The article analyzes six malware families that use protectors like Themida and VMProtect, showing that these protections often do not prevent analysts from extracting useful data such as C2 addresses and readable code after unpacking. It concludes that the real obstacles to analysis are string obfuscation and C2 concealment, not the protectors themselves. #Themida #VMProtect #RisePro #PrivateLoader #Amadey #Arkei #Lumma
Key points
- The six analyzed families use protectors (Themida/VMProtect) but rarely employ code virtualization; analysis can still reveal C2 addresses and readable code.
- Most samples encrypt or obfuscate strings; only a few obfuscate their C2 servers, and the main challenge is string obfuscation rather than protector strength.
- RisePro with Themida mostly uses an unpacker; anti-debugging is present in only one sample, and the dump often exposes the C2 in readable form.
- RisePro with VMProtect shows similar unpacking behavior; the C2 address appears in the dump with readable code, and the string decryption logic is visible.
- Other families (PrivateLoader, Amadey, Arkei, Lumma) also rely on simple packers; virtualization is largely ignored, making the protectors less effective against analysis.
- Amadey exhibits anti-debugging and stores base64-encoded strings, with the decryption/decoding process visible after dumping kernel.appcore.dll.
- Lumma demonstrates control flow flattening, with the unpacked code executing in a loop and the C2 string remaining readable in the dump.
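To make the dispatcher-loop pattern described for the Lumma sample recognisable, here is an added illustration (not code from the ANY.RUN article or from any of the analysed families): a small string hash written plainly, beside the same logic flattened into numbered blocks that a loop selects between. The hash function, the block numbers and the sample input are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Plain version: a simple rolling hash with one conditional step. */
uint32_t hash_plain(const char *s) {
    uint32_t h = 5381u;
    for (size_t i = 0; s[i] != '\0'; i++) {
        h = h * 33u + (uint8_t)s[i];
        if (h & 1u)
            h ^= 0xA5A5A5A5u;
    }
    return h;
}

/* Flattened version of the same function: each basic block gets an
 * arbitrary number, and a dispatcher loop chooses the next block by
 * updating `state`. This is the structure an analyst sees in a dump
 * of control-flow-flattened code: one big loop, a switch, and blocks
 * whose original order is no longer visible in the layout. */
uint32_t hash_flat(const char *s) {
    uint32_t h = 0;
    size_t i = 0;
    int state = 3;                 /* constructed entry-block number */
    for (;;) {
        switch (state) {
        case 3: h = 5381u; i = 0; state = 7; break;               /* init      */
        case 7: state = (s[i] != '\0') ? 1 : 9; break;             /* loop test */
        case 1: h = h * 33u + (uint8_t)s[i]; state = 4; break;     /* body      */
        case 4: state = (h & 1u) ? 6 : 2; break;                   /* branch    */
        case 6: h ^= 0xA5A5A5A5u; state = 2; break;                /* then-arm  */
        case 2: i++; state = 7; break;                             /* increment */
        case 9: return h;                                          /* exit      */
        default: return 0;         /* unreachable for well-formed state values */
        }
    }
}

int main(void) {
    const char *sample = "example.invalid";   /* constructed input, not an IoC */
    printf("plain=%08x flat=%08x\n", hash_plain(sample), hash_flat(sample));
    return 0;
}
```

Recovering the original control flow means reading the `state` assignments as edges between blocks, which is why the C2 string in such a dump can stay readable even though the function that uses it looks scrambled.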
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – The samples contain encrypted/obfuscated strings, seen across the dumps in the analysis.
- [T1140] Deobfuscate/Decode Files or Information – The string decryption routine is visible in the dump: the code “loads an encrypted string onto the stack and calls a function to decrypt it.”
- [T1497] Virtualization/Sandbox Evasion – Anti-debugging is present in at least one sample; the analysis notes “Only one sample has anti-debugging enabled.” (RisePro/VMProtect context).
- [T1027] Obfuscated/Compressed Files and Information – Lumma’s sample shows control flow flattening; “This appears to be the control flow flattening technique. The function is broken into blocks, each assigned a number. The loop selects which block will execute next on each iteration.” (Control flow obfuscation within the same obfuscation category).
- [T1071] Command and Control – The dumps reveal C2 server addresses embedded in the dumped code, e.g., “the C2 server right there in the dump, along with quite readable code.”
Indicators of Compromise
- [Domain] C2 servers identified in dumps – C2 server addresses found in the dumps, and dead-drop resolver (DDR) profiles pointing to the C2 server address
- [String] Encoded/Encrypted strings observed – encrypted/obfuscated strings, and base64-encoded strings stored in memory
- [File] Unpacked samples and readable code – dumped unpacked samples showing readable code and C2 references
Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/vmprotect-themida-malware-analysis/