A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #29405  by lokus
 Fri Oct 14, 2016 1:39 am
I'm interested in analyzing XtremeRAT. The "server" sample I am looking at is the 3.6 Private version. I understand that this file was created using the builder and is a VB PE file. Does anyone have pointers on how to reverse/analyze VB malware? I'm beginning to read the legend of random's VB Ollydbg guides but I've been unsuccessful at finding any other good tutorials on analyzing VB malware. Does anyone have any recommendations, either through experience of analyzing XtremeRAT or other VB malware? Thanks!
 #29467  by 0x90
 Thu Oct 20, 2016 10:03 pm
Well, to begin, you seem to be way off to start analyzing .NET malware, so I will point you in the right direction.

For .NET you don't need Olly; of course you will at some point, but not for the main analysis part. For the main analysis, you're better off with dnSpy.

Another great reversing tool is WinDbg; for .NET it is amazing, as it helps greatly to dump files that are encrypted/decrypted in memory. Don't get me wrong, dnSpy can do all of this; however, WinDbg could be an extra.
 #29686  by lokus
 Tue Dec 06, 2016 7:25 pm
0x90...Thanks for the response but I did not mean VB.NET. I ended up figuring out what was going on and am going to share my findings with the community.

Based on my research it appears, at least in my sample of XtremeRAT Private 3.6, that it is using RunPE/VBCrypter to hide the true XtremeRAT "Server" client that gets installed on the end host. I used the following information to aid in my analysis:

http://interestingmalware.blogspot.com/ ... runpe.html

First, open the sample in Ollydbg (I was using 1.10). Set appropriate Exception settings. I only had "All FPU Exceptions" enabled as I was noticing I kept on hitting Floating Point exceptions when attempting to step through the binary.

1. I then set a breakpoint on CreateProcessW by selecting the E icon, right clicking Kernel32.dll, View Names and searching for "CreateProcessW". Set the breakpoint with F2.
2. Hit the resume/continue button ("Play") on the menubar. Step over the CreateProcessW call until you return from the function. You'll notice when you hit the CreateProcessW function that one of the parameters is a flag to create it in a suspended state.
3. Then go back to Kernel32.dll (or you could have done this while you were already there) and set a new breakpoint (F2) on WriteProcessMemory.
4. Continue until you hit WriteProcessMemory but do not step over it. Once there, you will notice the "Buffer" parameter. Right click and select Follow in Dump.
5. I then went to the dump window, right clicked and did Copy-->Select All. I right clicked again and did Backup-->Save data to file.
6. I took that on a Linux box and ran hachoir-subfile against it, which identified an embedded executable. This executable ended up being UPX packed, which you could easily unpack using upx -d <file>.

After this was completed, I had a fully unpacked XtremeRAT "Server" sample that would be installed on the end target. The CFG file is stored in a resource and is itself encrypted.

I hope this helps others that come to this forum that may have a question about XtremeRAT. The blog post above was extremely helpful.
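As an added example (not part of lokus's post, and not code from hachoir, UPX or any tool named in the thread), here is a small Python carver that does what the hachoir-subfile step does on the buffer saved from the dump window: scan for every "MZ" that leads to a valid PE header, work out the image extent from the section table, cut it out, and flag UPX section names before you reach for upx -d. It also handles the other common situation, a region dumped after the payload has already been mapped at its load address, by taking the extent from the virtual fields and rewriting the section headers so the flat copy loads from disk. The sample dump, the decoy "MZ", the e_lfanew and section-count limits, and the mapped/unmapped switch are all my assumptions; the section header layout is the standard PE one.

```python
"""Carve embedded PE images out of a raw memory dump (added example)."""
import struct

PE_SIG = b"PE\x00\x00"
SECTION_HDR_SIZE = 40


def _parse_pe(data: bytes, off: int):
    """Validate an MZ/PE pair at data[off]; return (pe_off, sec_table_off, sections) or None."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # Real binaries keep e_lfanew small (assumed cap 0x1000); a stray "MZ" in junk fails here.
    if not (0x40 <= e_lfanew <= 0x1000) or pe + 24 > len(data):
        return None
    if data[pe:pe + 4] != PE_SIG:
        return None
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]     # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]        # COFF SizeOfOptionalHeader
    sec_table = pe + 24 + size_opt
    if not (1 <= num_sections <= 96) or sec_table + SECTION_HDR_SIZE * num_sections > len(data):
        return None
    sections = []
    for i in range(num_sections):
        s = sec_table + SECTION_HDR_SIZE * i
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append({"name": data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "hdr": s, "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "rptr": rptr})
    return pe, sec_table, sections


def carve_pe(data: bytes, off: int, mapped: bool = False):
    """Cut the PE at data[off] out of the dump; returns (image, section_names, truncated).

    mapped=False: buffer is in file layout (the WriteProcessMemory buffer holds the raw
                  payload file), so the extent comes from PointerToRawData + SizeOfRawData.
    mapped=True:  buffer is a dump of an already mapped image, so the extent comes from
                  VirtualAddress + VirtualSize and the section headers are rewritten so that
                  raw offset == RVA; the flat copy then loads from disk for static analysis.
    """
    parsed = _parse_pe(data, off)
    if parsed is None:
        return None
    pe, sec_table, sections = parsed
    hdr_end = sec_table + SECTION_HDR_SIZE * len(sections) - off
    if mapped:
        extent = max([hdr_end] + [s["vaddr"] + s["vsize"] for s in sections])
    else:
        extent = max([hdr_end] + [s["rptr"] + s["rsize"] for s in sections])
    truncated = off + extent > len(data)          # dump ended before the image did
    image = bytearray(data[off:off + extent])
    if mapped:
        for s in sections:                        # SizeOfRawData := VirtualSize, PointerToRawData := RVA
            struct.pack_into("<II", image, s["hdr"] - off + 16, s["vsize"], s["vaddr"])
    return bytes(image), [s["name"] for s in sections], truncated


def find_pe_images(data: bytes, mapped: bool = False):
    """Scan the whole dump; returns [(offset, image, section_names, truncated), ...]."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        carved = carve_pe(data, pos, mapped)
        if carved is not None:
            found.append((pos,) + carved)
        pos = data.find(b"MZ", pos + 1)
    return found


def is_upx(section_names):
    """UPX leaves its own section names (UPX0/UPX1/...) in place: a cheap hint before upx -d."""
    return any(n.startswith("UPX") for n in section_names)


def build_sample_dump() -> bytes:
    """Constructed test input: zeros, a decoy 'MZ' with e_lfanew 0, a tiny UPX-looking PE32, junk."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = PE_SIG
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)        # Machine = i386, NumberOfSections = 2
    struct.pack_into("<H", hdr, 0x54, 0xE0)             # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", hdr, 0x58, 0x10B)            # optional header Magic = PE32
    sec = 0x58 + 0xE0                                   # section table at 0x138
    for i, (name, vsize, vaddr, rsize, rptr) in enumerate([
            (b"UPX0", 0x1000, 0x1000, 0, 0),            # decompression target: no raw data
            (b"UPX1", 0x200, 0x2000, 0x200, 0x200)]):   # packed code: 0x200 raw bytes at 0x200
        s = sec + SECTION_HDR_SIZE * i
        hdr[s:s + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, s + 8, vsize, vaddr, rsize, rptr)
    pe = bytes(hdr) + b"\x90" * 0x200
    decoy = b"\x00" * 0x100 + b"MZ" + b"\x00" * 0x3E   # "MZ" whose e_lfanew reads as 0: rejected
    return decoy + pe + b"\xff" * 0x80


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--mapped"]
    blob = open(args[0], "rb").read() if args else build_sample_dump()
    for off, image, names, truncated in find_pe_images(blob, mapped="--mapped" in sys.argv):
        out = f"carved_{off:08x}.bin"
        open(out, "wb").write(image)
        print(f"{out}: {len(image)} bytes, sections {names}, upx={is_upx(names)}, truncated={truncated}")
```

Run it against the file saved from the dump window (`python carve.py dump.bin`), or with `--mapped` when the input was read out of the target at its load address rather than before the write. A `truncated=True` result means the dump ended before the image did, which is the usual sign that only part of the buffer was selected before saving.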
 #29701  by r3shl4k1sh
 Sat Dec 10, 2016 8:17 pm
XtremeRAT is written in Delphi not in VB (6).

The VB part is probably just the cryptor. Personally, I don't spend much time on cryptors. Just run and dump the extracted data from memory (with Xtreme RAT it's even easier because most of the time it's going to be at the same memory address, 0x10000000).

I think that VB malware is really challenging to RE. I wasn't able to find a decent tool that's able to map the Win32 API calls.