How Difficult is Analyzing Malware Shielded by Themida and VMProtect – SOC/DFIR Guide

Researchers analyzed six malware families that are using the protectors Themida and VMProtect. None of the samples used code virtualization, significantly simplifying the analysis, as only one sample had anti-debugging enabled. 

The malware code itself was largely unprotected, except for the initial stages of compression and decryption. While almost all samples had encrypted/obfuscated strings, only two obfuscated their C2 servers.


Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

RisePro is stealer malware that uses protectors like Themida and VMProtect. Analyzing RisePro samples packed with Themida and VMProtect showed that these protectors were used for simple packing and offered weak protection. 

samples found with Themida and VMProtect. 

The researchers were able to unpack the samples using breakpoints and debuggers. The unpacked code revealed readable code and functionalities like loading encrypted strings and C2 communication

Try all features of ANY.RUN Sandbox for free - Request a 14-day trial 

The analysis also concluded that the string protection functionality belonged to RisePro itself, not the protectors, and observed similar unpacking techniques for other malware families, such as PrivateLoader, Amadey, Arkei, and Lumma.

breakpoint on the loading of any system DLL

The PrivateLoader sample, in contrast to RisePro, uses a straightforward XOR algorithm to decrypt the C2 server address rather than storing it directly in the dump, which is possible by simulating the code or stepping through it with a debugger. 

Code to obtain the C2

Arkei samples are packed with VMProtect, a packer that hinders analysis, and unpacking the sample reveals readable code responsible for loading functions from external libraries. 

The unpacked data contains the C2 server address, crucial for attacker communication, which suggests that Arkei is a malicious program designed to communicate with a command and control server.

readable code that loads the required functions from libraries

Lumma, a malware sample packed with VMProtect, employs obfuscation techniques. The unpacked code exhibits control flow flattening, dividing the function into numbered blocks. 

A loop iterates, selecting which block to execute with each pass, making it difficult to analyze the code’s true functionality. Additionally, a C2 server address within the dump indicates the malware’s communication capabilities.

 C2 server in the dump

The Amadey malware sample, packed with Themida, hides strings in memory until kernel.appcore.dll loads, which also employs anti-debugging mechanisms. By using a debugger with functionality like TitanHide, we can bypass these checks and reach the kernel.appcore.dll loading stage. 

 base64-encoded strings in encrypted form

After that, standard memory dump techniques can be used. However, the extracted strings are encrypted and base64-encoded, but further decryption (using Amadey’s custom shuffling algorithm) and base64 decoding are required to reveal the original data. 

Analyzing malware samples packed with Themida and VMProtect revealed a trend: they often lack advanced features like virtualization, making them easier to reverse engineer, which rely on basic packers that provide minimal obfuscation. 

Who is ANY.RUN?

According to ANY.RUN, the primary challenges to malware analysis stem from the obfuscation techniques employed by the malware itself, such as string obfuscation and C2 concealment, rather than the packing tools themselves.

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYara Search, and Feeds,help you find IOCs or files to learn more about the threats and respond to incidents faster.  

Easily analyze malware in ANY.RUN sandbox - Register for Free.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.