To start the analysis, I put updater.exe in %LOCALAPPDATA%, unchecked "DLL can move" in DllCharacteristics, and loaded the malware inside x32dbg.
Checking the strings of the malware, the C2 server's HTTP address can be seen:
As can be seen from the strings, the malware uses the third string as its User-Agent.
Now the important part for us is CreateProcessW, which creates another process of itself from the same directory. My guess is that it is used for avoiding detection; later, the current process will write into the memory of the child process:

In our case, 0x43C is the handle to the child process, 0x3FC0E60 is the address of the data that will be written into 0x400000, and the size is 0x400. This WriteProcessMemory call happens many times in a row, in this case 7 times:

I don't want to list all of the WriteProcessMemory calls, as we can later just check 0x400000 in the child process if needed. The address passed to the last WriteProcessMemory call is 0xE4F008 (it changes every time).
As we move along, ResumeThread is called in the parent process, which starts the logger (the child process). I attach a debugger to the child process and let the parent process continue.
After checking the strings of the child process, it can be seen that it needs 149 functions from these DLLs: kernel32, ntdll, advapi32, user32, gdi32, shell32, ole32, ws2_32, shlwapi, wininet, bcrypt, dbghelp, msvcrt.
Now the important part starts for us at 0x417210. Analyzing this process step by step is a little difficult because of the many unnecessary and necessary jumps; there are simply a lot of them, so single-stepping doesn't help much. Just putting breakpoints on the functions the process will call is easier.
Later in the process, a new directory is created under C:\ProgramData\ with a random name (in my case y5ppz).
InternetCrackUrlA is called to crack https://t.me/l793oy into its components. InternetConnectA is used to connect to t.me using the handle returned by InternetOpenA. HttpOpenRequestA then sends the request using the handle to t.me:

After t.me, the process does the same things for https://e.mx.goldenloafuae.com, which I suspect is the C2. Some sandboxes and analyzers did not report this URL, and at the moment this server is down.
While https://e.mx.goldenloafuae.com was still up, it was obvious that the malware was sending and receiving encrypted data. The paths queried by the malware were:
"C:\Users\eyes\AppData\Local\Google\Chrome\User Data\."
"C:\Users\eyes\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\."
Later, the files that were found are copied into the folder created by the malware, using CopyFileA:
1: "C:\Users\eyes\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000004.log"
2: "C:\ProgramData\y5ppz\jmgvk6ppph4e"
After sending the files to the attackers, the malware deletes them.
I will also attach one example file that was copied (which is hard to make sense of).
Also, don't forget that in my case only Chrome was installed, so it only stole Chrome's logs. The malware looks for the following browsers and user-data paths:
- Microsoft Edge, Path: \Microsoft\Edge Beta\User Data
- Google Chrome, Path: \Google\Chrome SxS\User Data
- Microsoft Edge SxS, Path: \Microsoft\Edge SxS\User Data
- Epic Privacy Browser, Path: \Epic Privacy Browser\User Data
- CocCoc Browser, Path: \CocCoc\Browser\User Data
The reason it checks the extension directories is that it looks for these extensions:
- TON Wallet
- MyTonWallet
- Alephium Wallet
- Solflare
- Trust Wallet
- Hashpack
- Leap Terra
- Authenticator
- Bitwarden
- Oxygen (Atomic)
- Ecto Wallet
- Morphis Wallet
- GeroWallet
- UniSat Wallet
- Pontem Wallet
- Xverse Wallet
- Venom Wallet
- PaliWallet
- Fluvi Wallet
- Backpack Wallet
- OKX Web3 Wallet
- HAVAH Wallet
- OpenMask Wallet
- Rainbow Wallet
- SafePal Wallet
- KardiaChain
- RoninWalletEdge
- NamiWallet
- KeePass Tusk
- Frontier Wallet
- Bitget Wallet
- CyanoWallet
- Ronin Wallet
- MetaMask
- Talisman Wallet
As it was clear how the malware was functioning, I stopped analyzing. There were other notable functionalities, such as mapping the hostnames of AV vendors to 127.0.0.1 so the user will not be able to use any AV (download or online check).
My suspicion is that "https://t.me/l793oy" and "https://steamcommunity.com/profiles/76561199829660832" are used for the C2 server.
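The AV hostname sinkholing mentioned above leaves a trace that is easy to audit on a suspected host. The following is an added example, not code from the writeup or from the sample: it parses hosts-file text and flags every name that is mapped to a loopback or unspecified address but is not one of the normal loopback aliases. The sample hosts content and the `.invalid` hostnames in it are constructed placeholders, and `HOSTS_PATH` is the standard Windows location.

```python
import ipaddress
from typing import List, Tuple

# Standard location of the hosts file on Windows.
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample (not taken from the malware) showing the pattern described
# in the writeup: security-vendor hostnames forced to resolve to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  example-av-vendor.invalid          # placeholder, not a real AV host
127.0.0.1  updates.example-av-vendor.invalid  # placeholder
0.0.0.0    cloud-scan.example-security.invalid
192.168.1.10 fileserver.corp.example
"""

# Names that legitimately point at loopback and must not be reported.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}

def is_sinkhole_address(addr: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_sinkholed_hosts(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for each non-local name sunk to loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not is_sinkhole_address(addr):
            continue
        for name in names:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                findings.append((line_no, addr, name))
    return findings

def scan_hosts_file(path: str = HOSTS_PATH) -> List[Tuple[int, str, str]]:
    """Read a hosts file from disk and run the same check over it."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return find_sinkholed_hosts(fh.read())

if __name__ == "__main__":
    for line_no, addr, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {addr}")
```

Run `scan_hosts_file()` on the live machine to check the real file; any vendor or update hostname it reports is a sign of the tampering described.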