In-Depth Coverage of the Multi-Malware Family OnionCrypter
released on 2021-03-18 @ 09:13:59 PM
OnionCrypter, which is discussed in this blogpost, uses a combination of multiple interesting techniques that make it hard to analyze and hard to detect reliably. One of the key techniques this crypter uses is multiple layers of encryption. Because of this, Avast calls it "OnionCrypter". It's important to note that the name reflects the many layers this crypter uses; it is in no way related to the Tor browser or network.
OnionCrypter has been used by over 30 different malware families since 2016. This includes some of the best-known and most prevalent families, such as Ursnif, Lokibot, Zeus, AgentTesla, and Smokeloader, among others. This blogpost covers most of the techniques OnionCrypter uses to complicate analysis and breaks down its structure.