Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation

This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. Developed since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is primarily used by operators of malware families such as LummaStealer, Remcos, and Rhadamanthys. HeartCrypt injects malicious code into legitimate binaries and employs various obfuscation techniques to hinder analysis. The packer executes in multiple stages, using encoded resources and anti-sandbox measures. Over 2,000 malicious payloads across 45 malware families have utilized HeartCrypt, highlighting the increasing commoditization of malware development and the need for proactive threat hunting.

Author: AlienVault

Related Tags: heartcrypt, anti-sandbox, process hollowing, LummaStealer, Vidar Stealer, T1497.001, T1027.002, T1055.012, T1547.001

Associated Indicators: