Below is the PEDUMP of the Trojan

It is a stealer. It steals the password from major FTP clients. The list will be mentioned below It also acts as a TCP / UDP proxy service allowing redirection of traffic. It also contains a downloader module, which downloads executables from c2c. This malware is configuration-specific which means certain main features can be turned off using a config mask.

In the initial phase, it starts a thread for mutex creation. The mutex name is formatted using an inbuilt string and a version number in a %s_%d format. In this case, the mutex and version was “5629186B-0207-4659-AE5D-B09282932A86_519.” It checks continuously for this mutex, and if present, it terminates itself. Static config is decoded using a simple XOR algorithm using a 4 byte XOR key. After decoding static config, various masks and structures are revealed – for example, IP Address or Exfil HTTP server. In this sample XOR key was 96A534F0h, and after XORing, the following information is revealed:

IP address Exfil HTTP server Socket Ports Mask value for config.

It also adds a firewall exception rule and masquerades it as Microsoft Office:

In the next subroutine, three manual reset events are created. These events will be later used to trigger c2 connection set. It also generates a 16byte bot ID based on system parameters or random numbers. It is either taken from softwaremicrosoftwindowscurrentversionvendorid or generated random using UID create using XOR and MOD.

Main Thread Modules

IP Update Thread

This thread connects to c2 which is present in the binary. It will continuously connect to c2 ip and will try to update a DWORD used later in the initialization packet. This DWORD is saved in Network Byte order. Now we will discuss different configuration masks used.

ConfigMask: bit 4 (Init packet thread)

After the call to c2thread, it checks a DWORD value extracted from the configuration buffer which is known as the ConfigMask variable. If the 4th bit is set from the mask value, then it starts another thread which will continuously send initialization packets to the c2 and a constant port number using the following format for the value generated from BOTID generation subroutine as mentioned below.     %08X-%04X-%04X-%02X%02X%02X%02X%02X%02X%02X%02X This subroutine encodes data using a base64 algorithm and connects to c2 from the base packet using port number again obtained from variable InitPacketPort TCP:23407.

Configmask: bit 1 (Registry persistence thread)

If bit 1 is set, then it will start a thread which keeps the malware persistent thought-out using a well know registry value to run on start: SoftwareMicrosoftWindowsCurrentVersionRun.

ConfigMask: Bit 3 (Create a TCP proxy tunnel)

In this subroutine a critical section is created which is shared for synchronization between two threads created in this subroutine. Data Shared using Critical section is 128 bytes long.


This thread binds a TCP port named as ListenPort: 1080 and binds over it . When a connection is accepted an IP address of connecting machine is checked against a 128byte array with the following validation. ((unsigned __int8)(128 » (unsigned __int8)(hostlonga » (32 – (8 * i + 8))) % 8) & (unsigned __int8)*(&_80hBytes[32 * i] + (unsigned __int8)((signed int)(unsigned __int8)(hostlonga » (32 – (8 * i + 8))) » 3))) != 0; where hostlonga = Ipaddress of connecting machine After that it receives one bye from socket which is used to check for what type of proxy it is supposed to be created.

value 4 = Ip based proxy ( received response will contain a raw ip address) value 5 = Host name based proxy ( response will contain a printable domain name ) For Ip based proxy 8 bytes are received again from c2 which are formatted as struct _8bytepacket { BYTE Unused; BYTE Type1; // Should be 1 otherwise fails WORD PortNumber ; DWORD Ipaddress;/ IP of target system (HOST order ) } If type == 1 . then (0x005b || 0x000000) DWORD is sent as failure packet to c2 otherwise (0x005A || 0x000000 ) is sent as success packet


This thread which receives a 128-byte buffer from c2 connecting to port ProxyInfoPort:23404 Configmask: bit 5 (download executable) If bit 5 is set it will connect to all c2 using a specified port number and will send some data / a placeholder ‘SgrC’ to c2 and will download an executable ConfigMask: bit 2 and Configmask2 bit 1 If these bits are set, it will start a routine for capturing email addresses from all files in root drive. However, it will skip from following extensions as mentioned below