Malware reversing #1

So here comes my very first post in an ongoing series about reverse engineering malware and various other security-related topics.

Today I will start with a .NET stealer that is being spread via phishing attacks.

With the tool dnSpy it's possible to decompile the executable and read the recovered source code, as you can see in the screenshot below:


The malware basically reads an image stored in its resources, copies a region of it (the injected code) into a byte array, and loads that array as a .NET assembly. So we know that the hidden code inside the image must itself be a managed (.NET) assembly, not raw machine code.

Loaded image (the noise along the top is the embedded assembly):


Fortunately dnSpy has a built-in debugger. Setting a breakpoint right after the code has been copied into the array, and then dumping the array's contents to disk, reveals the hidden code.
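Once the array is on disk (or if you only have the raw image bytes), it is worth checking that what you dumped really is a complete managed assembly before loading it into dnSpy. The script below is an added example of my own, not code from the post or from the malware: it walks a byte blob for MZ/PE headers, computes each file's on-disk size from its section table, and reads the CLR Runtime Header data directory (index 14) to tell .NET assemblies apart from native PEs. The "image" it runs on is a constructed stand-in (a PNG-like prefix, a decoy "MZ", a minimal PE32 with a non-empty CLR directory, and trailing bytes), not the real sample.

```python
"""Carve embedded PE files out of a dumped byte array (e.g. an image resource)
and distinguish managed (.NET) assemblies from native PEs.

Added analysis helper, not code from the original post or the malware.
The sample "image" built below is constructed here for demonstration only.
"""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def parse_pe(blob: bytes, off: int):
    """Validate a PE at `off`; return (is_dotnet, file_size) or None if invalid/truncated."""
    if off + 0x40 > len(blob) or blob[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    opt = pe + 24  # optional header follows the 20-byte COFF header
    if opt_size < 2 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dir_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dir_off = 108, 112
    else:
        return None
    # A managed assembly has a non-empty CLR Runtime Header directory entry.
    is_dotnet = False
    if opt_size >= nrva_off + 4:
        n_dirs = struct.unpack_from("<I", blob, opt + nrva_off)[0]
        clr_off = dir_off + CLR_DIRECTORY_INDEX * 8
        if n_dirs > CLR_DIRECTORY_INDEX and opt_size >= clr_off + 8:
            rva, size = struct.unpack_from("<II", blob, opt + clr_off)
            is_dotnet = rva != 0 and size != 0
    # On-disk size = end of the last section's raw data (at least the headers).
    sec = opt + opt_size
    size = sec + num_sections * 40 - off
    if off + size > len(blob):
        return None
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + i * 40 + 16)
        size = max(size, raw_ptr + raw_size)
    if off + size > len(blob):
        return None  # dump is truncated; do not trust a partial file
    return is_dotnet, size


def carve_assemblies(blob: bytes):
    """Return [(offset, is_dotnet, file_bytes)] for every complete PE in `blob`."""
    found, start = [], 0
    while (off := blob.find(b"MZ", start)) != -1:
        info = parse_pe(blob, off)
        if info:
            is_dotnet, size = info
            found.append((off, is_dotnet, blob[off:off + size]))
            start = off + size  # skip past this file
        else:
            start = off + 1
    return found


def build_fake_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 (headers + one section); not loadable, parse-only."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    # COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2002)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    sec = bytearray(40)
    sec[0:5] = b".text"
    struct.pack_into("<II", sec, 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200  # 0x400 bytes total


def build_sample_image() -> bytes:
    """Constructed stand-in for the stego image: PNG-ish prefix, decoy 'MZ', PE, padding."""
    return b"\x89PNG\r\n\x1a\n" + b"MZ" + b"junk" * 30 + build_fake_pe(True) + b"\x00" * 64


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for off, dotnet, body in carve_assemblies(data):
        print(f"PE at offset {off:#x}, {len(body)} bytes, {'managed .NET' if dotnet else 'native'}")
```

Run it with the path of the dumped array or image as the only argument; without arguments it runs on the constructed sample. A PE whose section data runs past the end of the dump is skipped rather than reported, since a truncated dump is the usual sign that the breakpoint fired before the array was fully populated.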


Analyzing that dump made clear that the application does the following:

  • Steal .rdp files.
  • Steal wallet.dat files.
  • Steal credentials from FTP clients like SmartFTP, FileZilla, TotalCommander, WinSCP, and CoreFTP.
  • Steal credentials from Pidgin, PSI, LiveMessenger, and others.
  • Steal cookies and passwords from Firefox, Chrome, Thunderbird, and Outlook.
