What is Arechclient2 (SectopRAT)?

Arechclient2 (SectopRAT) is a RAT and Infostealer

Arechclient2, also known as SectopRAT, is a remote access trojan and infostealer initially observed in 2019. It’s primarily used as a post-compromise tool and is currently experiencing a significant surge in deployment during 2025 campaigns. The malware is delivered via the HijackLoader steganographic delivery mechanism, which embeds encrypted payloads within PNG image files using IDAT chunk manipulation.

This particular sample represents a sophisticated, multi-component attack leveraging legitimate cloud infrastructure for data exfiltration and cryptocurrency theft operations. As far as I can tell, this is a variant that differs significantly from standard SectopRAT deployments.

This is also the first time I’ve seen steganography used in the wild, and is quite unusual in a malware sample from what I’ve seen.

Standard SectopRAT vs This Variant:


The sample represents a variant in the standard SectopRAT deployment, especially in its crypto and infostealing features:

  • Zero-detection dropper components bypassing traditional AV
  • Steganographic payload delivery in PNG images (IDAT chunk manipulation)
  • Multi-component architecture with intentional decoy modules
  • Process injection into custom-created processes (FluInterface32.exe)
  • Comprehensive financial data theft targeting 24 cryptocurrency wallets
  • Calli obfuscator defeating dynamic analysis
FeatureStandard SectopRATThis Variant
Injection TargetMSBuild.exeCustom FluInterface32.exe
C2 ResolutionPastebin dynamicHardcoded Russian IP
Port Range9000, 15647-1567815847 (within range)

Surface Level Analysis

Sample Identification:


Our sample was disguised as XMouseButtonControl (legitimate mouse button remapping software.)

Initial Dropper Metadata:

SHA-256: 7dc2ddaac0f6c54d774f6b336fa15a249fd0d5e74a903e7ada07cc00772c8341
File Name: XMouseButtonControlSetup.2.20.5.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 2.80 MB
Signed: Yes (REVOKED GlobalSign certificate)
First Seen:
02/06/2025 (2nd of June 2025)

VirusTotal Detection Rates:

ComponentDetection RateStrategy
Steganographic PNG (memmmu.png)0/97Clean payload carrier
Initial dropper (XMouseButtonSetup)41/71Moderate detection despite signing
PowerShell dropper (goto.ps1)14/63Some AV detection
E-Consol.exe (orchestrator)0/72Completely clean
AliyunWrap.dll (crypto library)39/72Heavily flagged – functional but with unused cloud code
FluInterface32.exe (pre-injection)0/68Clean host process

As you will see later on, AliyunWrap.dll is heavily detected (39/72) but serves a dual purpose: it’s functionally required for crypto operations while also containing unused cloud/credential code that may misdirect analysis efforts.

Delivery Method:

  • Embedded in PNG image via steganography (PostImg hosting)
  • XOR encryption (single-byte key at offset 436)
  • Packaged as ZIP archive containing full malware suite
  • Delivered via PowerShell dropper script goto.ps1

Processes Graph:

(any.run)

Initial Triage

The infection chain begins with what appears to be legitimate XMouseButtonControl software.

The mouse software appears to be fully working. Upon excecution, the Xmouse installer:

  • Installs legitimate XMouseButtonControl software to %LOCALAPPDATA%\XMouseButtonControl\
  • Writes a malicious PowerShell script, goto.ps1 to disk alongside the legitimate installation

The initial Xmouse install binary writes goto.ps1 to disk, which contains the actual steganographic payload extraction logic. I downloaded the “goto.ps1” from a sandbox and started to statically analyze it.

(goto.ps1 SHA-256 hash: 163810b5276c23ddccfdcbcb85ac97c58957b7968aae5312cb06668e68f6ac98)

The script downloads a doge png named “memmmu.png”:

The PNG contains a Doge meme image with the encrypted malware ZIP embedded after the IDAT chunk

The powershell script then extracts the XOR decryption key from byte 436, before finding the IDAT PNG chunk marker, as the payload starts four bytes after. It extracts and XOR decrypts the payload to reveal a ZIP archive. It defines the target directory, kills e-consol, but only if the system is already infected (only works if already infected – SilentlyContinue suppresses errors on first run). It removes old installation files if they exist and creates a fresh directory. It writes the decrypted ZIP, extracts its contents before deleting the zip. The PS script then hides the directory, creates a startup persistence shortcut and finally executres the malware with a hidden window.

In order to more efficiently fetch the malware without execution I wrote a script to extract it:

https://github.com/thetrueartist/HijackLoader-IDATloaderPayloadExtractor

After using this tool and extracting the ZIP folder we get everything that the malware writes to disk.

My first impressions of the files were that “E-consol.exe” was potentially the main malware, followed by the “AliyunWrap.dll”. Both “Jeadpietpour.rky” “Meck.xkd” were kept intentionally murky by the malware author, with “AliyunConfig.ini” likely being of use, even despite the small file size.

