XaiJu
oalabs
oalabs

patreon


Intercepting HTTP Traffic With The Debugger

In this tutorial we demonstrate how to use x64dbg to intercept network traffic in a target process. We are using Lumma Stealer as an example but the approach is roughly the same for all malware.

References

Sample

5aead2773474aa64c7e5300d49eca7ee01174fe806fd73f4a878ae4b2a4aaca1 [UnpacMe]

Lumma Stealer Analysis

Intercepting HTTP Traffic With The Debugger

Comments

It is not possible to decrypt the traffic if you are only capturing it, but with some modifications on the VM you can make it possible. The two approaches are to either dump the TLS master secret from the process (this is a good overview https://github.com/cuckoosandbox/cuckoo/issues/2103) or you need to install your own certificate in the store on the host and man-in-the-middle the traffic. Any MITM proxy will have instructions for this, for example https://github.com/mitmproxy

OALABS

Using this technique, it appears we would see the TLS traffic in an unencrypted state which id very handy. If I was only capturing traffic with a network based capture, I would need some additional steps to see the same traffic in an unencrypted state. Awesome walk through, thanks!!

cyberw01f


More Creators