Taking a look at Baldr stealer
File type: PE, Visual C++
Baldr is a relatively new stealer that became available on some forums early 2019. It was previously analyzed by MalwareBytes (https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/ ). However since MB’s analysis did not include deobfuscation I will be including a deobfuscated version of the malware as well as an analysis of that, which will make things a lot clearer.
The packer relies on a shellcode which’s decryption begins at around 0x42F8D1 with the VirtualProtect call. Interestingly, a giant array (which is most likely the encrypted shellcode) is assembled on stack, which IDA refuses to decompile as the function is too big, and Ghidra freezes when decompilation is attempted.
It is regardless relatively simple to unpack, and is of the variant that uses a new section to store it’s data (from this point on I shall refer to all such variants as section crypter for the sake of simplicity). By setting a memory breakpoint on the last section and running the sample, we easily are able to find the decryption function and obtain the decrypted payload (which can alternatively be reached directly by setting a hardware breakpoint at 0042CC2E since the decryption function is inside a shellcode that is decrypted at runtime).
After that, we are rewarded with the Baldr payload that customers are given by the developer: a PE file which loads the CLR runtime and then execute the final .NET payload. Instead of wasting time reverse engineering this, it was much more simple to use MegaDumper to obtain the payload. The MD5 of the CLR loader is 183E0610403FB07B88B809A26354CB2E, and the final payload is CAB810FFA40EC642FBCED82E07B9D593 (both available on VirusBay and VirusTotal).
The .NET payload is obfuscated with a modded variant of ConfuserEx with extra mutations. A deobfuscated file is included at the end of the article, which was cleaned by Wadu. The configuration for the file is as follow:
public static string gate_address = “http://184.108.40.206/gate.php”;
public static string baldr_version = “v3.0”;
public static string baldr_name = “Baldr”;
public static 64b30ed2 features = new 64b30ed2
telegram_steal = true,
autofill_steal = true,
cards_steal = true,
cookies_steal = true,
execution_time = 0,
ftp_steal = true,
grabber_steal = true,
history_steal = true,
jabber_steal = true,
passwords_steal = true,
screenshot_grabber = true,
self_delete = true,
vpn_steal = true
The functions operate as follow:
The telegram stealer operates by finding processes with the name “Telegram” and obtain the directory it is running from. It attempts to find the D877F783D5D3EF8C directory (the directory where Telegram stores it’s data) and steals the files D877F783D5D3EF8C\map0, D877F783D5D3EF8C\map1, D877F783D5D3EF8C0 and D877F783D5D3EF8C1.
Baldr obtains autofill information by reading moz_formhistory from Firefox’s formhistory.sqlite. In addition to this, it also recovers history by reading moz_places from places.sqlite and cookies from the table moz_cookies in cookies.sqlite. Passwords are recovered from logins.json. I’ll avoid going into the details of other browsers because anyone can google for 5 minutes and find out how browsers store data.
The screenshot grabber (as most .NET screenshot grabbers do) creates a bitmap the size of the screen and then use Graphics.CopyFromScreen, which uses BitBlt underneath. As such, this function can be monitored to detect screengrabbing attempts (although it is likely that BitBlt is used by legitimate applications as well).
Then, the file is uploaded as screen.jpeg. Strangely enough, the string “screen.jpeg” is base64 encoded, seemingly for no reason.
The FTP Stealer retrieves recentservers.xml and sitemanager.xml for FileZilla and wcx_ftp.ini for GHISLER/Total Commander.
The jabber steals the files “\\.purple\\accounts.xml” (Pidgin) and “\\Psi+\\profiles\\default\\accounts.xml” (Psi+) from the Application Data directory.
The VPN stealer is capable of stealing from ProtonVPN and NordVPN.
The file sleeps for 1000 times the entry of this in milliseconds. Strangely enough, the author called this “ExectuionTime” [sic].
That’s about all that Baldr stealer has to offer, however if you notice something that I left out do leave a comment and I will add it to the article. The deobfuscated file’s hash is 22F1E14D938A1DBC8B501050D5CFAA55FF7B4FD9 and it can be found on VirusBay.