After submitting some of the files to VirusTotal, it would have you think that all apart from the “AliyunWrap.dll” harmless. At this point I was questioning what files were potentially a decoy to waste my time (however this happened to not be the case, as I’ll explain later).

After extracting the files I ended up dynamically analyzing “E-consol.exe” after finding lacking leads with basic static analysis.

After letting it run, it writes and creates a process called “FluInterface32.exe” 10 seconds after E-consol.exe has been executed.

Based off of the name, I had guessed that it (“FluInterface32.exe”) was used for the network functionality, maybe alone, and at this point “AliyunWrap.dll” was potentially where the main functionality of the malware was hiding, especially considering the VirusTotal detections for it.



However I continued on with analyzing “FluInterface32.exe” to start. After investigating with strings/FLOSS and quickly checking the malware on VirusTotal, it would have you think that “FluInterface32.exe” is clean or is harmless.

Network Discovery

I then checked network connections for all of the processes it wrote/spawned and found (with Process Hacker 2, and Fakenet) that “FluInterface32.exe” was attempting to connect to a Russian IP as well as a Binance domain hosted on AWS.

And sure enough, the IPs it contacted were in memory:

I found it unusual that this was the only process it spawned that was making active network connections.

Process Injection Confirmation

To check to see if “FluInterface32.exe” was being process injected, I used Hollows Hunter to check.

This confirmed that “FluInterface32.exe” was process injected, as the binary was native, yet there was .NET code running inside it.


After this I was pretty sure “E-Consol.exe” was just a dropper.

I used ExtremeDumper to dump the injected payload from FluInterface32.exe’s memory to analyze what was actually running.

Architecture Discovery

Before I analyzed the memory dump, I wanted to investigate the component relationships, and to find out which files were actually required for E-consol.exe to run and function.

I decided to test component dependencies by selectively removing binaries to see what E-Consol actually requires in order for it to work.

In short;

Test 1: E-Consol.exe alone

Failed immediately, it was missing AliyunWrap.dll. Hard dependency confirmed.

Test 2: E-Consol.exe + AliyunWrap.dll + AliyunConfig.ini

Started but crashed with 0xc0000142 error. Before crashing, it created an empty Meck.xkd file. This means E-Consol.exe writes to Meck.xkd at runtime rather than reading from it.

Test 3: Added Meck.xkd (83 KB)

Still crashed with the same error. Another component is missing.

Test 4: Added Jeadpietpour.rky (2 MB)

Finally executed successfully. Jeadpietpour.rky is essential for execution.

Required components:

  • AliyunWrap.dll – hard dependency, crashes immediately without it
  • Jeadpietpour.rky – required for successful execution, crashes without it
  • Meck.xkd – runtime artifact, not an input file

Analyzing Jeadpietpour.rky

I uploaded Jeadpietpour.rky to VirusTotal to get more information about the file.

VirusTotal’s Magika classifier identified it as a PNG file despite the .rky extension. I decided to check the file header to confirm.

Checking the file signature:

The file doesn’t start with PNG magic bytes (89 50 4E 47). It starts with 77 4D... instead. The file is likely encrypted or compressed on disk.

Checking Meck.xkd as well:



Meck.xkd has null-byte patterns suggesting either wide-character encoding or encrypted data. The scattered ASCII strings (LIA, MSLG, jEF) suggest this might be partially decrypted or compressed data.

My Hypothesis


VirusTotal’s Magika detected PNG structure because it analyzed the decrypted content, not the encrypted file on disk. Jeadpietpour.rky stores encrypted bytes on disk (77 4D 80 79...), which AliyunWrap.dll’s SendLogToCloud() function decrypts at runtime. The decrypted result is a PNG file with the actual payload embedded in IDAT chunks. The .NET assembly is then extracted from the PNG and injected into FluInterface32.exe.

This explains why AliyunWrap.dll is required (provides decryption), why both Jeadpietpour.rky and Meck.xkd are needed (key material and staging data), why AVs can’t detect the payload (encrypted at rest), and why Meck.xkd is created empty on crash (it’s written during decryption, not read as input).

However, this is only a theory, but seems likely.

The execution flow is (likely):

E-Consol.exe
├─ Reads encrypted Jeadpietpour.rky
├─ Calls AliyunWrap.dll::SendLogToCloud() for decryption
├─ Writes intermediate data to Meck.xkd
├─ Extracts .NET payload from decrypted PNG
└─ Injects payload into FluInterface32.exe

The architecture seems to separate the encrypted payload (Jeadpietpour.rky) from the decryption logic (AliyunWrap.dll), obscures file purposes with unusual extensions (.rky, .xkd), and creates a clean injection target (FluInterface32.exe) at runtime to avoid detection.

