A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25829  by EP_X0FF
 Sat May 09, 2015 2:48 am
The call of payload decryption routine is in Form1.FormCreate method. Here also you can find this "antisandbox" feature representing a call to GetUsername, rofl. The huge size of dropper application is because they put on Form chaotic mosaic of heavy-weight components such as QuickReport. There is no obfuscation in dropper. It is just a Delphi VCL, 2015 people don't know how files produced by popular compiler looks like.
 #25841  by SomeUnusedName
 Mon May 11, 2015 8:02 am
So, it seems that the Rombertik malware is not an actual standalone malware at all, but an obfuscating wrapper applied to various crimeware.
I'm not sure they understood it either?
 #25870  by EP_X0FF
 Fri May 15, 2015 9:04 am
Another one report from security imbecile.

http://labs.lastline.com/exposing-rombe ... ve-malware
nformation Overload

Another significant obstacle that Rombertik throws at human reverse engineers is that it complicates static analysis by adding many (many!) different functions to its executable. These functions do not add meaningful logic to the program, but merely make finding relevant code-regions (that contain the actual, malicious payload) very tedious.


"Security Expert"



 #25871  by ebfe
 Fri May 15, 2015 10:47 am
These guys are spending its time to analyze packer(or Cryptor) written in Delphi. Unpacked EXE (which only is 25600 Bytes) is wrapped with this delphi packer.

The malware is old, I don't know why it is popped out now.

And actually there are different versions of packers they used in the past.

Here is the same malware packed with different packers/cryptors:
AutoIt: https://www.virustotal.com/en/file/cabf ... /analysis/
.Net: https://www.virustotal.com/en/file/6c18 ... /analysis/
VB: https://www.virustotal.com/en/file/72b5 ... /analysis/
 #25872  by R136a1
 Fri May 15, 2015 11:26 am
But as you can see, it works. Reading the comments on Cisco analysis made my day. :D
Great article. I'm interested in reverse engineering as well, so I'd like to know how the team mastered all the anti-analysis and anti-debugging techniques... It must have taken alot of time to perform analysis on this particular malware...
Excellent research and a well written article...
My favorite:
Brilliant article, showing clearly how on top of its game Talos is. The work that must have gone into unravelling that malware sounds enormous...
Also, SentinelOne did a brilliant analysis on this: http://www.sentinelone.com/rombertik-ma ... -record-2/
 #25876  by EP_X0FF
 Fri May 15, 2015 2:03 pm
ebfe wrote:These guys are spending its time to analyze packer(or Cryptor) written in Delphi. Unpacked EXE (which only is 25600 Bytes) is wrapped with this delphi packer.
The problem is that there is no cryptor here. They simple joined payload code (very small code block called in Form1.FormCreate method, including encrypted payload exe) with Delphi application. To make it friendly for static AV scans they put on Delphi form as much of heavy weight components as they can. This results in megabyte of dead runtime code which turns this code looks legitimate and harmless. This mimicry is not a something new and previously was in multiple malware, for example in Kelihos. Example in case of the above sample they use Delphi 7 application with the following modules included.
Code: Select all
3701h  Project1                          
4510h  NMFtp                             
C700h  System                            
8100h  SysInit                           
0210h  SysUtils                          
4B1Ch  Windows                           
5510h  Types                             
9D10h  SysConst                          
5E10h  Classes                           
2210h  RTLConsts                         
331Ch  Messages                          
4310h  Variants                          
2410h  VarUtils                          
5110h  TypInfo                           
7310h  ActiveX                           
8810h  Psock                             
2A1Ch  ShellAPI                          
A91Ch  WinSock                           
9110h  ExtCtrls                          
C710h  Consts                            
A010h  Dialogs                           
491Ch  Dlgs                              
1610h  Math                              
331Ch  CommDlg                           
281Ch  ShlObj                            
141Ch  CommCtrl                          
BB1Ch  RegStr                            
3F1Ch  WinInet                           
EF1Ch  UrlMon                            
2B10h  Graphics                          
2610h  Controls                          
B300h  Forms                             
B010h  Printers                          
571Ch  WinSpool                          
8F10h  FlatSB                            
DF10h  StdActns                          
B810h  Clipbrd                           
5910h  StrUtils                          
4510h  ActnList                          
7610h  Menus                             
8710h  Contnrs                           
CD10h  ImgList                           
6410h  StdCtrls                          
A510h  WinHelpViewer                     
5210h  HelpIntfs                         
C11Ch  Imm                               
A510h  MultiMon                          
CB10h  NMConst                           
A710h  WebAdapt                          
0410h  AutoAdap                          
C310h  WebDisp                           
3E10h  WebConst                          
B610h  WebScript                         
A210h  CopyPrsr                          
BD10h  WebComp                           
9810h  WbmConst                          
5610h  WebCntxt                          
3F10h  HTTPApp                           
E810h  BrkrConst                         
3D10h  Masks                             
CA10h  HTTPProd                          
1F10h  SiteConst                         
C210h  AscrLib                           
4610h  ComObj                            
7110h  ComConst                          
EC10h  StdVCL                            
9E10h  SiteComp                          
9810h  WebContnrs                        
4010h  WebScript_TLB                     
B010h  WebAuto                           
C510h  WebSess                           
5F10h  DateUtils                         
4410h  SessColn                          
0510h  SyncObjs                          
A510h  AdaptReq                          
2210h  MidItems                          
1410h  Provider                          
1D10h  MidConst                          
7710h  DBConsts                          
6110h  DBCommon                          
6410h  FMTBcd                            
B010h  DB                                
3510h  MaskUtils                         
7210h  SqlTimSt                          
ED10h  DataBkr                           
D110h  Midas                             
C910h  DBClient                          
E710h  DSIntf                            
C110h  DBWeb                             
5110h  AutoDisp                          
4810h  XMLBrokr                          
F310h  PagItems                          
4E10h  CompProd                          
9210h  MidProd                           
B210h  ScrptMgr                          
9C10h  MidComp                           
1210h  QuickRpt                          
5310h  QRCtrls                           
6210h  QRLablEd                          
6E10h  ComCtrls                          
A510h  ComStrs                           
0C10h  ExtActns                          
3010h  Mapi                              
B010h  ExtDlgs                           
C210h  Buttons                           
3810h  Registry                          
DD10h  IniFiles                          
971Ch  RichEdit                          
8610h  ToolWin                           
DF10h  ListActns                         
A310h  Mask                              
1810h  QRExprEd                          
A510h  QRExpBld                          
1810h  QRPrntr                           
C210h  QRPrev                            
D010h  QR3Const                          
1710h  DBTables                          
C310h  bdeconst                          
9610h  BDE                               
B810h  SMINTF                            
D310h  QRExtra                           
2A10h  QRCompEd                          
0910h  QRAbout                           
0D10h  OleCtrls                          
1010h  OleConst                          
C110h  AxCtrls                           
1110h  QREnvEd                           
C310h  QRExpr                            
5810h  Grids                             
DD10h  QRPrnSu                           
1B10h  QRPrgres                          
EE00h  Unit1                             
As you can see they put random heavy-weight palette of components which automatically adds to resulting file tons of dead rtl code and resources (especially QuickReport).

