LetsDefend — Serpent Stealer Challenge Walkthrough

Analyzing the Serpent Stealer Malware with DIE, dotPeek, and MITRE ATT&CK

Drew Arpino
9 min read · Jul 28, 2024
Image Credit: https://app.letsdefend.io/challenge/serpent-stealer

Introduction:

Have you ever wanted to reverse engineer an info stealer malware sample, see how it works, and determine its capabilities to impact a victim? If this topic sounds interesting to you, you’ve stumbled on the right blog!

Welcome to my weekly walkthrough where we are going to cover the Serpent Stealer Challenge from LetsDefend! This is a medium-difficulty malware reverse engineering challenge where we’ll be using JetBrains dotPeek to analyze the provided information stealer malware sample. By digging into this malware’s code, we’ll determine its capabilities, how it evades detection, and what data it targets — fun stuff!

Although malware reverse engineering isn’t my strongest skill, I recently tackled a similar challenge from LetsDefend, so as the old saying goes, practice makes perfect! We might stumble along the way through this one, but we’ll adapt and learn some new tricks together.

Now let’s grab our shovels and have some fun digging through this malware. Thanks for reading along!

Challenge Link: https://app.letsdefend.io/challenge/serpent-stealer

Challenge Scenario:

Located in the heart of the financial district, a leading multinational company was hit by a sophisticated data theft. Over several months, confidential customer data, proprietary software, and sensitive financial information were stolen. The company’s cybersecurity team recently discovered that a “stealer” malware was responsible for the breach. They are analyzing the stealer and trying to protect the company from future attacks.

Question 1: What is the md5 hash for the malware?

Let’s jump right in and connect to the provided virtual machine and extract the challenge file archive within the Challenge File folder.

In the meantime, it’s also a good idea to get familiar with the provided tools so that we have some idea of what’s available to tackle the challenge. Let’s review the Tools folder on the Desktop. Right away, we’ll see several available disassemblers, debuggers, and decompilers which will be helpful to dig into the provided malware sample.

But for our first task, we simply need to get the MD5 file hash of the sample so that we can start learning about this stealer malware. There are a couple of ways we can approach this, but for this walkthrough I am going to just use PowerShell — if you have another method you like, go for it! The important thing is that we get the MD5 hash:

Get-FileHash -Algorithm MD5 .\sample

Now that we have the file hash of this sample, we can answer Question 1! But for some additional intelligence, why don’t we also check this hash against VirusTotal to see if there are any hits?
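The hash lookup, as an added example (not code from the original walkthrough): it runs the same Get-FileHash call as above, records SHA-256 alongside the MD5 the question asks for (SHA-256 is what VirusTotal and most intel feeds use as the canonical identifier), and queries VirusTotal's documented v3 endpoint GET /files/{hash}. Only the hash leaves the machine; the sample is never uploaded, which matters whenever a file may be sensitive. It assumes the sample is at .\sample and that an API key is in the VT_API_KEY environment variable.

```powershell
# Added example, not from the walkthrough. Hash the sample and look the hash up
# on VirusTotal (hash-only lookup; the file is never uploaded).
# Assumptions: sample at .\sample, API key in $env:VT_API_KEY.
function Get-SampleReputation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ApiKey = $env:VT_API_KEY
    )

    # MD5 answers the challenge question; SHA-256 is the identifier most
    # threat-intel sources (and the VirusTotal link in the references) key on.
    $md5    = (Get-FileHash -Algorithm MD5    -Path $Path).Hash.ToLower()
    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower()

    $result = [ordered]@{ MD5 = $md5; SHA256 = $sha256; Detections = $null; Label = $null }

    if (-not $ApiKey) {
        Write-Warning 'No VirusTotal API key supplied; returning hashes only.'
        return [pscustomobject]$result
    }

    try {
        # GET /files/{hash} accepts MD5, SHA-1 or SHA-256 and returns HTTP 404
        # when VirusTotal has never seen the file.
        $r = Invoke-RestMethod -Method Get `
            -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
            -Headers @{ 'x-apikey' = $ApiKey }
        $attr  = $r.data.attributes
        $stats = $attr.last_analysis_stats
        $result.Detections = "$($stats.malicious) malicious, $($stats.undetected) undetected"
        $result.Label      = $attr.popular_threat_classification.suggested_threat_label
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 404) {
            $result.Label = 'not on VirusTotal'
        } else {
            throw   # auth failure, rate limit, network error: surface it
        }
    }
    return [pscustomobject]$result
}

Get-SampleReputation -Path '.\sample' | Format-List
```

If the lookup returns 404 the hash is simply unknown to VirusTotal; resist the urge to upload the sample from a client engagement to find out more, since uploads are visible to other VirusTotal users.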

All right, this is a well-known sample, and the existing detections and threat labels may help us later in the investigation. For now, let's keep going and see what else we can uncover.

Question 2: What is the name of the list the malware uses to evade detection by the VirusTotal check?

To answer Question 2, we first need to pick the right tool to analyze the malware, and that depends on what type of file the sample is. Let's gather some information with Detect It Easy (DIE), a utility that identifies a file's format along with the compiler, linker, and any packer or protector it can recognize.

To put this into practice, let’s point DIE to the path of the challenge’s malware sample:

Here we will see that the sample is a .NET portable executable (PE32). Knowing that it is a .NET binary tells us which tool to reach for: .NET assemblies ship as IL with their metadata intact, so a decompiler can recover something close to the original C# rather than a raw disassembly, and that is what we will use to answer Question 2.

As I hinted at in the introduction, we’re going to leverage JetBrains dotPeek which is already installed on the LetsDefend VM we’re using.

dotPeek is a free .NET decompiler and assembly browser. The main idea behind dotPeek is to make high-quality decompiling available to everyone in the .NET community, free of charge.

Now, let’s jump into dotPeek and start to analyze the malware. To do this, open the Challenge File folder, right-click the extracted sample, and select “Open With > JetBrains dotPeek.”

This will launch dotPeek and load the challenge file. It can take a few minutes for the Assembly Explorer to load the assembly; when it does, expand the node called Serpent.

We'll see that the namespaces and classes within Serpent are clearly organized and not obfuscated, which is going to speed up our analysis (an obfuscated or packed .NET sample would have needed a deobfuscation or unpacking pass first). Since we are looking for a defense evasion technique, let's expand the Evasion namespace and focus on the AntiVT class.

VirusTotal evasion list.

Here we see that the malware performs a system check (T1497.001) to detect whether it is being analyzed in a VirusTotal-fed sandbox: it compares the current user name on the system to a stored list of user names commonly seen in those analysis environments. If any string matches, the malware sleeps and then exits so the sandbox has nothing further to observe.

Circling back to the objective, the name of the list containing these strings is what we’ll need to answer Question 2.

Question 3: What is the name of the folder that was used by the malware to collect the password on it?

Now let's expand the Modules namespace and the conveniently labelled PasswordStealer class. To answer Question 3, we will focus on its Run method:

Looking closely at this method, we'll discover that the malware creates a centralized folder called "serpent" in the victim's temporary directory (the %TEMP% path) for staging the data it collects before exfiltration (T1074.001).

Question 4: What is the first command that the malware uses to bypass the User Account Control (UAC)?

Okay, now we are going to examine some of the mechanisms that the malware uses for privilege escalation. Let's return to the Evasion namespace and focus on the UAC class.

To understand what the malware is doing, we first need to understand what User Account Control (UAC) in Windows is. According to Microsoft Learn:

User Account Control (UAC) is a Windows security feature designed to protect the operating system from unauthorized changes. When changes to the system require administrator-level permission, UAC notifies the user, giving the opportunity to approve or deny the change.

In other words, UAC helps prevent unauthorized, administrator-level changes by prompting the user before an elevated operation proceeds: an administrator account is asked to consent, while a standard user has to supply administrator credentials.

Let's look at the first bypass string, psCMD1, in the UAC class. This command creates a new registry key that can be abused to bypass UAC (T1548.002); registry-based bypasses of this kind plant a per-user key that an auto-elevating Windows binary later reads, so the attacker's command runs with the elevated token and no consent prompt. The command itself is the answer to Question 4.

Once you copy the string out, it's a little tricky, as the formatting of the double quotation marks doesn't transfer over the VNC clipboard. Instead, on a US keyboard, I used the ALT codes for double quotation marks: Alt 0147 to open and Alt 0148 to close the path.

Question 5: How many file extensions does the malware target?

Next, let’s analyze what file extensions this stealer targets so that we can understand the impact to a victim’s system.

To locate this information, we'll navigate back to Modules > FileStealer class > SupportedExtensions field and focus on the lines of code below:

This takes us directly to the list of extensions the malware targets; counting its entries gives us the answer. Let's submit our findings and move forward with the investigation.

Question 6: What is the first process listed in the blacklisted processes used by the malware?

Back to the Evasion namespace! This time, we're going to check the AntiAV class and look at the blackListedProcesses field.

The malware is doing another system check for signs that it is running in an analysis environment, this time by looking for processes typical of malware analysis sandboxes, such as virtualization tools, debuggers, and traffic or process monitors. This is another example of the malware trying to stay stealthy and evade detection (T1497.001).

To answer Question 6, we just need to input the first process name in the stealer’s blackListedProcesses list.
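The AntiVT and AntiAV checks above decide whether a dynamic run of this sample does anything at all, so before detonating it the analyst should know whether the VM would trip either one. The following is an added example, not the walkthrough's or the sample's own code: it performs the same two comparisons (current user name against the AntiVT list, running process names against blackListedProcesses) from the analyst's side. The two arrays are constructed placeholders; paste in the strings copied out of dotPeek.

```powershell
# Added example, not the sample's own code: check whether this analysis VM
# would trigger the stealer's user-name or process-name evasion checks.
# Both arrays are constructed placeholders; replace them with the values
# copied out of the AntiVT list and blackListedProcesses in dotPeek.
$vtUserNames          = @('user', 'sandbox', 'malware')          # constructed placeholders
$blackListedProcesses = @('wireshark.exe', 'procmon', 'x64dbg')  # constructed placeholders

function Test-EvasionTriggers {
    param(
        [string[]] $UserNames,
        [string[]] $ProcessNames
    )
    $hits = @()

    # PowerShell's -contains compares strings case-insensitively, which errs on
    # the side of flagging a match; the sample's own comparison may be stricter.
    if ($UserNames -contains $env:USERNAME) {
        $hits += "user name '$env:USERNAME' is on the AntiVT list"
    }

    # Get-Process reports names without the .exe suffix, while blocklists often
    # include it, so strip the suffix from the list before comparing.
    $running = (Get-Process).ProcessName | Sort-Object -Unique
    foreach ($name in $ProcessNames) {
        $bare = $name -replace '\.exe$', ''
        if ($running -contains $bare) {
            $hits += "blacklisted process '$name' is running"
        }
    }

    [pscustomobject]@{
        WouldEvade = ($hits.Count -gt 0)
        Reasons    = $hits
    }
}

Test-EvasionTriggers -UserNames $vtUserNames -ProcessNames $blackListedProcesses
```

If WouldEvade comes back true, either rename the analysis account and close the flagged tools before detonation, or expect the sleep-and-exit path and treat a "benign" run as inconclusive.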

Question 7: What is the last wallet name that is targeted by the malware on the list?

To answer Question 7, we’re going to search for the crypto wallets that the stealer targets.

This will be largely the same process that we have followed for the last couple of questions. We'll navigate back to Modules and look at the Run method of the Wallets class.

Here, we'll see a list of the specific crypto wallets that are targeted by the malware. We can just input the last wallet name on the list for the answer, and then we'll move on to the final question of this challenge!

Question 8: After getting the current user, what is the subkey used by the malware to dump FTP credentials?

We've made it to the last question! To find the answer to Question 8, we'll check the Run method of FTPStealer, which sits in the Root Namespace rather than under Modules.

Take a look at the first couple of strings under the Run method:

We see that the malware is targeting the registry path HKCU\Software\Microsoft\FTP, where the Credentials subkey holds FTP credentials if any have been cached on the victim device (T1552.002).

Okay, there we have it! Now that we have determined the registry key that the FTPStealer class targets, let's submit our answer and wrap up this investigation.
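The analysis has now produced host-side indicators for Question 3 (the serpent staging folder), Question 4 (the UAC bypass registry key) and Question 8 (the FTP credential path). The following triage script is an added example, not part of the walkthrough or the sample, that checks a host for all three. It assumes the staging folder is <TEMP>\serpent and the FTP path is HKCU\Software\Microsoft\FTP, as read from the decompiled code, and, because the walkthrough does not reproduce psCMD1, it assumes the UAC bypass key is a per-user Shell\Open\command registration under HKCU\Software\Classes, the location the well-known auto-elevating-binary bypasses use. Run it as the user being checked, since every artifact lives in that user's profile or HKCU.

```powershell
# Added example, not the walkthrough's or the sample's code: triage a host for
# the artifacts surfaced by the dotPeek analysis. Assumptions are noted inline.
function Get-SerpentArtifacts {
    $findings = @()

    # Question 3: local data staging folder (T1074.001). Assumed path: <TEMP>\serpent.
    $staging = Join-Path $env:TEMP 'serpent'
    if (Test-Path -LiteralPath $staging) {
        $files = @(Get-ChildItem -LiteralPath $staging -Recurse -File -ErrorAction SilentlyContinue)
        $findings += [pscustomobject]@{
            Check = 'Staging folder'; Severity = 'High'
            Path  = $staging;         Detail   = "$($files.Count) file(s) staged"
        }
    }

    # Question 4: per-user ProgID handlers (T1548.002). Assumption: the bypass key
    # is a Shell\Open\command under HKCU\Software\Classes. That hive can also hold
    # legitimate per-user installs, so list every handler and rank ms-settings /
    # mscfile targets and any DelegateExecute value as High; the rest need a human.
    foreach ($key in (Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue)) {
        $cmdKey = "Registry::$($key.Name)\Shell\Open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $props    = Get-ItemProperty -LiteralPath $cmdKey
            $delegate = $null -ne $props.PSObject.Properties['DelegateExecute']
            $severity = if (($key.PSChildName -in @('ms-settings', 'mscfile')) -or $delegate) { 'High' } else { 'Review' }
            $findings += [pscustomobject]@{
                Check  = 'HKCU Shell\Open\command'; Severity = $severity
                Path   = $cmdKey
                Detail = "command='$($props.'(default)')' DelegateExecute=$delegate"
            }
        }
    }

    # Question 8: path FTPStealer reads for cached credentials (T1552.002). Its
    # presence is exposure rather than infection: it shows what the stealer
    # could have taken from this profile.
    $ftp = 'HKCU:\Software\Microsoft\FTP'
    if (Test-Path -LiteralPath $ftp) {
        $subkeys = @(Get-ChildItem -Path $ftp -Recurse -ErrorAction SilentlyContinue).PSChildName
        $findings += [pscustomobject]@{
            Check = 'FTP credential path present'; Severity = 'Exposure'
            Path  = $ftp;                          Detail   = "subkeys: $($subkeys -join ', ')"
        }
    }

    return $findings
}

Get-SerpentArtifacts | Format-Table -AutoSize
```

Treat the staging folder and a High-ranked handler key as evidence of execution, and treat the FTP finding as a prompt to rotate whatever credentials that path holds, since the stealer reads them directly from the registry.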

Conclusion:

Mission accomplished! We have finished our analysis of the Serpent Stealer malware, learned how it evades detection, elevates privileges, and what victim data it targets. With the listed objectives completed, it’s time to close out this walkthrough of the Serpent Stealer challenge!

A big thank you to LetsDefend for another fun challenge! I chose this challenge for two reasons: To keep upskilling in malware reverse engineering and to get more familiar with how information stealer malware works. I appreciated the opportunity to jump back into dotPeek and have more hands-on time with the tool. As information stealers become a bigger and more common threat, it’s equally important to me to peek into stealer functionality for insights on how to better defend against them. Like I said in the introduction, practice makes perfect; so thank you for practicing your reverse engineering skills with me. I hope you learned something and had some fun along the way!

If you found this walkthrough helpful in leveling up your skills or getting you through a tricky question, please give it a clap! Your feedback lets me know that I helped you out on your security journey. We’re in this together! Thanks for the support!

Until next week — stay curious.

Tools & References:

JetBrains dotPeek: https://www.jetbrains.com/decompiler/

VirusTotal: https://www.virustotal.com/gui/file/c4f981f1f532ec827032775c88a45f1b4153c3d27885f189654ad6ee85c709c1/details

Detect It Easy: https://github.com/horsicq/Detect-It-Easy

MITRE ATT&CK (T1497.001 — Virtualization/Sandbox Evasions: System Checks): https://attack.mitre.org/techniques/T1497/001/

MITRE ATT&CK (T1074.001 — Data Staged: Local Data Staging): https://attack.mitre.org/techniques/T1074/001/

Microsoft Learn (UAC): https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/

MITRE ATT&CK (T1548.002 — Abuse Elevation Control Mechanism: Bypass User Account Control): https://attack.mitre.org/techniques/T1548/002/

MITRE ATT&CK (T1552.002 — Unsecured Credentials: Credentials in Registry): https://attack.mitre.org/techniques/T1552/002/