Memory Dump Analysis

After looking into the architecture of the malware, I resumed analyzing the memory dump from FluInterface32.exe.


I attempted to use DNSpy to debug the dumped payload (wosoqulwj2u.exe), however there was a lot of obfuscation thanks to the Calli Obfuscator.


The calli (call indirect) instruction is a signature of the Calli obfuscator. This made it so that instead of normal method calls, all function invocations route through function pointers dynamically resolved at runtime.

This makes it very hard to analyze, it can be done but diminishing returns kick in hard.

I ended up pivoting to use FLOSS to extract strings from memory.

Dumped Payload strings

‘(‘/’

+’+?+L+

.O0X0u0E1}1

?D@N@

OAPHP

wosoqulwj2u.exe

wosoqulwj2u

mscorlib

System.Web.Extensions

System.Windows.Forms

System

System.Drawing

System.Core

System.Net.Http

System.Runtime.Serialization

System.Security

System.Xml

System.Management

System.IO.Compression.FileSystem

Microsoft.CSharp

kernel32.dll

advapi32.dll

advapi32

user32.dll

msvcrt.dll

User32.dll

gdi32.dll

rstrtmgr.dll

ntdll.dll

String

Format

IFormatProvider

FileInfo

System.IO

get_Directory

DirectoryInfo

Environment

GetFolderPath

SpecialFolder

Concat

Replace

RuntimeHelpers

System.Runtime.CompilerServices

InitializeArray

Array

RuntimeFieldHandle

Split

Type

GetTypeFromHandle

RuntimeTypeHandle

Marshal

System.Runtime.InteropServices

SizeOf

AllocHGlobal

Copy

IntPtr

op_Inequality

FreeHGlobal

ExpandEnvironmentVariables

Encoding

System.Text

get_UTF8

Convert

FromBase64String

get_NewLine

StringSplitOptions

Contains

IsNullOrEmpty

get_Chars

ToUpper

Remove

Path

Combine

File

Exists

Trim

IsNullOrWhiteSpace

StartsWith

ToInt64

DateTime

get_Now

AddMonths

get_Ticks

ToInt32

Join

GetFiles

SearchOption

GetEncoding

ProtectedData

System.Security.Cryptography

Unprotect

DataProtectionScope

get_ASCII

HashAlgorithm

ComputeHash

CultureInfo

System.Globalization

get_InvariantCulture

get_SystemDirectory

BitConverter

get_Unicode

GetBytes

Buffer

BlockCopy

ToLower

get_BigEndianUnicode

ToString

IndexOf

StringComparison

Substring

TrimStart

Compare

Directory

GetDirectories

get_Length

get_CurrentManagedThreadId

Regex

System.Text.RegularExpressions

Matches

MatchCollection

StringBuilder

AppendLine

ChangeType

Object

GetType

op_Equality

GetLogicalDrives

EnumerateDirectories

IEnumerable`1

System.Collections.Generic

XmlDocument

get_DocumentElement

XmlElement

CreateDirectory

FileSystemInfo

get_CreationTime

op_LessThan

Delete

get_UserDomainName

get_UserName

Assembly

System.Reflection

GetExecutingAssembly

InputLanguage

get_CurrentInputLanguage

get_Culture

Screen

get_PrimaryScreen

get_Bounds

Rectangle

get_Width

get_Height

TimeZoneInfo

get_Local

get_DisplayName

RegistryKey

Microsoft.Win32

OpenSubKey

GetValue

GetDelegateForFunctionPointer

Delegate

XmlNode

SelectSingleNode

Append

ManagementObjectSearcher

ManagementObjectCollection

GetEnumerator

ManagementObjectEnumerator

get_Current

ManagementBaseObject

get_Item

ToUInt32

GetSubKeyNames

FileVersionInfo

System.Diagnostics

GetVersionInfo

get_FileVersion

Process

GetCurrentProcess

get_SessionId

get_InstalledInputLanguages

InputLanguageCollection

ToDouble

Math

Round

get_Is64BitOperatingSystem

ReadAllText

WriteAllText

GetDirectoryName

Int32

Parse

NumberStyles

Char

IsLetter

IsLower

SHA256

Create

OpenRead

FileStream

get_Capacity

GetLastWin32Error

EnsureCapacity

PtrToStringAuto

set_Length

IsWhiteSpace

UInt32

TryParse

Decimal

Enum

CreateInstance

SetValue

ConstructorInfo

Invoke

IsDigit

Double

StringComparer

get_OrdinalIgnoreCase

Attribute

GetCustomAttribute

MemberInfo

DataMemberAttribute

get_Name

FormatterServices

GetUninitializedObject

AppendFormat

get_ProcessName

Byte

Registry

GetProcesses

