Researchers analyzed six malware families that use the protectors Themida and VMProtect. None of the samples used code virtualization, and only one had anti-debugging enabled, which significantly simplified the analysis.
The malware code itself was largely unprotected, apart from the initial compression and decryption stages added by the packer. While almost all samples had encrypted or obfuscated strings, only two obfuscated their C2 server addresses.
RisePro is a stealer whose samples are protected with Themida and VMProtect. Analysis of those samples showed that the protectors were used only for simple packing and offered weak protection.
The researchers unpacked the samples with a debugger and breakpoints. The unpacked code was readable and exposed functionality such as loading encrypted strings and C2 communication.
The analysis also concluded that the string protection functionality belonged to RisePro itself rather than to the protectors, and the same unpacking techniques worked for other malware families, such as PrivateLoader, Amadey, Arkei, and Lumma.
The PrivateLoader sample, unlike RisePro, does not store its C2 server address in plaintext in the dump; it decrypts the address with a straightforward XOR algorithm, so the address can be recovered by emulating that routine or by stepping through it with a debugger.
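The recovery step described above, as an added example that is not code from the report or from PrivateLoader: a C2 string almost always begins with `http://`, so XORing that known prefix against the encrypted bytes exposes the key stream, and the key length is whatever period the stream repeats with. The encrypted blob, the 4-byte key and the URL below are all constructed for illustration; the function names are this example's own.

```python
"""Known-plaintext recovery of a short repeating XOR key guarding a C2 string.
Added example; the blob, key and URL are constructed, not taken from a sample."""
import string
from itertools import cycle
from typing import Optional, Tuple

# Constructed sample: a made-up C2 URL XORed with a made-up repeating key.
_KEY = b"\x5a\x13\xc7\x2e"
_PLAIN_URL = b"http://c2.example.invalid/api/gate.php"
ENCRYPTED_BLOB = bytes(p ^ k for p, k in zip(_PLAIN_URL, cycle(_KEY)))

# Bytes we accept in a decrypted string (printable ASCII, no vertical tab/form feed).
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, crib: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext step: blob XOR crib equals the key stream wherever the
    crib is right. Accept key_len only if the stream repeats with that period."""
    if key_len > len(crib):
        raise ValueError("key length exceeds crib length")
    stream = bytes(b ^ c for b, c in zip(blob, crib))
    key = stream[:key_len]
    expected = bytes(k for k, _ in zip(cycle(key), stream))
    return key if stream == expected else None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 means a clean decryption."""
    return sum(b in PRINTABLE for b in data) / max(len(data), 1)


def decrypt_c2(blob: bytes, crib: bytes = b"http://",
               max_key_len: int = 8) -> Tuple[bytes, bytes]:
    """Try key lengths 1..max_key_len (bounded by the crib) and return the
    first (key, plaintext) pair whose plaintext is entirely printable."""
    for key_len in range(1, min(max_key_len, len(crib)) + 1):
        key = recover_key(blob, crib, key_len)
        if key is None:
            continue
        plain = xor_bytes(blob, key)
        if printable_ratio(plain) == 1.0:
            return key, plain
    raise ValueError("no consistent key found; crib or key-length assumption is wrong")


if __name__ == "__main__":
    key, url = decrypt_c2(ENCRYPTED_BLOB)
    print(f"key={key.hex()} c2={url.decode()}")
```

The consistency check in `recover_key` is what makes the crib usable with a key shorter than the crib: a wrong period produces a stream that does not repeat, so the candidate is rejected before any plaintext scoring happens.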
Arkei samples are packed with VMProtect, a packer that hinders analysis; unpacking a sample reveals readable code responsible for resolving functions from external libraries.
The unpacked data also contains the C2 server address, which the malware needs to communicate with its command and control server.
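A first triage pass over an unpacked dump of the kind described for RisePro and Arkei, as an added example (not the report's tooling): confirm that the dump holds a PE image by following the DOS header's e_lfanew to a `PE\0\0` signature, then pull printable strings and any URL-shaped ones as C2 candidates. The dump is constructed inline with a fake header and a made-up URL; the function names are this example's own.

```python
"""Memory-dump triage: locate PE headers and C2-looking strings.
Added example; the dump below is constructed, not a real sample."""
import re
import struct


def build_constructed_dump() -> bytes:
    """Made-up dump: a DOS header whose e_lfanew points at a PE signature,
    padding, then the kind of strings an unpacked stealer exposes."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3a)      # IMAGE_DOS_HEADER up to e_lfanew
    dos += struct.pack("<I", 0x80)                # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))            # pad up to the PE signature
    pe = b"PE\x00\x00" + b"\x4c\x01"              # signature + Machine (i386)
    strings = (b"\x00" * 16
               + b"LoadLibraryA\x00GetProcAddress\x00"
               + b"http://c2.example.invalid/gate.php\x00"
               + b"\x01\x02ab\x00")                 # short junk the scanner must skip
    return bytes(dos) + pe + strings


def find_pe_headers(buf: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew lands on a valid 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(b"MZ", buf):
        off = m.start()
        if off + 0x40 > len(buf):
            continue
        e_lfanew = struct.unpack_from("<I", buf, off + 0x3c)[0]
        pe_off = off + e_lfanew
        if 0 < e_lfanew < 0x1000 and buf[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits


URL_RE = re.compile(rb"https?://[\w.\-]+(?:/[\w./?=&\-]*)?")


def extract_strings(buf: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII at least min_len long, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, buf)]


def find_c2_candidates(buf: bytes) -> list:
    """Unique URL-shaped strings; plaintext C2 addresses show up here."""
    return sorted({m.group().decode("ascii") for m in URL_RE.finditer(buf)})


def triage(buf: bytes) -> dict:
    """Summary an analyst wants from a dump: image present, API names, C2s."""
    api_names = {"LoadLibraryA", "GetProcAddress"}
    return {
        "pe_headers": find_pe_headers(buf),
        "imports_seen": [s for s in extract_strings(buf) if s in api_names],
        "c2": find_c2_candidates(buf),
    }


if __name__ == "__main__":
    print(triage(build_constructed_dump()))
```

On a real dump the same pass is the quickest way to tell a still-packed region (no valid PE signature, few strings) from an unpacked one; the `LoadLibraryA`/`GetProcAddress` names are checked because the unpacked code the report describes resolves its imports from external libraries at run time.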
Lumma, also packed with VMProtect, additionally obfuscates its own code. The unpacked code exhibits control flow flattening: each function is divided into numbered blocks,
and a dispatcher loop selects which block to execute on each pass, which makes it difficult to follow the code's true logic. A C2 server address is nonetheless present in the dump, indicating the malware's communication capabilities.
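What control flow flattening does to a function, and the first step of undoing it, as an added example that is not Lumma's code or the report's: the same checksum loop is written once normally and once with its blocks numbered and driven by a dispatcher loop, and a small graph walk then rebuilds the real control flow from the dispatcher's state transitions, flagging the back-edge that reveals the hidden loop. The successor table is written out by hand from the flattened function; the checksum and function names are this example's own.

```python
"""Control flow flattening, illustrated, plus recovery of the hidden CFG.
Added example; the flattened function and its successor table are constructed."""
from typing import Dict, List, Tuple


def checksum_plain(data: bytes) -> int:
    """Straight-line version: the loop is obvious to a reader."""
    acc = 0
    for b in data:
        acc = (acc * 31 + b) & 0xFFFFFFFF
    return acc


def checksum_flattened(data: bytes) -> int:
    """Same logic after flattening: every basic block becomes a numbered case,
    and a dispatcher loop picks the next block from a state variable, so the
    original loop structure is no longer visible in the control-flow graph."""
    state = 0            # dispatcher variable selecting the next block
    acc = i = 0
    while state != 4:    # block 4 is the exit
        if state == 0:           # entry: initialise accumulator and index
            acc, i = 0, 0
            state = 1
        elif state == 1:         # loop condition
            state = 2 if i < len(data) else 3
        elif state == 2:         # loop body
            acc = (acc * 31 + data[i]) & 0xFFFFFFFF
            i += 1
            state = 1
        elif state == 3:         # after the loop
            state = 4
    return acc


# Constructed successor table: for each case of checksum_flattened, the values
# it may assign to `state`. Recovering this table from the binary is the
# analyst's manual (or scripted) work; here it is written out by hand.
FLAT_SUCCESSORS: Dict[int, List[int]] = {0: [1], 1: [2, 3], 2: [1], 3: [4], 4: []}


def recover_cfg(successors: Dict[int, List[int]],
                entry: int = 0) -> Tuple[List[int], List[Tuple[int, int]]]:
    """Depth-first walk of the dispatcher transitions. Returns the blocks in
    discovery order and the back-edges; a back-edge (2 -> 1 here) is the
    loop that flattening hid behind the dispatcher."""
    order: List[int] = []
    back_edges: List[Tuple[int, int]] = []
    on_stack, seen = set(), set()

    def dfs(block: int) -> None:
        seen.add(block)
        on_stack.add(block)
        order.append(block)
        for succ in successors.get(block, []):
            if succ in on_stack:
                back_edges.append((block, succ))
            elif succ not in seen:
                dfs(succ)
        on_stack.discard(block)

    dfs(entry)
    return order, back_edges


if __name__ == "__main__":
    print(hex(checksum_flattened(b"hello")), recover_cfg(FLAT_SUCCESSORS))
```

Running both checksums on the same input shows the flattening changed nothing about behaviour, which is the point: the dispatcher only costs the reader the structure. Once the successor table is known, `recover_cfg` gives back the entry, condition, body and exit blocks in order, with the body-to-condition back-edge marking the loop.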
The Amadey sample, packed with Themida, keeps its strings hidden in memory until kernel.appcore.dll is loaded, and it also employs anti-debugging checks. Using a debugger with an anti-anti-debugging extension such as TitanHide, we can bypass these checks and reach the point where kernel.appcore.dll loads.
After that, standard memory dump techniques apply. The extracted strings are still encrypted and base64-encoded, so decryption with Amadey's custom shuffling algorithm and base64 decoding are both required to reveal the original data.
Analyzing malware samples packed with Themida and VMProtect revealed a trend: the samples often lack advanced features like virtualization and rely on basic packing that provides minimal obfuscation, which makes them easier to reverse engineer.
According to ANY.RUN, the primary challenges to malware analysis stem from the obfuscation techniques employed by the malware itself, such as string obfuscation and C2 concealment, rather than from the packing tools.
Who is ANY.RUN?
ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.