Asentrix, posted May 3, 2018

Unsure of the protection, just want it reversed. I checked it in HxD and it looks like a 3 is just added to every byte. I also ran it in a debugger and Themida popped up. Checked on VirusTotal and it says packed with: BobSoft Mini Delphi -> BoB / BobSoft

Included are 3 files:
1. The original, which isn't an exe file
2. Renamed exe but not fixed
3. Fixed exe with digital signature

That's as far as we got!

Attachment: DEOB.zip
kao, posted May 4, 2018

8 hours ago, Asentrix said:
"3. Fixed exe with digital signature"

You didn't do that right. Try again.

Malware copies itself to %AppData%\Roaming\ProSoft\ProSoft.exe. Then it creates an svchost.exe process, decrypts the actual password stealer and injects it there. The password stealer will connect to secure.jagexlaucher.top and send stolen data. That's all you need to know to analyze it.
Asentrix (author), posted May 4, 2018

10 hours ago, kao said:
"You didn't do that right. Try again. Malware copies itself to %AppData%\Roaming\ProSoft\ProSoft.exe. Then it creates an svchost.exe process, decrypts the actual password stealer and injects it there. The password stealer will connect to secure.jagexlaucher.top and send stolen data. That's all you need to know to analyze it."

Would you mind providing me with the stealer? I need it because I'm pursuing someone legally. If so, it would be appreciated!
kao, posted May 4, 2018

I can't do that for several reasons. But with the information I gave you, you should be able to do it yourself.
Asentrix (author), posted May 5, 2018

Well, could you at least submit it to VirusTotal and provide me the link for analysis? Or preferably Hybrid-Analysis.com.
evlncrn8, posted May 5, 2018

Can't you just dump the process once it's injected the stuff into it.. or even better, breakpoint on WriteProcessMemory and grab it from there?.. kao already said he can't... show some respect.. if you can't do it from the information he already provided then you can't be that much of a researcher.. or did you want it for some other nefarious purpose?
Asentrix (author), posted May 6, 2018 (edited)

3 hours ago, evlncrn8 said:
"Can't you just dump the process once it's injected the stuff into it.. or even better, breakpoint on WriteProcessMemory and grab it from there?.. kao already said he can't... show some respect.. if you can't do it from the information he already provided then you can't be that much of a researcher.. or did you want it for some other nefarious purpose?"

Are you trolling or just stupid?
1. I asked 2 completely different things. Firstly I asked for the sample, which he said he couldn't provide, fair enough; asking if he can submit it for analysis is completely different.
2. Never claimed to be a researcher, you fµcktard lol, learn to read?
3. What possible "nefarious" purpose could I use it for? Literally give me an example. I will pay you for a logical example of how I could use someone else's malware to benefit myself.

Go for a shower and wash that brown nose of yours, moron.

Edited May 6, 2018 by Asentrix
kao, posted May 6, 2018

Oh, please play nice, both of you!

The main reason why I can't do it: I'm on vacation for the next week or so. Can't do much on a mobile.

Second reason: if you really are pursuing someone legally, what will be your argument? "A random guy on the Internet sent me this malware and told me it was in my file?" That won't stand up in court or with the police.

I already told you what you did wrong (for some reason you failed to decrypt it correctly. Subtracting 3 from every byte is hard!). So, if you do that yourself and then yourself submit the resulting exe to Hybrid-Analysis, then you might have a valid argument. Or better, hire an expert who knows how to handle all that, including legal matters.
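The decoding step the thread keeps coming back to (subtract 3 from every byte, then confirm the result is a real PE) is easy to get wrong when the subtraction underflows on bytes 0x00 to 0x02. The following is an added analyst helper, not code from the thread or from any of its posters: it subtracts the shift with proper modulo-256 wraparound, validates the MZ header and the `PE\0\0` signature at `e_lfanew`, and goes one step beyond the thread by brute-forcing the shift value when it is unknown. The `build_sample` blob is a constructed stand-in for the attachment, not the real file.

```python
import struct
import sys
from typing import Optional


def shift_bytes(data: bytes, delta: int) -> bytes:
    """Subtract `delta` from every byte, wrapping modulo 256 so 0x00..0x02 do not underflow."""
    return bytes((b - delta) & 0xFF for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check for an 'MZ' DOS header and a 'PE\\0\\0' signature at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_shift(data: bytes) -> Optional[int]:
    """Try every single-byte shift and return the first one that yields a valid PE layout."""
    for delta in range(256):
        if looks_like_pe(shift_bytes(data, delta)):
            return delta
    return None


def build_sample() -> bytes:
    """Constructed test input: a minimal MZ/PE skeleton with 3 added to every byte (mod 256)."""
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes((b + 3) & 0xFF for b in stub)


if __name__ == "__main__":
    # Usage: decode.py <obfuscated file> <output file>; the shift is recovered automatically.
    blob = open(sys.argv[1], "rb").read()
    delta = recover_shift(blob)
    if delta is None:
        sys.exit("no single-byte shift produces a valid PE header")
    open(sys.argv[2], "wb").write(shift_bytes(blob, delta))
    print(f"decoded with shift {delta}")
```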