{
	"id": "50398a87-2696-48ec-8e74-18e880d71b75",
	"created_at": "2026-04-06T00:12:20.00301Z",
	"updated_at": "2026-04-10T03:20:40.023079Z",
	"deleted_at": null,
	"sha1_hash": "41f2679f8f25cdb543c7745de4f0f43a43a31d08",
	"title": "[QuickNote] Techniques for decrypting BazarLoader strings",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2599176,
	"plain_text": "[QuickNote] Techniques for decrypting BazarLoader strings\r\nPublished: 2022-02-24 · Archived: 2026-04-05 19:33:07 UTC\r\n1. Overview\r\nTo slow analysts down, malware authors usually hide important strings and only decrypt them at runtime. Well-known families such as Emotet, QakBot and TrickBot typically route every string through one or a few dedicated decryption functions, so once those functions are located they can be scripted or hooked.\r\nHowever, while researching and analyzing other families such as Conti, BlackMatter and BazarLoader, I found that instead of using a separate decryption function, they make things harder by storing the encrypted strings on the stack as stack strings at the point of use. The strings are then decrypted in place by XOR-ing with a key value (which may differ from string to string) or through a more complex computation. Because there is no single routine to target, this technique costs the analyst time.\r\nThe pseudocode images below show the Conti and BlackMatter string-decryption code.\r\nThis article uses the BazarLoader samples as an example to demonstrate how to decrypt strings with:\r\nAutomated resolving with an IDAPython script.\r\nEmulating the code with the IDA uEmu plugin.\r\nDebugging with the IDA Bochs plugin.\r\n2. BazarLoader samples\r\nBazarLoader was first discovered in April 2020. The loader has been continuously evolving, allowing attackers to install additional malware, often as a precursor to ransomware attacks, to drop Cobalt Strike, and to steal sensitive data. The common assumption is that the distribution and post-exploitation activities of the loader are akin to the TrickBot malware.\r\nhttps://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/\r\nPage 1 of 8\r\nThese samples are all 64-bit Windows executables.\r\nUnpacked sample 1: cc522400b3fed1d2c4dcca16666ddcff\r\nUnpacked sample 2: 63c4bb3f1044f36632ce1759b62296dc\r\n3. Decrypt strings\r\n3.1. Using an IDAPython script\r\nAnalyzing the first sample of BazarLoader, we can see that it uses the same stack-string decryption technique as the BlackMatter ransomware:\r\nTo decrypt these strings, you can debug with x64dbg, or extract the values above and use CyberChef to perform the XOR:\r\nHowever, debugging with x64dbg or using CyberChef this way takes more time for every string. To make static analysis easier, I use an IDAPython script to decrypt the strings. The code I use is as follows:\r\nLoad this script into IDA, providing the relevant addresses to perform the decryption:\r\nFinally, by using the above script, the analysis process becomes much more convenient:\r\n3.2. Using the uEmu plugin\r\nIn the second sample of BazarLoader, the code that decrypts the stack strings is similar to the Conti ransomware and quite complicated:\r\nWith code like that shown in the figure, writing an IDAPython script to resolve the strings would be difficult and impractical. The most suitable solution in this case is to emulate the code. Here I use uEmu, a tiny, cute emulator plugin for IDA based on the Unicorn engine.\r\nIt is very easy to emulate the decoding code with uEmu:\r\nFirst, set a breakpoint at the address right after the string has been decrypted.\r\nGo to the beginning of the function and select its starting address, then start uEmu. The CPU Context Edit window will appear; click OK to continue. uEmu will now initialize the emulator.\r\nCheck the CPU context to confirm that the RIP register (EIP on 32-bit) points to the beginning of the function:\r\nThen, through uEmu Control, you can trace the code with Step, or use Run to emulate instructions until the breakpoint is reached. During execution, uEmu will ask about unmapped memory; select No to continue.\r\nPress Step to trace over the lea instruction. Then, using uEmu's Show Memory Range feature, enter the address held in the rdx register and select Add. The result will be similar to the following:\r\n3.3. Debugging with the IDA Bochs plugin\r\nThe IDA Bochs debugger plugin allows malware researchers to debug malicious code in a safe, emulated environment. For more information please visit [1], [2].\r\nIn order to debug the code that decrypts the string, we configure the Bochs plugin to work in IDB mode. This mode is used to debug code snippets by simply selecting the code from the database.\r\nNext, select the position or code snippet to debug, then press F9 to start debugging:\r\nFrom here you can trace the code as usual, or simply set a breakpoint at the address after the string has been decrypted and press F9. The rdx register will then point to the decrypted string, as follows:\r\n4. References\r\nBlackMatter Ransomware v2.0\r\nHighway to Conti: Analysis of Bazarloader\r\nBazarLoader infection with Cobalt Strike\r\nEnd.\r\nm4n0w4r\r\nSource: https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://kienmanowar.wordpress.com/2022/02/24/quicknote-techniques-for-decrypting-bazarloader-strings/"
	],
	"report_names": [
		"quicknote-techniques-for-decrypting-bazarloader-strings"
	],
	"threat_actors": [],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41f2679f8f25cdb543c7745de4f0f43a43a31d08.pdf",
		"text": "https://archive.orkl.eu/41f2679f8f25cdb543c7745de4f0f43a43a31d08.txt",
		"img": "https://archive.orkl.eu/41f2679f8f25cdb543c7745de4f0f43a43a31d08.jpg"
	}
}