WhiteSnake Stealer Analysis
I’m drunk and this is my analysis of WhiteSnake Stealer. My friend Global wouldn’t stop bothering me to analyse it with him, so here it is.
Shoutout to my cat Vince for giving me the emotional support while reversing this shit.
First off, we got a fuckin’ .NET binary!!!
How fun and enjoyable, no Ghidra required.
After initially opening the binary, everything is obfuscated and shit, so I used de4dot to deobfuscate it and decode the strings:
After “cleaning”, the file is now decoded and we can view the strings:
A lot of the function names, or whatever the fuck the shit on the left side of dnSpy is called, are encoded/obfuscated with random names, so anything that I mention will come from this list:
BTW, you will see a lot of dissing of ESET in this malware, lol.
The malware seems to create a schtask for something; I would assume it’s for persistence.
Also, the malware seems to make a bunch of random requests to random websites like google.kz, blog.cyble.com, and cyware.com.
I haven’t made a direct connection yet, but I believe the parameters used on the end of these requests are encoded variables or code used by the malware.
For example, here are some encoded strings that `Process.Start` calls:
Then here is one of the `webClient.DownloadString` functions:
See how the `1Mxm1dRnMr` is similar to the `Process.Start` strings? I can’t find a connection, but I assume this is some sort of evasion method which is new to me; I haven’t seen it before.
The malware also downloads Tor for some reason? I messaged the WhiteSnake developer himself and asked if it uses Tor, and he confirmed it does! What a nice threat actor. I assume Tor is used for uploading the data:
`mA2Z` seems to be where most of the functionality calls for the stealer are located, for example:
Here is the malware’s compress function; it compresses data into a ZIP file, and again we see it using the `webClient.DownloadString` “obfuscation” that we saw earlier:
We also have a `WEBCAM` call function, I assume to record the webcam or screenshot it:
Then of course, we have a `KEYLOGGER` function.
We also have a `LIST_PROCESSES` function.
Overall, from what I’ve seen, `mA2Z` is where a lot of the malicious functionality lies.
The malware also uses SQL queries! What for? I have no fucking idea; this shit is Windows malware, and as much as WhiteSnake’s dev apparently has a Linux stub, I don’t see `Win32_ComputerSystem` working on Linux lol:
Moving on, the `quq` function is sending some data regarding the infected machine to the CNC server:
I assume this is the initial infection data, which the threat actor could possibly use to filter their infections by Country, OS, Report Size, etc., based on the strings seen above.
Below, we see the CNC choice for this malware, which is Telegram. As you can see, the malware is using Telegram’s API to communicate the stolen data, and we also get some information on the `chat_id`.
If we look into the `wRFiM.g_zc` function seen below:
We can see the Telegram channel ID and the HTTP API token:
For anyone who wants to fuck around (since the CNC we found this binary on is still up and running, and we believe this campaign is still ongoing), here are the API token & channel ID:
Channel ID: 5668321496
Token API: 5805920195:AAHrkiYfOXg55Cncdj5wUj0Ov4rUYjQg7iU
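Because the CNC is a Telegram bot, every exfil request carries the bot token and chat_id in plain sight in the URL, so a proxy log is enough to detect it. The following is an added example (not from the original post or the malware); it assumes a constructed "client verb url" log format and uses made-up token and chat values.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API requests have the shape
#   https://api.telegram.org/bot<bot_id>:<35-char secret>/<method>?chat_id=...
# so a proxy log is enough to spot them, pull the chat_id and mask the token.
BOT_CALL_RE = re.compile(r"/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)")
FILE_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed sample values (not the real token or chat from the sample).
FAKE_TOKEN = "1234567890:" + "AAExampleToken" + "X" * 21
FAKE_CHAT = "1111111111"

# Constructed proxy log, "client verb url", mirroring the traffic described above.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET https://www.google.kz/?q=1Mxm1dRnMr",
    f"10.0.0.5 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument?chat_id={FAKE_CHAT}",
    "10.0.0.7 GET https://blog.cyble.com/",
    f"10.0.0.5 GET https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage?chat_id={FAKE_CHAT}&text=ok",
])


def mask_token(bot_id, secret):
    """Keep the bot id (a usable IoC) but never write the full secret to a report."""
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def find_telegram_c2(log_text):
    """Return one finding per Telegram Bot API request found in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _verb, url = line.split(maxsplit=2)
        match = BOT_CALL_RE.search(url)
        if not match:
            continue
        bot_id, secret, method = match.groups()
        query = parse_qs(urlsplit(url).query)
        findings.append({
            "client": client,
            "method": method,
            "chat_id": query.get("chat_id", [None])[0],
            "token": mask_token(bot_id, secret),
            "file_upload": method in FILE_METHODS,   # sendDocument = stolen archive leaving
        })
    return findings


if __name__ == "__main__":
    for finding in find_telegram_c2(SAMPLE_LOG):
        print(finding)
```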
Moving onto the `ra` function, we also have some XML-related functions which relate to the XML-written stealer variables/targets, which I will talk about later:
Continuing on, I eventually found a function called `rkbzL`, which I’m pretty sure was being used as the keylogger function to capture keys inputted into the victim’s computer:
As you can see from above, the function is noting any notable keys like `ESC`, `Space` and `LWin`, and I would assume sending them to the Telegram CNC.
Furthermore, the `wCbjr` function is more than likely noting down and stealing the storage drives that are connected to the computer:
It also seems to be creating some sort of persistence module within `%SystemDrive%\\Users\\{0}\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`.
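Both persistence tricks mentioned so far (the schtask and the drop into the per-user Startup folder) are easy to hunt for in process-create and file-create telemetry. This is an added example, not the malware’s or the author’s code; the events are constructed Sysmon-style records, and the Startup path matched is the one the stealer uses.

```python
import re

# Persistence artefacts named above: a scheduled task and a drop into the
# per-user Startup folder. Both are cheap to spot in Sysmon-style telemetry.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.IGNORECASE)


def _arg_after(cmdline, flag):
    """Value following a schtasks flag; honours double-quoted arguments."""
    parts = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, part in enumerate(parts[:-1]):
        if part.lower() == flag:
            return parts[i + 1].strip('"')
    return None


def flag_persistence(events):
    """events: dicts with Sysmon-like fields (id 1 = process create, 11 = file create)."""
    hits = []
    for ev in events:
        if ev["id"] == 1 and SCHTASKS_CREATE_RE.search(ev.get("cmdline", "")):
            hits.append(("schtask_create",
                         _arg_after(ev["cmdline"], "/tn"),
                         _arg_after(ev["cmdline"], "/tr")))
        elif ev["id"] == 11 and STARTUP_RE.search(ev.get("target", "")):
            hits.append(("startup_folder_drop", ev["image"], ev["target"]))
    return hits


# Constructed events (not from the sample); only the Startup path is the stealer's own.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                r'/tr "C:\Users\bob\AppData\Local\build.exe" /f'},
    {"id": 11, "image": r"C:\Users\bob\AppData\Local\build.exe",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\build.lnk"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\bob\Documents\notes.docx"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /query /tn Updater"},
]

if __name__ == "__main__":
    for hit in flag_persistence(SAMPLE_EVENTS):
        print(hit)
```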
Finally, probably the only interesting thing about the malware: the configuration. While looking at the `wRFiM` function, we have a bunch of random IP addresses:
Browsing to these IPs results in either a transfer.sh link or a timeout:
Interestingly, these transfer.sh links had their upload links, so when browsing to them, a lot of them returned 404s, like below:
Some of them timed out:
And rarely, I would get some error messages, which could be being used by the malware as a way of error reporting, but I’m not 100% sure:
Apart from that, we also have the variable names of the Channel ID and Token API key which I mentioned earlier:
And we also have a big XML “encoded”/“written” string of all the data that the stealer should steal and send to the Telegram CNC:
This includes:
- Firefox Browser
- Vivaldi Browser
- CocCoc Browser
- CentBrowser
- Opera Browser
- OperaGX Browser
- CoreFTP
- Windscribe VPN
- Authy
- WinAuth
- OBS
- FileZilla
- AzireVPN
- Snowflake Client
- Steam
- Discord
- The Bat! Email Client
- Outlook
- Signal
- Pidgin
- Telegram
- Atomic Wallet
- Wasabi Wallet
- Binance
- Guarda Wallet
- Coinomi Wallet
- Bitcoin Core Wallet
- Electrum Wallet
- Exodus Wallet
- JaxxLiberty Wallet
- Metamask Wallet
- Ronin Wallet
- BinanceChain
- TronLink Wallet
- Phantom Wallet
- Files matching `*.txt;*.doc*;*.xls*;*.kbd*;*.pdf`
The stealer sends all of this data to the Telegram channel identified by the Channel ID and Token API listed above.
Overall, a fun 3-hour reversing session; thanks to Global for the laughs and enjoyment while reversing this shit.