Kill

Thread

System.Threading

Sleep

Image

FromStream

Stream

Save

Bitmap

GetPixel

Color

ToArgb

get_White

Clone

PixelFormat

System.Drawing.Imaging

GetTempFileName

WebClient

System.Net

DownloadFile

Start

TextBoxBase

Paste

RegistryValueKind

GetProcessesByName

Monitor

Enter

Exit

GetCreationTimeUtc

Guid

NewGuid

DriveInfo

get_IsReady

get_DriveType

DriveType

ReadAllBytes

WriteAllBytes

GetRandomFileName

Insert

Graphics

FromHwnd

get_VolumeLabel

get_AvailableFreeSpace

GetFileName

ReadAllLines

WriteAllLines

Point

get_X

get_Y

set_X

set_Y

op_Explicit

Size

get_Left

get_Top

get_Right

get_Bottom

ProcessStartInfo

set_RedirectStandardError

set_RedirectStandardOutput

set_UseShellExecute

set_CreateNoWindow

set_StartInfo

get_MainWindowTitle

get_Id

get_Size

set_Width

set_Height

get_CurrentThread

set_Priority

ThreadPriority

Socket

System.Net.Sockets

BeginSend

IAsyncResult

SocketFlags

AsyncCallback

Collect

get_PixelFormat

LockBits

BitmapData

ImageLockMode

get_Scan0

Receive

UnlockBits

FromImage

ReleaseHdc

DrawImage

Abort

get_AllScreens

CopyFromScreen

EndSend

Console

WriteLine

Close

get_MainWindowHandle

CloseMainWindow

get_WorkingArea

Shutdown

SocketShutdown

GetProcessById

PerformanceCounter

NextValue

BeginReceive

Poll

SelectMode

get_Available

IPAddress

Connect

EndPoint

set_NoDelay

Send

set_ReceiveTimeout

EndReceive

TrimEnd

get_Stride

ImageFormat

get_Jpeg

op_Addition

ServicePointManager

set_SecurityProtocol

SecurityProtocolType

ToCharArray

Reverse

GetInvalidFileNameChars

WaitForExit

Application

ReadInt32

DownloadString

ZipFile

System.IO.Compression

ExtractToDirectory

DownloadData

SuppressFinalize

get_Threads

ProcessThreadCollection

ProcessThread

ToBoolean

TimeSpan

FromMinutes

get_TotalMilliseconds

Timer

System.Timers

add_Elapsed

ElapsedEventHandler

get_InstalledUICulture

set_RedirectStandardInput

set_StandardOutputEncoding

set_StandardErrorEncoding

GetPathRoot

set_WorkingDirectory

set_Arguments

get_StandardInput

StreamWriter

Clear

get_HasExited

get_StandardOutput

StreamReader

get_StandardError

Stop

TcpClient

get_MainModule

ProcessModule

get_FileName

get_Extension

NetworkInterface

System.Net.NetworkInformation

GetAllNetworkInterfaces

MethodInfo

Load

CSharpArgumentInfo

Microsoft.CSharp.RuntimeBinder

CSharpArgumentInfoFlags

Binder

GetIndex

CallSiteBinder

CSharpBinderFlags

BinaryOperation

ExpressionType

System.Linq.Expressions

UnaryOperation

GetTempPath

Exception

get_HResult

ReAllocHGlobal

ReadIntPtr

UIntPtr

MultipartFormDataContent

HttpContent

get_Headers

HttpContentHeaders

System.Net.Http.Headers

MediaTypeHeaderValue

set_ContentType

HttpClient

PostAsync

Task`1

System.Threading.Tasks

HttpResponseMessage

get_IsSuccessStatusCode

get_Content

ReadAsByteArrayAsync

Task

Wait

ToBase64String

CryptoStream

FlushFinalBlock

RandomNumberGenerator

CopyTo

SocketAsyncEventArgs

get_LastOperation

SocketAsyncOperation

get_ExecutablePath

set_WindowStyle

ProcessWindowStyle

set_FileName

op_Subtraction

op_GreaterThan

get_Connected

InvokeMember

SetBuffer

SendAsync

get_BytesTransferred

ReceiveAsync

get_Buffer

GetDrives

GetFullPath

get_LastWriteTime

MoveTo

get_Png

EndsWith

GetThumbnailImage

GetThumbnailImageAbort

Icon

ExtractAssociatedIcon

ToBitmap

IPGlobalProperties

GetIPGlobalProperties

ToByte

get_Default

Capture

get_Value

IsLetterOrDigit

JavaScriptSerializer

System.Web.Script.Serialization

set_MaxJsonLength

AsyncTaskMethodBuilder

SetException

SetResult

ReadAsStringAsync

get_Client

set_ReceiveBufferSize

set_SendBufferSize

GetHostByName

IPHostEntry

get_AddressList

get_Task

get_SocketError

SocketError

remove_Completed

EventHandler`1

add_Completed

SystemInformation

get_VirtualScreen

Serialize

resource

List`1

.ctor

GetString

EmptyTypes

