[ Technical Tear Down : Silver (.Net Keylogger) ]

This is a sample which i’ve found some time ago from VirusTotal but i totally forgotten to publish it until today. This is a very easy to analyse .NET Keylogger.

One of the first thing i usually do would be try to detect what compiler or packer/crypter did the exe used so that i could use the appropriate tools to analyse it. Usually I used ProtectioniD to determine it and this is the results.

From the returned results, we can see that the binary is developed in .NET. Now I’ll be doing the technical tear-down of this .NET binary.
I’ve attached the link to the file here for anyone interested to try analysing it themselves.
The password to the attachment is “infected29A

[ Sample used in the analysis ]
MD5: c326d834da742a9d00b54cf493857f8f
SHA1: 7d6ae63d942a57df62437e3a50a310edccb9c6fc

[ How it starts ]
Since it’s a .NET binary, let’s fire up ILSpy to decompile it try to understand how does it work.
Looking at ILSpy, we can deduce a few things:

  1. The application is developed in VB as it is referencing Microsoft.VisualBasic
  2. The application didn’t use any Packer or Crypter. This means it should not be too difficult to reverse it. 😛

Like any other .NET application(s), the entrypoint is always the “Main” method.
Looking at the “Main” Method, we can see that it’s firing up “Form1”

[ Dissecting Form_Load ]
Now let’s look at “Form1_Load” method and see what actually takes place when this “Form Load“.

At first glance, it appears that the “obfuscated looking strings” looks like it’s base64 encoded. But it’s not as it’s using the “ahbGUhSfA” method to decode the string. A quick and dirty way is simply re-using the decompiled VB source code for “ahbGUhSfA” method and grab out the “de-obfuscated” strings.

After de-ofuscation, we know that the values for the following variables are as follows:
EUehzMbhDfp = 666124593
TccIbaADsu = killyourministers@gmail.com
xUsGccFea = < _redacted_ >
iRPfddGlUHcas = h
TuqbA = http://

Next let’s look at this.

We can see that it first checks whether silver.exe exists in the victim(s)’ AppData folder. In our case as i’m using Win 7, the folder path will be “C:\Users\-.-\AppData\Roaming
Then it do a check on whether the startup path is same as the folder path which i’ve mentioned earlier.
If it is, it will start the timer. I will come back to this later on.

Ok, so what if “silver.exe” doesn’t exist in the first place?
So let’s look at the portion after “else” statement.

As we can see that it’s calling “nuaMfm” method and converting the returned data into string.
A quick look at “nuaMfm” method and it’s actually generating a random number between 3 and 50000
Then it will copy “itself” to “C:\Users\-.-\AppData\Roaming“, execute the new copy and set the file attributes to “hidden
Next it will create a new registry key,”Windows applicaton”, in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the value of “C:\Users\-.-\AppData\Roaming\silver.exe
Finally it will call “wZLdOsNpk” method.

[ Dissecting “wZLdOsNpk” method ]
A quick glimpse at “wZLdOsNpk” method and we can know that it’s trying to send out emails. But to whom, you may ask and what data is it sending? Could it to the email address which we have de-obfuscated earlier?

Let’s look at the part of the snippet here and it is indeed sending an email from the email address which we have found earlier to itself.
The email’s subject title is “Vulcan

Now's let's look deeper into this snippet. We can also see now that this malicious application will take a screenshot of the victim(s)' computer and attached it to the email as attachment.

Finally in "wZLdOsNpk” method, we can see that it will call several methods to grab the victim(s)’ information and add it into the email’s contents.
I’ll briefly describe what does the different methods do.
GetMyIP method – basically grabs the IP address of the data by visiting “h–p://automation.whatismyip.com/n09230945.asp
biIS method – try to determine which version of Windows is the victim(s) running
Environment.UserName.ToString – Grab the “username” of the trojanised system.
Environment.MachineName.ToString – Grab the “computer name” of the trojanised system.
Environment.MachineName.ToString – Grab the fully qualified path of the system directory.
Environment.UserDomainName.ToString – Grab the network domain name associated with the current user.
Then using the “credentials” which we have “deobfuscated earlier, it will send it back to itself.

[ Dissecting Timer events ]
If you remember earlier while we were reversing this application, it will start 2 “Timer” if this malware exists and is running. So what does the 2 “Timer” do?
If you read the MSDN, you will realise that once a Timer had started, a “Tick” event had been triggered. In this case, it had fired up the 2 methods, “Timer1_Tick” & “Timer2_Tick”.
If we look at “Timer1_Tick”, it will look almost the same “wZLdOsNpk” method. The author probably could reuse the codes but he/she didn’t.
Next we look at “Timer2_Tick”, it’s very long…but after i spotted the API, “GetAsyncKeyState“. We can safely deduce that “Timer2_Tick” activated the “Keylogger” feature.

[ Conclusion ]
While this is definitely not one of the best .NET Malware that i’ve analysed, but it’s probably one of the many similar type of “keylogger” out there.
If we did a quick search on “Vulcan keylogger”, we can see that there are many website(s) teaching how to use it as shown in this link here.

I hope that this is fairly simple to understand technical tear down that people can repeat the steps on their own and learn how to analyse .NET malware on their own.

Happy Reversing,
Jacob Soo

Leave a Reply