An analysis of Razor Crypter, a HackForums product

Today we are going to take a look at Razor Crypter V2, a well-known crypter on HackForums and one of the biggest and oldest still in operation. It started three years ago as Razor Crypter V1 (which I may cover in a later post) and is written in AutoIt, a language commonly used for malware because it is easy to program in and easy to re-FUD (make "fully undetectable" again once AV signatures catch up).

On execution, Razor Crypter's stub picks a random number and enters a loop that increments it by one and tests whether it is prime; if it is, an "x" is appended to the variable "NUMS", otherwise the loop simply continues. This runs until the number lands somewhere between 10000 and 90000.

After this, the variable "NUMS" is split on the delimiter "x" and the result is saved into an array called "EXP".


The script next takes two random elements from "EXP" and adds a random number to them. Note that "NUMS" consists of nothing but "x" characters, so splitting it on "x" leaves "EXP" holding only empty strings; the arithmetic is meaningless.

This junk code is most likely there to evade AV detection: "EXP" is never used again after this point, so the whole loop has no effect on the payload.
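The junk routine above, as an added Python model (not code from the crypter or from the post's author). The post does not give the starting number's range or the exact stop condition, so the model assumes the number starts below the window and the loop stops at a random target inside 10000..90000; `run_junk_routine` returns everything the routine produces so the dead-end nature of EXP is visible.

```python
import random

# Added example (not the crypter's own code): a Python model of the junk-code
# routine the post describes in the AutoIt stub. ASSUMPTIONS, since the post
# does not give them: the starting number is drawn from below the window and
# the loop stops at a random target inside 10000..90000.


def is_prime(n: int) -> bool:
    """Trial division; fast enough for the numbers this routine touches (< 90000)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def run_junk_routine(seed: int) -> dict:
    """Reproduce the prime loop, the split on "x", and the closing arithmetic.

    Everything the routine produces is returned so the reader can check that
    none of it can influence the payload: EXP holds nothing but empty strings.
    """
    rng = random.Random(seed)
    n = rng.randint(0, 9_999)            # ASSUMED start range (below the window)
    stop = rng.randint(10_000, 90_000)   # ASSUMED random target inside the window
    nums = ""
    primes_seen = 0
    while n != stop:
        n += 1
        if is_prime(n):
            nums += "x"                  # one "x" per prime passed on the way up
            primes_seen += 1

    # AutoIt's StringSplit("xxx", "x") yields count+1 empty strings; Python's
    # str.split gives the same result, so EXP = ["", "", ..., ""].
    exp = nums.split("x")

    # "takes 2 random numbers from EXP and adds a random number": AutoIt treats
    # "" as 0 in arithmetic, so the result is just the random addend.
    a = exp[rng.randrange(len(exp))]
    b = exp[rng.randrange(len(exp))]
    addend = rng.randint(1, 1000)        # ASSUMED range for the random addend
    result = int(a or 0) + int(b or 0) + addend

    return {
        "stop": stop,
        "primes_seen": primes_seen,
        "exp": exp,
        "addend": addend,
        "result": result,
    }


if __name__ == "__main__":
    r = run_junk_routine(seed=2015)
    print(f"counted {r['primes_seen']} primes up to {r['stop']}, "
          f"EXP has {len(r['exp'])} empty strings, "
          f"result == addend: {r['result'] == r['addend']}")
```

Run it and EXP is nothing but empty strings: splitting a string of x's on "x" leaves only the gaps between them, and AutoIt arithmetic treats "" as 0, so the final sum is the random addend alone. A deobfuscator can drop the whole routine without changing what the stub does.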

When this is done, the stub drops another AutoIt script and executes it through the AutoIt interpreter's /AutoIt3ExecuteScript command-line switch. However, the dropped script is detected by 90% of AVs. Even though this crypter has such a big reputation on HackForums, it is simply a poorly written crypter.

Another obfuscation technique is the renaming of built-in functions: new functions are defined that do nothing except call the built-in. An interesting idea, but it is easily undone by renaming the wrappers back to the functions they call.


StringReverse was also renamed, but in this case the replacement is custom coded rather than a plain wrapper. Oddly, the code looks copy-and-pasted, so I am not sure whether that counts as a point in the coder's favour or not.


However, because the crypter is written in AutoIt and the coder has plenty of time on his or her hands to re-FUD it, it is often FUD and very popular among unskilled hackers (aka skids). The encryption is also very weak: Base64 is used, and since Base64 is a keyless encoding rather than a cipher (the function is even named _winapi_base64decode), unpacking the stub is trivial.
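The wrapper-renaming trick described earlier and the keyless Base64 payload discussed in this paragraph can both be undone statically. Below is an added Python example (not the author's tooling and not the crypter's code) that does so on a constructed AutoIt stub: the sample source, its obfuscated function names and its payload are made up for this example, and the decoder regex assumes the call is `_WinAPI_Base64Decode` with a string-literal argument.

```python
import base64
import re

# Added example (not the crypter's code): a small static deobfuscation pass for
# AutoIt stubs that use the two tricks the post describes: built-ins hidden
# behind do-nothing wrapper functions, and a keyless Base64 payload handed to a
# decoder such as _WinAPI_Base64Decode. SAMPLE_STUB is CONSTRUCTED for this
# example; the function names and the payload are not from the real crypter.

SAMPLE_STUB = r'''
Func qzxw($s, $d)
    Return StringSplit($s, $d)
EndFunc

Func plmk($f, $data)
    Return FileWrite($f, $data)
EndFunc

Func vbnm($f, $data)
    Return plmk($f, $data)
EndFunc

Func rdcx($v)
    Return BinaryToString($v)
EndFunc

$blob = _WinAPI_Base64Decode("TXNnQm94KDAsICJoaSIsICJkcm9wcGVkIik=")
$parts = qzxw("a,b,c", ",")
vbnm(@TempDir & "\dropped.au3", rdcx($blob))
'''

# A wrapper is a Func whose whole body is "Return <callee>(<its own parameters>)".
WRAPPER_RE = re.compile(
    r"Func\s+(\w+)\s*\(([^)]*)\)\s+Return\s+(\w+)\s*\(([^)]*)\)\s+EndFunc",
    re.IGNORECASE,
)
# Decoder call whose argument is a string literal, i.e. the payload sits in the stub.
BASE64_CALL_RE = re.compile(
    r'_WinAPI_Base64Decode\s*\(\s*"([A-Za-z0-9+/=]+)"\s*\)', re.IGNORECASE
)


def _params(s: str) -> list:
    """Normalise a parameter/argument list for comparison."""
    return [p.strip() for p in s.split(",") if p.strip()]


def find_wrappers(src: str) -> dict:
    """Map each wrapper name to the built-in it ultimately forwards to.

    Only functions that pass their parameter list through unchanged count;
    anything with real logic (like the custom StringReverse the post mentions)
    is left for manual review. Wrappers of wrappers are resolved to the end.
    """
    wrappers = {}
    for name, params, callee, args in WRAPPER_RE.findall(src):
        if _params(params) == _params(args):
            wrappers[name] = callee
    for name in list(wrappers):
        seen, target = {name}, wrappers[name]
        while target in wrappers and target not in seen:
            seen.add(target)
            target = wrappers[target]
        wrappers[name] = target
    return wrappers


def inline_wrappers(src: str) -> str:
    """Drop wrapper definitions and rename their call sites to the built-in."""
    wrappers = find_wrappers(src)
    out = WRAPPER_RE.sub(lambda m: "" if m.group(1) in wrappers else m.group(0), src)
    for name, callee in wrappers.items():
        out = re.sub(r"\b%s\s*\(" % re.escape(name), lambda m, c=callee: c + "(", out)
    return re.sub(r"\n{3,}", "\n\n", out).strip() + "\n"


def extract_payload(src: str) -> bytes:
    """Pull the Base64 literal out of the decoder call and decode it: no key needed."""
    m = BASE64_CALL_RE.search(src)
    if m is None:
        raise ValueError("no Base64 decoder call with a literal argument found")
    return base64.b64decode(m.group(1), validate=True)


if __name__ == "__main__":
    print(inline_wrappers(SAMPLE_STUB))
    print(extract_payload(SAMPLE_STUB).decode())
```

The wrapper pass keeps functions that contain real logic, which is the right default for a custom-coded StringReverse: those still need a human to read them. The payload step is the whole point of the paragraph: because Base64 carries no key, the decoded script falls out of the stub with nothing more than the literal and a standard decoder.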

VirusTotal link of the stub.

Conclusion:

  • The crypter relies on weak techniques to stay undetected, but it is updated often, which makes it hard for AVs to keep up with scan-time detections.
  • All stubs are the same, with barely any difference between them.
  • Just because a crypter is old and famous doesn't mean it is good.
  • Don't use Base64; at least use RC4, XXTEA, AES or something with a key. Bear in mind that a key stored in the stub is just as readable as the payload, so a keyed cipher only raises the effort of unpacking rather than preventing it.

The Magical Mushdoom