Func`2

KeyValuePair`2

Enumerable

System.Linq

Select

IList`1

UInt64

Int16

CryptographicException

IDisposable

Dispose

Zero

Single

UInt16

Int64

ParamArrayAttribute

IteratorStateMachineAttribute

Enumerator

MoveNext

get_FullName

Empty

AddRange

XmlTextReader

XmlReader

get_ChildNodes

XmlNodeList

get_ItemOf

IEnumerator

System.Collections

get_InnerText

InvalidOperationException

get_Location

get_EnglishName

ToList

get_Exists

BinaryReader

ReadUInt16

ReadByte

get_Position

ReadInt16

ReadUInt32

Seek

SeekOrigin

Dictionary`2

ContainsKey

Boolean

get_Count

get_Key

set_Item

GetComputerName

LookupAccountName

ConvertSidToStringSid

LocalFree

HMACSHA256

IEnumerator`1

FirstOrDefault

Where

MemoryStream

HashSet`1

LocalMachine

CurrentUser

ToArray

EnumDisplayMonitors

GetMonitorInfo

memcmp

memcpy

SetForegroundWindow

GetForegroundWindow

keybd_event

TextBox

Control

get_Text

Component

System.ComponentModel

ThreadStart

get_Message

GetDeviceCaps

GetHdc

InsertRange

mouse_event

SetCursorPos

SystemParametersInfo

OpenDesktop

CloseDesktop

EnumDesktopWindows

SetWindowPos

IsWindowVisible

SuppressUnmanagedCodeSecurityAttribute

PostMessage

SendMessage

SetThreadDesktop

WindowFromPoint

GetClassName

GetWindowRect

GetParent

GetScrollPos

SetScrollPos

SetActiveWindow

DefWindowProc

CreateProcess

GetThreadDesktop

SetWindowLong

GetWindowLong

GetCurrentThreadId

EnumWindows

PrintWindow

DeleteDC

Last

get_AsyncState

GZipStream

CompressionMode

Write

CreateDesktop

IsWindow

First

FindWindow

ShowWindow

AddressFamily

SocketType

ProtocolType

IPEndPoint

ParameterizedThreadStart

RemoveRange

GetRange

SetLength

ManagementObject

ReadOnlyCollectionBase

Distinct

OpenThread

SuspendThread

ResumeThread

CloseHandle

CopyFile

Tuple`2

DataContractSerializer

XmlObjectSerializer

ReadObject

DeflateStream

CompressionLevel

WriteObject

get_TextInfo

TextInfo

get_OEMCodePage

get_CodePage

get_BaseStream

TextReader

Read

Peek

ApplicationException

ObjectDisposedException

TextWriter

Flush

MD5CryptoServiceProvider

get_OperationalStatus

OperationalStatus

get_Description

GetPhysicalAddress

PhysicalAddress

get_Item1

get_Item2

GetMethod

BindingFlags

MethodBase

Deserialize

CallSite`1

Func`3

CallSite

Target

Func`4

IsWow64Process

MapViewOfFile

CreateFileMappingA

GetFileSizeEx

RmRegisterResources

RmStartSession

RmEndSession

RmGetList

DuplicateHandle

GetCurrentProcessId

TerminateProcess

OpenProcess

GetFinalPathNameByHandleW

UnmapViewOfFile

GetFileType

NtQuerySystemInformation

get_Result

AsyncTaskMethodBuilder`1

AsyncStateMachineAttribute

DebuggerStepThroughAttribute

SymmetricAlgorithm

set_Key

set_IV

get_IV

CreateEncryptor

ICryptoTransform

CryptoStreamMode

CreateDecryptor

Take

Skip

DynamicAttribute

get_DomainName

FileMode

FileAccess

FileShare

Match

Predicate`1

RemoveAll

OpenClipboard

CloseClipboard

SetClipboardData

Count

Nullable`1

GetValueOrDefault

ResourceManager

System.Resources

GetManifestResourceStream

DebuggerHiddenAttribute

EqualityComparer`1

Equals

GetHashCode

DebuggerDisplayAttribute

Account

k__BackingField

k__BackingField

k__BackingField

get_URL

set_URL

value

get_Username

set_Username

get_Password

set_Password

Username

Password

DataContractAttribute

Autofill

k__BackingField

k__BackingField

set_Name

set_Value

Name

Value

ValueType

.cctor

<>9__2_0

<>9__4_0

Browser

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

get_BrowserName

set_BrowserName

get_BrowserProfile

set_BrowserProfile

get_Logins

set_Logins

get_Autofills

set_Autofills

get_CC

set_CC

get_Cookies

set_Cookies

ICollection`1

IsEmpty

BrowserName

BrowserProfile

Logins

Autofills

Cookies

k__BackingField

k__BackingField

k__BackingField

k__BackingField

get_HolderName

set_HolderName

get_Month

set_Month

get_Year

set_Year

get_Number

set_Number

HolderName

Month

Year

Number

ScannedCookie

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

get_Host

set_Host

get_Http

set_Http

get_Path

set_Path

get_Secure

set_Secure

get_Expires

set_Expires

ToText

Host

Http

Secure

Expires

BrowserVersion

k__BackingField

k__BackingField

k__BackingField

get_NameOfBrowser

set_NameOfBrowser

get_Version

set_Version

get_PathOfFile

set_PathOfFile

NameOfBrowser

Version

PathOfFile

Func`1

<>9__0_0

<>9__0_2

<>9__0_4

<>9__0_6

<>9__0_8

Finalize

MulticastDelegate

BeginInvoke

EndInvoke

CompareTo

Resize

ReadMasterOfContext

offset

IEnumerable

System.IDisposable.Dispose

System.Collections.Generic.IEnumerator.get_Current

NotSupportedException

System.Collections.IEnumerator.Reset

Reset

System.Collections.IEnumerator.get_Current

System.Collections.Generic.IEnumerable.GetEnumerator

System.Collections.IEnumerable.GetEnumerator

ScannedFile

k__BackingField

k__BackingField

k__BackingField

k__BackingField

filename

get_NameOfFile

set_NameOfFile

get_Body

set_Body

get_NameOfApplication

set_NameOfApplication

get_DirOfFile

set_DirOfFile

NameOfFile

Body

NameOfApplication

DirOfFile

get_CurrentEncoding

ReadToEnd

SelectMany

GetProperties

PropertyInfo

get_PropertyType

<>9__4_1

FileScannerArg

k__BackingField

k__BackingField

k__BackingField

k__BackingField

get_Tag

set_Tag

set_Directory

get_Pattern

set_Pattern

get_Recoursive

set_Recoursive

Pattern

Recoursive

Random

OrderBy

IOrderedEnumerable`1

Next

HardwareType

value__

Processor

EnumMemberAttribute

Graphic

Json

json

set_RecursionLimit

get_JSON

FromJSON

this

ToJSON

JSON

LocalState

k__BackingField

get_os_crypt

set_os_crypt

os_crypt

OsCrypt

k__BackingField

get_encrypted_key

set_encrypted_key

encrypted_key

LoadLibrary

FreeLibrary

ReliabilityContractAttribute

System.Runtime.ConstrainedExecution

Consistency

GetProcAddress

ScanDetails

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

get_SecurityUtils

set_SecurityUtils

get_AvailableLanguages

set_AvailableLanguages

get_Softwares

set_Softwares

get_Processes

set_Processes

get_SystemHardwares

set_SystemHardwares

get_Browsers

set_Browsers

get_FtpConnections

set_FtpConnections

get_InstalledBrowsers

set_InstalledBrowsers

get_ScannedFiles

set_ScannedFiles

get_GameLauncherFiles

set_GameLauncherFiles

get_ScannedWallets

set_ScannedWallets

get_NordAccounts

set_NordAccounts

get_Open

set_Open

get_Proton

set_Proton

get_MessageClientFiles

set_MessageClientFiles

get_DicrFiles

set_DicrFiles

SecurityUtils

AvailableLanguages

Softwares

Processes

SystemHardwares

Browsers

FtpConnections

InstalledBrowsers

ScannedFiles

GameLauncherFiles

ScannedWallets

NordAccounts

Open

Proton

MessageClientFiles

DicrFiles

SystemHardware

k__BackingField

k__BackingField

get_Counter

set_Counter

get_HardType

set_HardType

Counter

HardType

ScanningArgs

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

k__BackingField

get_ScanBrowsers

set_ScanBrowsers

get_ScanFiles

set_ScanFiles

get_ScanFTP

set_ScanFTP

get_ScanWallets

set_ScanWallets

get_ScanScreen

set_ScanScreen

get_ScanTelegram

set_ScanTelegram

get_ScanVPN

set_ScanVPN

get_ScanSteam

set_ScanSteam

get_ScanDiscord

set_ScanDiscord

get_ScanFilesPaths

set_ScanFilesPaths

get_ScanChromeBrowsersPaths

set_ScanChromeBrowsersPaths

get_ScanGeckoBrowsersPaths

set_ScanGeckoBrowsersPaths

get_Configs

set_Configs

ScanBrowsers

ScanFiles

ScanFTP

ScanWallets

ScanScreen

ScanTelegram

ScanVPN

ScanSteam

ScanDiscord

ScanFilesPaths

ScanChromeBrowsersPaths

ScanGeckoBrowsersPaths

Configs

ScanResult

get_Hardware

set_Hardware

get_ReleaseID

set_ReleaseID

get_MachineName

set_MachineName

get_OSVersion

set_OSVersion

get_Language

set_Language

get_Resolution

set_Resolution

get_ScanDetails

