Archive for December, 2022


1. Hunting

Recently, in my free time, I have continued hunting samples related to the PlugX malware of the Mustang Panda group. Among the results returned by VirusTotal, there is a file submitted to VT from LV (Latvia ??) at 2022-12-06 06:39:03 UTC:


Summary

Sample hash is: fc345d151b44639631fc6b88a979462dfba3aa5c281ee3a526c550359268c694

This write-up of mine will be divided into three parts:

  • Grab the core Emotet DLL payload.
  • Recover the API functions used by the core payload.
  • Decrypt strings.

Sample:

Loader: https://bazaar.abuse.ch/sample/816c4a2117b90dc75d91056ca32a36ffd32d561aa433ee3f97126ba490e6d60a/

Unpacked: 7bd942857a29e7f2931da2bd8fa1d118

Decrypt strings

Here is the pseudo-code of the function that decodes the strings:

_BYTE *__usercall vdr_decrypt_strings@<eax>(uint32_t len@<ecx>, char *xor_key, const char *encStr)
{
  // Local declarations were collapsed in the decompiler view; inferred from usage:
  //   int cnt; char *v5; wchar_t Destination[0x104]; _BYTE *decStr; uint32_t i;

  cnt = 0x208;
  v5 = Destination;
  do                                      // zero the 0x208-byte Destination buffer one byte at a time
  {
    *v5 = 0;
    v5 = (v5 + 1);
    --cnt;
  }
  while ( cnt );
  wcscat(Destination, L"Nor again is there anyone who loves or pursues or desires to obtain pain of itself, because it is pain");
  wcslen(Destination);                    // repeated wcslen() calls; every result is discarded
  wcslen(Destination);
  wcslen(Destination);
  wcslen(Destination);
  decStr = LocalAlloc(0x40u, len + 1);    // LPTR: fixed, zero-initialised buffer of len + 1 bytes
  wcslen(Destination);
  wcslen(Destination);
  wcslen(Destination);
  wcslen(Destination);
  decStr[len] = 0;                        // NUL-terminate the output
  wcslen(Destination);
  wcslen(Destination);
  wcslen(Destination);
  wcslen(Destination);
  for ( i = 0; i < len; ++i )
  {
    wcslen(Destination);
    wcslen(Destination);
    decStr[i] = xor_key[i] ^ encStr[i % strlen(encStr)];   // <-- xor loop: encStr is reused cyclically
    wcslen(Destination);
    wcslen(Destination);
  }
  wcslen(Destination);
  wcslen(Destination);
  memset(Destination, 0, sizeof(Destination));
  return decStr;
}
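The XOR loop above, stripped of the filler wcslen() calls and re-implemented in Python so the strings can be decoded offline during analysis. This is an added example and not code from the sample or the post; the function and sample names are my own, the test vector is constructed here, and the argument naming follows the decompiler output (the `xor_key` parameter holds the encrypted bytes, `encStr` the repeating key).

```python
"""Re-implementation of the vdr_decrypt_strings XOR loop shown in the pseudo-code."""


def vdr_decrypt_strings(blob: bytes, key: bytes) -> bytes:
    """Mirror of the decompiled loop: out[i] = blob[i] ^ key[i % strlen(key)].

    `blob` corresponds to the `xor_key` argument (len bytes of encrypted data),
    `key` to `encStr`, which the loop indexes with i % strlen(encStr).
    strlen() stops at the first NUL byte, so the key is truncated there, and
    an empty key would make the original divide by zero in the modulo.
    """
    key = key.split(b"\x00", 1)[0]  # emulate strlen(): key ends at the first 0x00
    if not key:
        raise ValueError("empty key: the original loop would divide by zero")
    return bytes(blob[i] ^ key[i % len(key)] for i in range(len(blob)))


def xor_encrypt(plain: bytes, key: bytes) -> bytes:
    """XOR is symmetric, so the same routine produces a test vector."""
    return vdr_decrypt_strings(plain, key)


def decode_string_table(blobs: list[bytes], key: bytes) -> list[str]:
    """Decode a list of encrypted blobs and render them for a report.

    Non-printable results are shown as a hex dump so a wrong key is obvious.
    """
    out = []
    for blob in blobs:
        dec = vdr_decrypt_strings(blob, key)
        try:
            text = dec.decode("ascii")
            out.append(text if text.isprintable() else dec.hex())
        except UnicodeDecodeError:
            out.append(dec.hex())
    return out


# Constructed sample values (hypothetical; not taken from the analysed binary)
SAMPLE_KEY = b"Hq2Zb"
SAMPLE_BLOBS = [xor_encrypt(s, SAMPLE_KEY) for s in (b"kernel32.dll", b"LoadLibraryA")]

if __name__ == "__main__":
    for s in decode_string_table(SAMPLE_BLOBS, SAMPLE_KEY):
        print(s)
```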