Sunday, February 22, 2015

Quick analysis MSIL/Golroted (Stealer)

Golroted purpose is to steal various information from the victim machine (you can read the full description about it in the Microsoft Malware Protection Center).

This particular sample is obfuscated using Smart Assembly and packed inside a .NET based RunPE, after unpacking we can read the code of the malware.

This malware upload the information it steal from the victim through Email and\or FTP. The username and the password of the Email address and the FTP accounts stored in the file itself in an encrypted form.
Encrypted data

Decryption key
The encryption of the username and the password is based on Base64 + the Rfc2898DeriveBytes class.

Decryption routine

This particular sample is using FTP ( in order to upload the stolen data to the attacker server.
It seems though that not many people got infected:

FTP server logs

The analyzed sample MD5 hash is: 98b8d26c35f13d7265aa1a4689f97e09 (VirusTotal 23/57), interestingly my unpacked version has less detection score on VirusTotal with 17/57 (but we get the name of the malware).
You can download the original packed and the unpacked version from here (password: infected).

No comments:

Post a Comment