[QuickNote] Techniques for decrypting BazarLoader strings


1. Overview

To make analysis harder, malware authors commonly hide important strings and decrypt them only at runtime. Well-known families such as Emotet, QakBot and TrickBot typically route this through one or a few dedicated string-decryption functions that are called whenever a string is needed.

However, while researching and analyzing other families such as Conti, BlackMatter and BazarLoader, it turns out that instead of using a separate decryption function, these samples store the encrypted strings on the stack as stack strings. The strings are then decrypted inline by XOR-ing with a key value (which is not necessarily fixed) or through fairly complex computation. This technique costs the analyst a lot of time.
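To make the stack-string pattern concrete, here is an added analyst-side example (written for this note, not code from the original post or from any of the malware families it names). It rebuilds the byte buffer that a run of `mov dword [rbp-XX], imm32` stores would leave on the stack, XORs it with a repeating key, and shows one practical shortcut: when the plaintext was NUL-padded, the trailing ciphertext bytes are the key itself. The store offsets and immediates below are constructed sample data, and the two-byte repeating key is an assumption chosen for the example, not a key used by BazarLoader.

```python
import struct

# Constructed sample: (stack offset relative to rbp, 32-bit immediate) pairs,
# listed out of order on purpose, as they might appear in disassembly.
SAMPLE_STORES = [
    (-0x18, 0x50365874),
    (-0x20, 0x52285931),
    (-0x14, 0x3C5A3C5A),
    (-0x1C, 0x0E69503F),
]

# Assumed key for the example (the real key varies per sample / per string).
SAMPLE_KEY = b"\x5a\x3c"


def assemble_stack_string(stores):
    """Rebuild the contiguous byte buffer that a sequence of dword stack
    stores builds. The lowest stack offset becomes byte 0 of the buffer,
    and each immediate is written little-endian, as the CPU would."""
    lowest = min(off for off, _ in stores)
    size = max(off for off, _ in stores) - lowest + 4
    buf = bytearray(size)
    for off, val in stores:
        struct.pack_into("<I", buf, off - lowest, val)
    return bytes(buf)


def xor_decrypt(data, key):
    """XOR data with a repeating key and cut at the first NUL terminator."""
    out = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return out.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def key_from_padding(data, key_len):
    """Heuristic key recovery for a repeating XOR key of known length:
    if the plaintext buffer was NUL-padded, the last ciphertext byte at
    each key position is (0 XOR key[j]) == key[j]. Assumes at least one
    padding byte per key position; verify the result by decrypting."""
    key = bytearray(key_len)
    for j in range(key_len):
        idxs = [i for i in range(len(data)) if i % key_len == j]
        key[j] = data[idxs[-1]]
    return bytes(key)


def decrypt_sample():
    """End-to-end: rebuild the stack buffer, recover the key from the
    padding, and decrypt with it."""
    buf = assemble_stack_string(SAMPLE_STORES)
    key = key_from_padding(buf, len(SAMPLE_KEY))
    return xor_decrypt(buf, key)


if __name__ == "__main__":
    buf = assemble_stack_string(SAMPLE_STORES)
    print("stack buffer :", buf.hex())
    print("recovered key:", key_from_padding(buf, 2).hex())
    print("decrypted    :", decrypt_sample())
```

In practice the offsets and immediates are read straight from the decompiler output; the padding trick only works when the plaintext really is NUL-padded, so the recovered key should always be confirmed by checking that the decrypted text is readable.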
