Reverse Engineering (.NET) & Patching Multi-Stage Formbook Malware


This blog post walks you through reverse-engineering a .NET Formbook infostealer trojan that is delivered in several stages. The sample used in this write-up can be obtained from the open-source malware repository abuse[.]ch; check the hash below against the file you download before you start.

Tools used:

ExeInfo PE

DIE (Detect It Easy)

dnSpy

de4dot

Babel Deobfuscator

x64dbg

Disclaimer

*** You are dealing with a real malware sample. Run and analyze it only in a controlled environment (sandbox) with no connection to the internal network or the internet. I am not responsible for any consequences or damages.

Hash:

MD5: cdb79c6eee195332d11b14ba3cee3ada

Analysis:

ExeInfo PE and Detect It Easy both identify the file as a 32-bit .NET assembly, which is why the rest of the analysis is done in dnSpy rather than a native disassembler.



Opening the malware in dnSpy, the entry point leads to "new Form1". Below it, InitializeComponent sets up the form's buttons and labels; the method of interest is "name" at line 376 of the decompiled listing. Here we also find an object called "oOaid", stored under Resources as a bitmap, which is used to encode or decode data. Line 420 calls "IteractionCount", a decryption method whose arguments are the "IG" class and the "Unity3D" method. We set breakpoints on lines 411 and 428 so we can catch Unity3D once it has been decoded and loaded into memory. (The line numbers are those dnSpy assigns to its decompiled C#; they can differ slightly between dnSpy versions.)



Start debugging and let the program run to both breakpoints. "BUNIFU.UI.exe" should now appear in the Modules window, because the decoded resource has been loaded as an in-memory assembly. Save this module from memory so it can be analyzed on its own.



Loading BUNIFU.UI.exe into the identifiers shows it is a 32-bit .NET DLL that has been run through an obfuscator (reported as .NET Reactor, one of the protectors de4dot supports). Use de4dot to deobfuscate the code before reading it.





Load the stage 1 module BUNIFU.UI.exe, pulled from the Unity3D resource, into dnSpy for further debugging. The Bunifu Textbox method in this copy now reads as deobfuscated. The idea is to replace the encoded resource in the original sample with this decoded, deobfuscated module, i.e. to patch the sample so it no longer has to decode anything at runtime.



In the original sample, delete the Unity3D resource located under Resources. Create a new empty resource of type byte array, name it Unity3D, and load it with the decoded and deobfuscated module.



To patch the code, go to the main module > Form1 > InitializeComponent > line 420, and in the IteractionCount call remove the code that decodes the resource and dumps it; it is no longer needed because the data is already decoded. Finally save the module as Patched.exe.





Checking the new Unity3D resource confirms it now starts with an MZ header, i.e. it is a plain PE rather than the encoded blob the original carried, and that the patch was applied correctly.
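The two checks the post relies on, "is this a 32-bit .NET file?" (ExeInfo PE / DIE on the dropper) and "does the resource now begin with an MZ header?" (the patched Unity3D resource), can be scripted when you dump modules from memory repeatedly. The following is an added example, not code from the post or from the malware: a header-only PE parser using the Python standard library. It walks MZ -> e_lfanew -> PE\0\0 -> COFF -> optional header, decides 32 vs 64 bit from the optional-header magic, and reports a .NET assembly when the CLR Runtime Header data directory (index 14) is non-empty. The blobs it is run against are constructed here for the example; the MD5 constant is the sample hash from the post and is only used for comparison.

```python
"""Added example: header-only PE / .NET identification for dumped modules
and decoded resources. Standard library only; test blobs are constructed."""
import hashlib
import struct

SAMPLE_MD5 = "cdb79c6eee195332d11b14ba3cee3ada"   # hash given in the post
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def md5_hex(blob: bytes) -> str:
    """MD5 of a blob, for comparing a download or dump against a known hash."""
    return hashlib.md5(blob).hexdigest()


def describe_pe(blob: bytes) -> dict:
    """Return {'is_pe','bits','machine','is_dotnet','reason'} for a blob.

    A still-encoded resource fails at the first check (no 'MZ'); a correctly
    decoded resource or a dumped module passes them all.
    """
    info = {"is_pe": False, "bits": None, "machine": None,
            "is_dotnet": False, "reason": ""}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        info["reason"] = "no MZ header (still encoded, or not a PE)"
        return info
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["reason"] = "MZ present but no PE signature at e_lfanew"
        return info
    coff = e_lfanew + 4
    machine, _nsec, _ts, _psym, _nsym, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(blob):
        info["reason"] = "truncated optional header"
        return info
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == PE32_MAGIC:
        bits, dd_off = 32, 96     # data directories start at +96 for PE32
    elif magic == PE32PLUS_MAGIC:
        bits, dd_off = 64, 112    # and at +112 for PE32+
    else:
        info["reason"] = "unknown optional-header magic 0x%x" % magic
        return info
    info.update(is_pe=True, bits=bits, machine=machine, reason="ok")
    # NumberOfRvaAndSizes sits 4 bytes before the data directory array.
    n_dirs = struct.unpack_from("<I", blob, opt + dd_off - 4)[0]
    clr_off = opt + dd_off + CLR_DIRECTORY_INDEX * 8
    if n_dirs > CLR_DIRECTORY_INDEX and clr_off + 8 <= len(blob):
        clr_rva, clr_size = struct.unpack_from("<II", blob, clr_off)
        info["is_dotnet"] = clr_rva != 0 and clr_size != 0
    return info


def build_test_blob(dotnet: bool = True, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-executable PE header (constructed test data)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = b"\0" * (e_lfanew - len(dos))
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    dd_off = 112 if pe32plus else 96
    opt_size = dd_off + 16 * 8
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dd_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    decoded = build_test_blob()
    encoded = bytes(b ^ 0x5A for b in decoded)   # stand-in for an encoded resource
    print("decoded:", describe_pe(decoded))
    print("encoded:", describe_pe(encoded))
    print("matches sample hash:", md5_hex(decoded) == SAMPLE_MD5)
```

On a real dump, pass the file contents to describe_pe(); a resource that dnSpy shows as an encoded blob will report "no MZ header", while the patched Unity3D resource and the saved BUNIFU.UI.exe should report is_pe, bits 32 and is_dotnet. This only reads headers; it does not tell you the module is intact, so still open the dump in dnSpy to confirm the metadata loads.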



To debug the patched sample, repeat the initial steps: Main > new Form1 > InitializeComponent, set a breakpoint on line 428 again and run the program. When the breakpoint is hit, open the Modules window (Debug > Windows > Modules), find Bunifu and double-click it to load it, then navigate to Bunifu.UI > Bunifu.UI textbox and set a breakpoint on the line containing Thread.Sleep. Once that breakpoint is reached, set another breakpoint on the line that handles the bitmap and continue. Method 0, as observed, fetches the oOaid resource and returns it as a bitmap. Set a breakpoint on the "Interaction.CallByName" call, which receives the entry point as a parameter, and run again. The Modules window should now list the executable that was loaded into memory (stage 2); save it for further debugging.







The stage 2 PE is obfuscated with the Babel obfuscator. Babel Deobfuscator is used here because de4dot on its own cannot handle this protector. The deobfuscator is distributed as source, so you have to compile it before using it.







Once Babel's layer is removed, run de4dot.exe over the output to clean up the remaining obfuscation. The code is then readable enough to see what it does: method 2 checks for a virtual machine environment (VirtualBox etc.), and method 4 sets up persistence via scheduled tasks.
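Because the stage 2 payload persists through a scheduled task, a quick way to find it on an infected host is to look for tasks whose action runs from a user-writable location. The following is an added example, not code from the post and not the malware's own task name or path: it parses the CSV that `schtasks /query /fo CSV /v` prints and flags tasks whose "Task To Run" points into AppData, Temp, Public, ProgramData or Downloads (literal paths or the %appdata%/%temp%-style variables). The CSV embedded below is constructed for the example and reduced to a few columns; csv.DictReader keys on the header row, so the extra columns of real output do not matter, and repeated header rows (schtasks /v prints one per task folder) are skipped.

```python
"""Added example: triage of `schtasks /query /fo CSV /v` output for tasks
whose action runs from a user-writable directory. Constructed sample data."""
import csv
import io
import re

SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\"
    r"|%(appdata|localappdata|temp|tmp)%",
    re.IGNORECASE,
)

# Constructed, reduced schtasks output: one Microsoft task, one task that
# mimics the pattern described in the post, one benign AppData false positive.
CONSTRUCTED_SCHTASKS_CSV = """\
"HostName","TaskName","Status","Author","Task To Run","Schedule Type","Run As User"
"WKS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","At system startup","SYSTEM"
"WKS01","\\WinUpdateCheck","Ready","WKS01\\analyst","C:\\Users\\analyst\\AppData\\Roaming\\wincfg\\wincfg.exe","At logon time","WKS01\\analyst"
"WKS01","\\OneDrive Standalone Update Task","Ready","Microsoft Corporation","%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","WKS01\\analyst"
"""


def flag_suspicious_tasks(csv_text: str) -> list:
    """Return [(task_name, run_as_user, action)] for tasks whose action path
    is in a user-writable location. Repeated header rows are skipped."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name == "TaskName":          # schtasks /v repeats the header
            continue
        action = row.get("Task To Run", "")
        if SUSPICIOUS_DIRS.search(action):
            hits.append((name, row.get("Run As User", ""), action))
    return hits


if __name__ == "__main__":
    for name, user, action in flag_suspicious_tasks(CONSTRUCTED_SCHTASKS_CSV):
        print(f"{name}  (as {user})  ->  {action}")
```

The OneDrive updater is a deliberate hit: legitimate software also runs from AppData, so treat the output as a triage list and follow up by checking the binary's signature, hash and creation time, not as a verdict.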





Thanks for reading!
