{
	"id": "e1c39cf8-9f07-4cde-822e-d24238f2c4cc",
	"created_at": "2026-04-06T00:13:58.281705Z",
	"updated_at": "2026-04-10T13:12:46.069432Z",
	"deleted_at": null,
	"sha1_hash": "5e856e8a83aa34494a157fbf576f26d78cf42c40",
	"title": "Applied Emulation - Analysis of MarsStealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2087332,
	"plain_text": "Applied Emulation - Analysis of MarsStealer\r\nBy Alessandro Strino\r\nPublished: 2023-11-15 · Archived: 2026-04-05 16:32:31 UTC\r\nIntroduction\r\nEmulation is a technique that can be very handy and effective when we have to deal with malware triage, configuration extraction and deobfuscating parts of the code without rewriting complex algorithms. Even if it seems like magic (and unfortunately it is not), it is still not possible to apply emulation to arbitrary code. However, if applied correctly, this method can really speed up our malware analysis and triage. Through this blog post I would like to give an overview of emulation usage and apply it to a real case scenario.\r\nRecently, I followed a Twitter warning about Vidar malware in the wild and, eager to revalidate an IDAPython script to deobfuscate strings, I immediately jumped into it. However, after extracting that sample it was pretty obvious that I was dealing with another stealer, called MarsStealer. Since I did have a lot of information about that sample, I thought that it could be a good choice to experiment with emulation. The result was quite promising and because of that I want to take this occasion to show a few basic emulations that could, hopefully, help someone else speed up their analysis.\r\nOpening up the original sample in IDA, it was clear that a lot of strings were obfuscated and the code was partially packed, because of the references to jumps or calls through registers and uninitialized DWORDs.\r\nFigure 1: MarsStealer packed code\r\nIn order to extract the actual payload, which will contain a string deobfuscation routine and additional code, it’s necessary to go for dynamic analysis and speed up our extraction. As always, one of the quickest methods to extract unpacked information is to look for VirtualAlloc and VirtualProtect.\r\nhttps://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/\r\nPage 1 of 6\r\nFigure 2: Unpacked payload retrieved\r\nDeobfuscation routine analysis\r\nSince our purpose is to find code to emulate, we could look for a deobfuscation routine within the extracted payload. Our search won’t last long because, almost immediately after the VirtualProtect call, the malware jumps directly to the allocated memory, starting the name resolving routine.\r\nFigure 3: Deobfuscation wrapper\r\nThe highlighted function is a wrapper that contains the actual routine. The code is quite easy to spot because of the three push instructions. Opening the payload in IDA, it’s possible to go a little bit deeper and explore the deobfuscation routine, reconstructing its signature and, from that point, understanding the function flow.\r\nFigure 4: Deobfuscation routine\r\nRegardless of the memory errors highlighted in the red box, it’s very easy to understand its core functionality and control flow. However, even if it seems quite easy to reconstruct its logic, I’m going to take this code as a use case to try a completely different approach, using emulation to resolve all the strings.\r\nEmulation requirements\r\nBefore proceeding with emulation, there are a few things to settle. The first one is that, to emulate this code, we need to emulate user mode, because we are dealing with instructions that are going to make additional calls to the Windows API. For that reason, we are going to use dumpulator, implementing some API calls if needed. The second thing to talk about is the requirements of dumpulator. To make it effective, it’s necessary to take a minidump of the process that we are analyzing and understand the parameters for starting and stopping emulation.\r\nIn order to take a minidump, it’s possible to use x32dbg/x64dbg, which include it as a command (e.g., minidump mstealer.dump); then, to find the starting point, it’s possible to take the references to the deobfuscation calls and save those addresses for later.\r\nFigure 5: References to deobfuscation function\r\nNow that we have two out of three requirements, it’s necessary to focus on the emulation ending point. Of course, this one is the most important requirement and could impact your result in terms of efficiency (emulation is tremendously slow) and code writing (it could be required to write more code that fits your needs).\r\nFor the purpose of this analysis/tutorial about emulation, I’m going straight to the point using hints collected from IDA and doing some dynamic code analysis.\r\nObserving Figure 4 carefully, it’s easy to spot that the plaintext string is set after the for loop and before the VirtualProtect call. Looking at the assembly with the information acquired, it’s easy to understand that emulation should stop at the instruction push ecx. In fact, the ecx register is going to be a pointer to the plaintext string.\r\nFigure 6: Focus on plaintext resolution\r\nWith all this information, the emulation end variable could be easily retrieved within the debugger at the address 0x031f4De5.\r\nFigure 7: Emulation stop address\r\nString Resolving Automation\r\nSince we have collected all the requirements for the emulation, we are ready to set up our code as follows:\r\nLaunching this script we are able to extract a lot of information on Mars Stealer, starting our triage without even reversing the whole malware. In fact, from the resolved strings we have something related to common stealer targets such as: credit cards, browsers, crypto wallets, etc.\r\nFigure 8: Retrieved strings\r\nAdditionally, we also have a chance to get a few insights about anti-analysis or reversing-aware functions such as IsDebuggerPresent or CreateToolhelp32Snapshot. We also have some indications about anti-sandbox techniques with HAL9TH, which should be the Microsoft sandbox computer name. All deobfuscated strings can be found within the References section.\r\nConclusion and next chapter\r\nEmulation represents the state of the art for analyzing malware functions or triaging samples without losing yourself in complex and heavily obfuscated routines. It was pretty fun to analyze Mars Stealer through this technique. I’m thinking of creating additional and probably more structured content (maybe a whitepaper) about malware emulation.\r\nThe script above could be used as a reference for further analysis; it’s quite simple (and not perfect) but very effective, and I used it as a “soft” introduction to this topic and also to give an idea of emulation capabilities.\r\nHope you enjoyed reading this post as much as I did reversing this malware and writing this article!\r\nReferences\r\nSample analyzed: MalwareBazaar Sample\r\nMinidump: mars_stealer_minidump.7z\r\nString resolver: MarsStealer_stringResolver.py\r\nExtracted strings: strings.txt\r\nDumpulator: Reference\r\nSource: https://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/"
	],
	"report_names": [
		"applied-emulation-analysis-of-marsstealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434438,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e856e8a83aa34494a157fbf576f26d78cf42c40.pdf",
		"text": "https://archive.orkl.eu/5e856e8a83aa34494a157fbf576f26d78cf42c40.txt",
		"img": "https://archive.orkl.eu/5e856e8a83aa34494a157fbf576f26d78cf42c40.jpg"
	}
}