And here is what all the skids from "security experts" analysing few weeks -> Form1.
Code: Select all
// <DFM>  TFORM1 = class(TForm);

object Form1: TForm1
  Left = 483
  Top = 195
  Width = 604
  Height = 450
  AlphaBlend = True
  Color = clBtnFace
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'MS Sans Serif'
  Font.Style = []
  OldCreateOrder = False
  OnCreate = FormCreate
  PixelsPerInch = 96
  TextHeight = 13
  object Image1: TImage
    Left = 128
    Top = 168
    Width = 105
    Height = 105
  object Button2: TButton
    Left = 96
    Top = 256
    Width = 75
    Height = 25
    Caption = 'Button2'
    TabOrder = 0
  object Button3: TButton
    Left = 104
    Top = 376
    Width = 75
    Height = 25
    Caption = 'Button3'
    TabOrder = 1
  object CheckBox2: TCheckBox
    Left = 96
    Top = 304
    Width = 97
    Height = 17
    Caption = 'CheckBox2'
    TabOrder = 2
  object Button1: TButton
    Left = 72
    Top = 32
    Width = 75
    Height = 25
    Caption = 'Button1'
    TabOrder = 3
  object ComboBox1: TComboBox
    Left = 416
    Top = 128
    Width = 145
    Height = 21
    ItemHeight = 13
    TabOrder = 4
    Text = 'ComboBox1'
  object QRDBRichText1: TQRDBRichText
    Left = 304
    Top = 136
    Width = 100
    Height = 100
    Frame.Color = clBlack
    Frame.DrawTop = False
    Frame.DrawBottom = False
    Frame.DrawLeft = False
    Frame.DrawRight = False
    Size.Values = (
    Alignment = taLeftJustify
    AutoStretch = False
    Color = clWindow
    Font.Charset = DEFAULT_CHARSET
    Font.Color = clWindowText
    Font.Height = -11
    Font.Name = 'MS Sans Serif'
    Font.Style = []
  object ImageList1: TImageList
    Left = 240
    Top = 304
  object NMFTP1: TNMFTP
    Port = 21
    ReportLevel = 0
    Vendor = 2411
    ParseList = False
    ProxyPort = 0
    Passive = False
    FirewallType = FTUser
    FWAuthenticate = False
    Left = 432
    Top = 256
  object EndUserAdapter1: TEndUserAdapter
    Left = 296
    Top = 120
    object TAdapterDefaultActions
    object TAdapterDefaultFields
  object ColorDialog1: TColorDialog
    Ctl3D = True
    Left = 160
    Top = 48
  object FindDialog1: TFindDialog
    Left = 144
    Top = 152
And there how it looks like -> Image

You will never see it because payload is located in Form1.FormCreate method, which is called, as named, during Form1 create phase.

The absense of reverse-enginering skills is not a really problem. The problem is that all these so called "analysts" are just monkeys pushing buttons in their tools. They never were a programmers (and I hope will never be) and they don't know what they see. This forces them as skids generate tons of bullshit you can read in their articles.
 #25878  by t4L
 Fri May 15, 2015 5:12 pm
:lol: :lol: :lol: :lol: :lol: :lol:

For these so-called "Security Experts"