{
	"id": "cb5ef79c-238e-485a-8700-f2c5b7410e3c",
	"created_at": "2026-04-06T01:30:12.799268Z",
	"updated_at": "2026-04-10T03:21:04.102008Z",
	"deleted_at": null,
	"sha1_hash": "cb86a5b02ae8a4f95e839376c8dd464c3b624f96",
	"title": "Bandit Stealer Garbled",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42893,
	"plain_text": "Bandit Stealer Garbled\r\nPublished: 2023-07-31 · Archived: 2026-04-06 01:23:16 UTC\r\nAccording to CloudSek, the stealer panel has security flaws that allow some of the data to be accessed without authentication. This example shows the main panel for the stealer:\r\nhttp[:]//142.202.240[.]84:8080/csetayukhv.html\r\nBinary Analysis\r\nEarly builds of the stealer did not use obfuscation and contained plaintext strings. These versions were simple to reverse engineer once the method names were recovered using the Go IDA parser (works well!). Later versions of the stealer first made a light attempt at obfuscating the method names and ultimately moved to Garble, a Go obfuscator.\r\nGarble\r\nGarble can obfuscate Go method names, obfuscate strings, and modify control flow; each option can be enabled separately. We will be analyzing the following Bandit Stealer sample obfuscated with Garble:\r\n623a5f4c57cf5b3feb6775508cd6492f89d55ce11f62e0b6fb1020fd730b2e8f\r\nMethod Name Obfuscation\r\nThe method names are obfuscated using a hash which is then base64 encoded. Method metadata recovery is not possible with our favorite IDA script, but we can use GoReSym.\r\n
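As an added example that is not part of the original post and is not code from the Bandit, Garble or GoReSym authors, the script below works from GoReSym function records of the shape shown in the output that follows and from an IDA listing of the shape shown under String Obfuscation. It does two things: it tries the brute-force idea for method names, hashing identifiers recovered from an earlier unobfuscated build and looking for them among the obfuscated names, and it flags the dedicated string functions by their epilogue (an immediate loaded into ECX followed by a call to runtime.slicebytetostring) and maps each one to its GoReSym function so it can be emulated. Assumptions: the hasher is a stand-in modelled on the way Garble derives names (a salted hash, base64-encoded and truncated) and is not its real routine; the salt and the candidate identifiers are made up; the listing lines are constructed from the page's epilogue relocated into the page's first function range; and real GoReSym output nests function records under category keys, so the right list must be handed to load_functions().

```python
import base64
import hashlib
import json

# Constructed sample of GoReSym function records. The three entries reproduce
# the records shown on the page; real GoReSym output nests such records under
# per-category keys (assumption), so pass the right list into load_functions().
SAMPLE_GORESYM = json.dumps([
    {'Start': 5369065792, 'End': 5369065824,
     'PackageName': 'h20dLQEZPVaM', 'FullName': 'h20dLQEZPVaM.CvGFbRy'},
    {'Start': 5369072416, 'End': 5369072512,
     'PackageName': 'h20dLQEZPVaM', 'FullName': 'h20dLQEZPVaM.IRlPxsFX'},
    {'Start': 5369072512, 'End': 5369072608,
     'PackageName': 'h20dLQEZPVaM', 'FullName': 'h20dLQEZPVaM.MRLxEQ'},
])

# Constructed IDA-style listing: the epilogue from the page, relocated into the
# first function's range, plus a non-stub epilogue in the second function's
# range whose length register is loaded from the stack rather than an immediate.
SAMPLE_LISTING = '''
.text:0000000140057140 mov ecx, 0Ah
.text:0000000140057145 call runtime_slicebytetostring
.text:000000014005714A mov rbp, [rsp+38h+var_8]
.text:000000014005714F add rsp, 38h
.text:0000000140057153 retn
.text:0000000140058B20 mov ecx, [rsp+38h+var_10]
.text:0000000140058B25 call runtime_slicebytetostring
.text:0000000140058B2A retn
'''


def load_functions(goresym_json):
    # Returns (start, end, full_name) triples from a list of GoReSym records.
    return [(r['Start'], r['End'], r['FullName']) for r in json.loads(goresym_json)]


def assumed_garble_hash(salt, name, length):
    # Assumption, not Garble's code: a salted SHA-256 of the identifier,
    # base64-encoded and truncated to the observed name length. Garble salts
    # and seeds its hash per build, so replace this with its real routine and
    # the salt/seed of the build you are attacking before expecting matches.
    digest = hashlib.sha256(salt + name.encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip('=')[:length]


def match_names(obfuscated, candidates, salt, hasher=assumed_garble_hash):
    # Brute-force the page's idea: hash every identifier recovered from an
    # unobfuscated build and look for it among the obfuscated identifiers.
    # Returns {obfuscated_name: plaintext_name} for each match found.
    wanted = set(obfuscated)
    lengths = {len(o) for o in wanted}
    found = {}
    for cand in candidates:
        for length in lengths:
            h = hasher(salt, cand, length)
            if h in wanted:
                found[h] = cand
    return found


def parse_imm(token):
    # IDA prints immediates as decimal (10) or hex with an h suffix (0Ah).
    token = token.rstrip(',')
    if token.endswith('h'):
        return int(token[:-1], 16)
    if token.isdigit():
        return int(token)
    return None  # register or memory operand, not a constant length


def containing_function(addr, functions):
    for start, end, name in functions:
        if start <= addr < end:
            return name
    return None


def find_string_stubs(listing, functions):
    # Flags Garble-style string stubs by their epilogue: the byte count is
    # placed in ECX by an immediate (Go's amd64 register ABI passes the length
    # for slicebytetostring in CX) and runtime.slicebytetostring is called next.
    # Returns (function_name, string_length) per hit; these are the functions
    # worth emulating to recover the plaintext string.
    hits = []
    last_len = None
    for line in listing.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or ':' not in tokens[0]:
            continue
        addr = int(tokens[0].split(':')[1], 16)
        if tokens[1] == 'mov' and len(tokens) >= 4 and tokens[2] == 'ecx,':
            last_len = parse_imm(tokens[3])
        elif tokens[1] == 'call' and len(tokens) >= 3 and tokens[2] == 'runtime_slicebytetostring':
            if last_len is not None:
                hits.append((containing_function(addr, functions), last_len))
            last_len = None
        else:
            last_len = None  # the length must be set immediately before the call
    return hits


if __name__ == '__main__':
    funcs = load_functions(SAMPLE_GORESYM)
    print(find_string_stubs(SAMPLE_LISTING, funcs))
    # Made-up salt and candidate names: the obfuscated name is produced by the
    # same assumed hasher, so the match succeeds only with the matching salt.
    obf = assumed_garble_hash(b'build-salt', 'main.uploadData', 8)
    print(match_names([obf], ['main.uploadData', 'main.readConfig'], b'build-salt'))
    print(match_names([obf], ['main.uploadData', 'main.readConfig'], b'wrong-salt'))
```

The wrong-salt call in the main block is the caveat: without the salt and seed Garble used for this build, the brute force finds nothing even with every older name in hand, so the approach depends on reproducing Garble's exact hashing, not just on having the unobfuscated build. Once find_string_stubs() lists the stubs, emulate each one (Unicorn or flare-emu) from its GoReSym start address and read the string back from the AX/BX pointer and length pair that Go's register ABI returns.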
When GoReSym is run we can see method names like...\r\n{\r\n \"Start\": 5369065792,\r\n \"End\": 5369065824,\r\n \"PackageName\": \"h20dLQEZPVaM\",\r\n \"FullName\": \"h20dLQEZPVaM.CvGFbRy\"\r\n },\r\n {\r\n \"Start\": 5369072416,\r\n \"End\": 5369072512,\r\n \"PackageName\": \"h20dLQEZPVaM\",\r\n \"FullName\": \"h20dLQEZPVaM.IRlPxsFX\"\r\n },\r\n {\r\n \"Start\": 5369072512,\r\n \"End\": 5369072608,\r\n \"PackageName\": \"h20dLQEZPVaM\",\r\n \"FullName\": \"h20dLQEZPVaM.MRLxEQ\"\r\n },\r\nIdea: it might be possible to brute force these if you had access to an earlier version of the sample that still has the full method names.\r\nString Obfuscation\r\nThe string obfuscation appears to produce a dedicated function for each obfuscated string, consisting of some constants and an algorithm used to recreate the string. The function then converts the resulting byte slice into a Go string and returns it.\r\n.text:00000001407BC661 mov ecx, 0Ah\r\n.text:00000001407BC666 call runtime_slicebytetostring\r\n.text:00000001407BC66B mov rbp, [rsp+38h+var_8]\r\n.text:00000001407BC670 add rsp, 38h\r\n.text:00000001407BC674 retn\r\nIt may be possible to attack this by identifying the dedicated string functions and emulating them!\r\nStand Alone String Decryption\r\nSource: https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html"
	],
	"report_names": [
		"bandit-garble.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439012,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb86a5b02ae8a4f95e839376c8dd464c3b624f96.pdf",
		"text": "https://archive.orkl.eu/cb86a5b02ae8a4f95e839376c8dd464c3b624f96.txt",
		"img": "https://archive.orkl.eu/cb86a5b02ae8a4f95e839376c8dd464c3b624f96.jpg"
	}
}