set_ScanDetails

get_Country

set_Country

get_City

set_City

get_TZ

set_TZ

get_IPv4

set_IPv4

get_Monitor

set_Monitor

get_ZipCode

set_ZipCode

get_FileLocation

set_FileLocation

get_SeenBefore

set_SeenBefore

Hardware

ReleaseID

MachineName

OSVersion

Language

Resolution

Country

City

IPv4

ZipCode

FileLocation

SeenBefore

Cast

<>9__7_0

<>9__8_0

<>9__1_0

Stack`1

ThreadStaticAttribute

FieldInfo

get_IsPrimitive

get_IsEnum

get_IsArray

GetElementType

Push

get_IsGenericType

GetGenericTypeDefinition

GetGenericArguments

GetConstructor

IList

IDictionary

IEqualityComparer`1

IgnoreDataMemberAttribute

IsDefined

TryGetValue

GetFields

get_FieldType

ICollection

get_Keys

get_CanRead

ObsoleteAttribute

EnumDesktopWindowsProc

<>9__22_0

TrimExcess

<>9__34_1

<>9__34_7

<>9__34_2

<>9__34_9

<>9__34_4

<>9__34_11

<>9__34_5

<>9__34_13

<>9__34_6

<>9__34_15

Repeat

<>9__6_0

STAThreadAttribute

SetWindowsHookEx

CallNextHookEx

GetModuleHandle

GetWindowThreadProcessId

GetKeyState

GetKeyboardState

GetKeyboardLayout

ToUnicodeEx

MapVirtualKey

GetWindowText

Keys

<>9__23_0

Mutex

WaitHandle

FlagsAttribute

StealerSettingConfigParce

get_discord

set_discord

get_files

set_files

get_ftp

set_ftp

get_steam

set_steam

get_telegram

set_telegram

get_vpn

set_vpn

get_endbled

set_endbled

get_grabber

set_grabber

discord

files

steam

telegram

endbled

grabber

IAsyncStateMachine

TaskAwaiter`1

StringContent

ByteArrayContent

GetAwaiter

get_IsCompleted

AwaitUnsafeOnCompleted

GetResult

SetStateMachine

OnCompleted

<>9__48_0

<>9__49_0

<>9__57_0

<>9__71_0

ElapsedEventArgs

Find

Action`3

<>9__9_0

RuntimeMethodHandle

Module

get_Module

ResolveMethod

get_MethodHandle

GetFunctionPointer

PtrToStructure

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

DebuggableAttribute

DebuggingModes

AssemblyTitleAttribute

AssemblyDescriptionAttribute

AssemblyConfigurationAttribute

AssemblyCompanyAttribute

AssemblyProductAttribute

AssemblyCopyrightAttribute

AssemblyTrademarkAttribute

ComVisibleAttribute

GuidAttribute

AssemblyFileVersionAttribute

TargetFrameworkAttribute

System.Runtime.Versioning

UnverifiableCodeAttribute

ui+vi

mk+nk

{ Type = {Type} }

Type

Name

Name

Username

Name

Password0

Name

AccountT

\tNamespace

BrowserExtension

Name

Name

Name

Value1

Name

AutofillT

\tNamespace

BrowserExtension

Name

BrowserName

Name

BrowserProfile\t(

Name

Logins\t(

Name\tAutofills\t(

Name

CC\t(

Name

Cookies7

Name

ScannedBrowserT

\tNamespace

BrowserExtension

Name

HolderName

Name

Month

Name

Year

Name

Number+

Name

\tNamespace

BrowserExtension

Name

Host

Name

Http

Name

Path

Name

Secure

Name

Expires6

Name

ScannedCookieT

\tNamespace

BrowserExtension

Name

NameOfBrowser

Name

Version

Name

PathOfFile7

Name

BrowserVersionT

\tNamespace

BrowserExtension:

Name

NameOfFile

Name

Body

Name

NameOfApplication

Name\tDirOfFile4

Name

ScannedFileT

\tNamespace

BrowserExtension

Name\tDirectory

Name

Pattern

Name

Recoursive7

Name

FileScannerArgT

\tNamespace

BrowserExtension%

Name

HardwareType

Name

os_crypt

Name

LocalState

Name

encrypted_key

Name

OsCrypt

Name

SecurityUtils

Name

AvailableLanguages

Name\tSoftwares

Name\tProcesses

Name

SystemHardwares\t(

Name

Browsers\t(

Name

FtpConnections\t(

Name

InstalledBrowsers

Name

ScannedFiles

Name

GameLauncherFiles

Name

ScannedWallets

Name

Nord

Name

Open

Name

Proton

Name

MessageClientFiles

Name\tDicrFiles4

Name

ScanDetailsT

\tNamespace

BrowserExtension

Name

Counter

Name

HardType7

Name

SystemHardwareT

\tNamespace

BrowserExtension\t

Name

ScanBrowsers

Name\tScanFiles

Name

ScanFTP

Name

ScanWallets

Name

ScanScreen

Name

ScanTelegram

Name

ScanVPN

Name\tScanSteam

Name

ScanDiscord

Name

ScanFilesPaths#

Name

ScanChromeBrowsersPaths”

