll_hdl;
if ( kernel32_dll_hdl )
{
LoadLibraryA_1 = GetProcAddress(kernel32_dll_hdl, str_LoadLibraryA);
GetProcAddress_0 = GetProcAddress(g_kernel32_dll_hdl, str_GetProcAddress);
lstrcatA = GetProcAddress_0(g_kernel32_dll_hdl, str_lstrcatA);
Sleep_1 = GetProcAddress_0(g_kernel32_dll_hdl, str_Sleep);
GetSystemTime = GetProcAddress_0(g_kernel32_dll_hdl, str_GetSystemTime);
ExitProcess_1 = GetProcAddress_0(g_kernel32_dll_hdl, str_ExitProcess);
GetCurrentProcess_1 = GetProcAddress_0(g_kernel32_dll_hdl,
str_GetCurrentProcess);
VirtualAllocExNuma = GetProcAddress_0(g_kernel32_dll_hdl,
str_VirtualAllocExNuma);
VirtualAlloc = GetProcAddress_0(g_kernel32_dll_hdl, str_VirtualAlloc);
VirtualFree = GetProcAddress_0(g_kernel32_dll_hdl, str_VirtualFree);
*lstrcmpiW = GetProcAddress_0(g_kernel32_dll_hdl, str_lstrcmpiW);
LocalAlloc_1 = GetProcAddress_0(g_kernel32_dll_hdl, str_LocalAlloc);
GetComputerNameA = GetProcAddress_0(g_kernel32_dll_hdl,
str_GetComputerNameA);
}
result = LoadLibraryA_1(str_advapi32_dll);
g_advapi32_dll_hdl = result;
if ( !result )
{
return result;
}
result = GetProcAddress_0(result, str_GetUserNameA);
GetUserNameA_1 = result;
return result;
}
Some of other VidarStealer codes here:
https://github.com/m4now4r/VidarStealer/tree/main/some%20pseudo-code
End!
m4n0w4r
SHARE THIS:
* Share
*
* Facebook
* Twitter
* Print
* Email
*
Like Loading...
RELATED
[QUICKNOTE] TECHNIQUES FOR DECRYPTING BAZARLOADER STRINGS
1. Overview Usually, to make it more difficult for analysts, malware authors
will hide important strings and only decrypt these strings during runtime. The
famous malwares like Emotet, QakBot or TrickBot often use the one or some
functions to perform decrypting strings when needed. However, on researching and
analyzing some…
February 24, 2022
In "My Tutorials"
[QUICKNOTE] ANALYSIS OF MALWARE SUSPECTED TO BE AN APT ATTACK TARGETING VIETNAM
Recently, on the twitter of Shadow Chaser Group, they tweet information about
malware sample that targeting Vietnam. Sample info: SHA-256:
341dee709285286bc5ba94d14d1bce8a6416cb93a054bd183b501552a17ef314ITW: Bien ban
thong nhat ke hoach dao tao_VPB.Voffice.docxSubmitted from VN: 2022-01-24
02:52:14 UTC Cause this sample related to Vietnam, so I decided to taking time
to perform a quick…
January 26, 2022
In "My Tutorials"
[QUICKNOTE] EXAMINING FORMBOOK CAMPAIGN VIA PHISHING EMAILS
1. Initial foothold The attacker sent an email with an attachment named
“brochure-for-2023-elite-events.rar”. This rar file contains only one lnk
(shortcut) file named: brochure-for-2023-elite-events.pdf.lnk. If the user does
not pay attention and extracts the file, it will be displayed as a PDF icon like
the following: The analysis of this…
July 6, 2023
In "My Tutorials"
Comments
1. Week 51 – 2022 – This Week In 4n6 says:
December 18, 2022 at 6:16 PM
0
0
i
Rate This
[…] 0day in {REA_TEAM}[QuickNote] VidarStealer Analysis […]
LEAVE A COMMENT
Δ
This site uses Akismet to reduce spam. Learn how your comment data is processed.
MustangPanda – Enemy At The Gate
[Z2A]Bimonthly malware challege – Emotet (Back From the Dead)
--------------------------------------------------------------------------------
Create a free website or blog at WordPress.com.
* Comment
* Reblog
* Subscribe Subscribed
* 0day in {REA_TEAM}
Join 168 other subscribers
Sign me up
* Already have a WordPress.com account? Log in now.
* Privacy
* * 0day in {REA_TEAM}
* Customize
* Subscribe Subscribed
* Sign up
* Log in
* Copy shortlink
* Report this content
* View post in Reader
* Manage subscriptions
* Collapse this bar
Loading Comments...
Write a Comment...
Email (Required) Name (Required) Website
%d