Our analysts disassembled an information-stealer malware sample purchased on cybercrime forums and reported on its command-and-control functionality.
DeepCode received a request from a law enforcement organization to acquire, analyze and report on a popular infostealer sold on cybercrime forums. After purchasing an unobfuscated copy of the malware, our analysts set up a command-and-control server following the seller’s instructions and prepared isolated virtual machines to simulate a compromised host. Using Ghidra and OllyDbg, we analyzed the binary and its network traffic to identify the obfuscation techniques it implements and the commands and URLs it uses to communicate with the server.