Bandit Stealer Garbled
Published: 2023-07-31 · Archived: 2026-04-06 01:23:16 UTC
According to CloudSek the stealer panel has security flaws that allow some of the data to be accessed without
authentication. This example shows the main panel for the stealer
http[:]//142.202.240[.]84:8080/csetayukhv.html
Binary Analysis
Early builds of the stealer did not use obfuscation, and contained plaintext strings. These versions were simple to
reverse engineer once the method names were recovered using GO IDA parser (works well!). Later versions of the
stealer attempted to slightly obfuscate the method names and ultimately moved to using Garble a GO obfuscator.
Garble
Garble is able to obfuscate GO method names, obfuscate strings, and modify control flow. Each option can be
enabled separately. We will be analyzing the following Bandit Stealer sample obfuscated with Garble
623a5f4c57cf5b3feb6775508cd6492f89d55ce11f62e0b6fb1020fd730b2e8f .
Method Name Obfuscation
The method names are obfuscated using a hash which is then base64 encoded. The method metadata recovery
process is not possible using our favorite IDA script but we can use GoReSym. When this is run we can see
method names like...
{
 "Start": 5369065792,
 "End": 5369065824,
 "PackageName": "h20dLQEZPVaM",
 "FullName": "h20dLQEZPVaM.CvGFbRy"
 },
 {
 "Start": 5369072416,
 "End": 5369072512,
 "PackageName": "h20dLQEZPVaM",
 "FullName": "h20dLQEZPVaM.IRlPxsFX"
 },
 {
 "Start": 5369072512,
 "End": 5369072608,
 "PackageName": "h20dLQEZPVaM",
https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html
Page 1 of 2

"FullName": "h20dLQEZPVaM.MRLxEQ"
 },
Idea it might be possible to brute force these if you had access to an earlier version of the sample which has the
full method names
String Obfuscation
The string obfuscation appears to result in dedicated functions for each obfuscated string which consist of some
constants and an algorithm used to recreate the string. The function then converts the resulting byte string into a
go string and returns it.
.text:00000001407BC661 mov ecx, 0Ah
.text:00000001407BC666 call runtime_slicebytetostring
.text:00000001407BC66B mov rbp, [rsp+38h+var_8]
.text:00000001407BC670 add rsp, 38h
.text:00000001407BC674 retn
It may be possible to attack this by identifying the dedicated string functions and emulating them!
Stand Alone String Decryption
Source: https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html
https://research.openanalysis.net/bandit/stealer/garble/go/obfuscation/2023/07/31/bandit-garble.html
Page 2 of 2