Reversing a StealC Infostealer

TL;DR - spoiler

Static analysis of a StealC infostealer that uses the Heaven’s Gate technique to transition from 32-bit to 64-bit mode in an attempt to bypass EDR hooks. Features RC4-encrypted config strings, a custom “MZER” payload marker, and direct syscalls. Successfully extracted the C2 server, decryption key, and 150+ encrypted strings without dynamic execution.

Key artifacts:

  • C2: http://23¤94¤252¤171/60cdc8e27a6d4451.php
  • RC4 Key: 9vX9oFZSsq
  • Campaign ID: 30502a69951942c7
  • Family: StealC (builder v2)

Read More

Reversing random stealer

Intro

It had been a while since I last took the time to reverse a real malware sample from scratch.
To avoid getting rusty (and because it’s genuinely fun), I gave myself a simple challenge: grab a completely random malware sample and see how far I could go analyzing it.
Off to MalShare, random click, download a binary without knowing what I was getting into.
Spoiler: it wasn’t a crappy crack — it was a fairly ambitious stealer, with password theft, Discord tokens, encryption, and the usual toolkit.

Read More

AFL - Introduction

This is a simple walkthrough to install, set up, and run AFL against an open source dumb C program.

What is AFL

American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in the targeted binary. This substantially improves the functional coverage for the fuzzed code.
AFL website

Install AFL

Download

First, download the latest AFL source code:

Read More

Delitcrypt

Intro

This article is about reversing a Rust pre-compilation macro that obfuscates strings in the compiled binary.
Another point that will be discussed is the development of a Binary Ninja plugin. I’m writing the article as I go along,
to capture the process as closely as possible, with its changes of direction, disappointments and achievements :)
The purpose of this story is not to provide a turnkey plugin, but rather to explain my reverse engineering methodologies and thoughts,
as well as to progress in the use of the Binary Ninja API. No more spoilers, let’s go!

First attempt

The target

Litcrypt is a Rust proc macro that obfuscates text using a basic XOR method.
Strings are XORed at compile time to hide them, and are then “decrypted” at runtime.

Read More