Welcome to Malware Analysis For Hedgehogs. This is a different room than usual because I'm on vacation, so just ignore that part. I'm posting this because it seems to be a new trend that certain malware files are built with the Electron framework. Electron is a way to create desktop applications from JavaScript code, so the resulting portable executable files are huge, and if this is the first one you see as a reverse engineer, you might get lost in the huge application and not know where to find the actual code. That's the reason I'm posting this small tutorial on how to unpack this kind of file, based on a stealer example.

The file we are going to have a look at is this PE file. Yesterday it was posted on MalwareTips, and the question was: okay, this is supposed to be a game, is it truly legit? So let's check VirusTotal on that. Yesterday there were zero detections on VirusTotal, so none of the scanners detected it. By now it seems that automation has picked it up, because I know for a fact that this is from automation.

What do we see on VirusTotal? We see it's relatively big, almost 70 megabytes, and Detect It Easy determines it's an NSIS installer. Nothing suspicious right there, because NSIS is very common, also for legit files; it's just a way to create your own installers. But the version information is already weird: the description says "evil". The name here is also somewhat weird, but this can sometimes happen if you have files whose names are generated arbitrarily for the temp folder, so they could have random names for certain reasons. This is not always an indicator that it's malicious. Something else that was interesting is the behavior tab.
First off, MITRE: I generally do not look at that much, because it's an interpretation. It doesn't tell me hard facts, like why it thinks that certain things are happening here and what the exact command for that is. That's something I don't see in MITRE, so let's collapse that tree. What is interesting here is the DNS resolution: it resolves a domain with "stealer" in the name under the .wtf TLD. When I saw this I was immediately like, okay, I want to find the code that actually references this and see what's happening there.

When you scroll down to the files that are being written, you see a mention of clipboard. clipboard is a legit application, it's a package for Node.js, but this package is there to get the clipboard contents. So basically the name checks out, and this could be abused by malware. What else do we see? Scrolling down, there are mentions of a credit cards database, a passwords database and a web data database. Okay, this looks more like a stealer; this could actually be a stealer.

So based on that, how do we find the code? We know it's NSIS, so we can just unpack it with 7-Zip, and this is what you get. Here are the unpacked files: we have some DLLs and another archive. So let's unpack this archive, and this is where the interesting part started, for me at least. We have a lot of files here, and the main process when you execute this is this one executable. You will see that this executable does all of the interesting stuff. It's a huge file, 158 megabytes, and I immediately got lost in it for like two hours. Detect It Easy needs some time to process this file because it's so big, and here we see the result: Detect It Easy says it's an Electron package. If you check the signature, you can see it thinks so because of the section names.
There's a section named CPADinfo and another one named .00cfg, so these seem to be indicative of an Electron package. The strings would also tell you so, but I'm not going to extract the strings right now because the file is so big; there are too many strings to look at all of them. The reason I'm posting this is that it's actually not so hard to obtain the code, but when you haven't seen this before it can be challenging, because this main executable is where you would look first, and because it's so big you will get lost. I tried finding ways to unpack this package, but actually the code is in the resources folder, in the .asar file. This file can have a different name, but it will generally end in .asar. This is the package that's interesting when you have an Electron application. So when Detect It Easy tells you it's Electron, check for resources and then check for the .asar file.

Now you need some asar unpacker. There is a plug-in for 7-Zip; you can install this plug-in and then 7-Zip is able to extract this one as well. It will say "unavailable data: node_modules/clipboard". That is the data you can already see unpacked next to the archive, and for some reason it complains that this is not available. You can ignore that. Now we have the data here, and you need to know where to look for the rest. The package.json is the package definition file, and it will tell you the entry point; for this one it's main.js. This could have a different name, but here we know it's main.js. We also see author: evil.
Evil is also interesting, but that's just a side note. config.js in this case says webhook: "replace me". So we check main.js, because that seems to be the entry point, and it doesn't do much, just 19 lines of code, but it refers to core aes.js: it says this is required. We're going to check this one because it's referenced, and here is the interesting data actually, because here we have a huge string. Let me turn off word wrap. So this is a huge base64 string, and it contains some encrypted data, and now you have to decode this data. This is very specific to the stealer. We have already basically unpacked this Electron app, and if that's all you need, you can stop here. But for this particular file, for this particular stealer, we also need to decode this part, and that's quite easy: you just replace this part here with some output, like so. What it does now is print the contents of decrypted. So it will decrypt this, and then we print the contents of that.
Let's copy and paste this. I'm kind of lazy, so I'm just using this online compiler. Click on execute, and here we have everything. Copy and paste this into a new file. Now I'm turning word wrap on again, because otherwise we miss some interesting things, and I'm going to turn on JavaScript highlighting. Here we see the code that references the "HL stealer" domain, and we also see this: some kind of authentication password or something. This was also used as a file name, which we saw on VirusTotal. And this is huge, more than 3,000 lines of code. You can check this and look at what the stealer is capable of. Basically it steals everything you can imagine: from Telegram to Discord tokens to browser data, passwords, everything you can imagine, Roblox, Growtopia. You'll also find a reference to a class called "space dealer", where some interesting stuff is happening in the constructor: we see startup, so persistence, we see some functions that steal tokens and Telegram stuff, and some Discord references. Anyways, check it out if you're interested, and that's all I've got to tell you about Electron.