Name

ScanGeckoBrowsersPaths

Name

Configs5

Name

ScanningArgsT

\tNamespace

BrowserExtension\t

Name

WalletConfigT

\tNamespace

BrowserExtension

Name

Hardware

Name\tReleaseID

Name

MachineName

Name\tOSVersion

Name

Language

Name

ScreenSize

Name

ScanDetails

Name

Country

Name

City

Name

TimeZone

Name

IPv4

Name

Monitor

Name

ZipCode

Name

FileLocation

Name

SeenBefore3

Name

ScanResultT

\tNamespace

BrowserExtension\t

Name

discord

Name

files

Name

Name

steam

Name

telegram

Name

Name

endbled

Name

grabber@

Name

StealerSettingConfigParceT

\tNamespace

SettingsParces

WrapNonExceptionThrows

$fb27641d-4694-4b93-9361-8f5262570e64

1.0.0.0

.NETFramework,Version=v4.7.2

FrameworkDisplayName

.NET Framework 4.7.2

<security>

  <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">

    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>

  </requestedPrivileges>

</security>

+————————————-+

| FLOSS STATIC STRINGS: UTF-16LE (32) |

+————————————-+

Login Data, CommandLine: , Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall-*.lo–gNoDefrdDefVPNDefID: CommandLineOpera GX Stabletdata\tdataZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbg==AFileSystemntivFileSystemirusPrFileSystemoduFileSystemct|AntiFileSystemSpyWFileSystemareProFileSystemduct|FireFileSystemwallProdFileSystemuct[^\u0020-\u007F]Profilesexpiraas21tion_yas21ear%appdata%\discord\Local Storage\leveldbmoz_cookiesTotalVisibleMemorySizeis_securewaasflletasfWeb DataDisplayVersionautofill

//settString.Replaceing[@name=\UString.Replacesername]/vaString.Replaceluepath%appdata%{0}\FileZilla\recentservers.xmlUser Data{0}\FileZilla\sitemanager.xml MB or SELECT * FROM Cookiesconfig

Local StateProfile_%localappdata%\valuecookiesTotal of RAMwaasflleasft.datasfcard_number_encryptedwindows-1251

isSecureSoftware\Valve\SteamROOT\SecurityCenterv10ssfnexpiryname_on_cardSteamPath//settinString.Removeg[@name=\PasswString.Removeord]/valuString.Removeeencrypted_valueNWinordVWinpn.eWinxeWinDisplayName\Program Files\Program Files (x86)\profiles1.1l1d1begram.exehost_keyAppData\Local\ProcessIdUnknownExtensionexpires_utcuser.config\Telegram Desktop\tdataAppData\Roaming\OpHandlerenVPHandlerN ConHandlernectName%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingUNKNOWNOpera GXv11\Program Data\name{}:,[]”.Profile_Unknownloginscookies.sqliteROOT\SecurityCenter2coMANGOokies.sqMANGOliteLocalPrefs.json\Windows*.vstring.Replacedfexpiras21ation_moas21nth%DSK_23%TelTReplaceokReplaceenReplaces.tReplacextdisplayName[AString-ZaString-z\d]{2String4}.[String\w-]{String6}.[\wString-]{2String7}Local Extension Settingshost

  • 6$7%8&?’@7A:CGzV

“&%’%/.21:9;9FEJIPOQOSRTRURVRWRXRYRZR[R\R]R^R_R`RaRbRcRdReRfRgRhRiRjRkRlRmRnRoRpRutvtwtyxzx{x|x}x~x

abcdefghijklmnop

estu

yxyz

wosoqulwj2u, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

resource

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

Comments

CompanyName

FileDescription

FileVersion

1.0.0.0

InternalName

dfgfghfghfghfghfgh.exe

LegalCopyright

LegalTrademarks

OriginalFilename

dfgfghfghfghfghfgh.exe

ProductName

ProductVersion

1.0.0.0

Assembly Version

1.0.0.0

RAT Capabilities & Theft Targets

FLOSS string extraction from the dumped payload revealed extensive financial data theft operations targeting cryptocurrency users, gamers, and business users.


Modular Configuration System

The malware uses a modular configuration with distinct scanning modules:

Configuration Flags:
├─ ScanBrowsers    → Browser credential harvesting
├─ ScanWallets     → Cryptocurrency wallet extension theft
├─ ScanFiles       → Document/file enumeration
├─ ScanFTP         → FTP client credential theft
├─ ScanTelegram    → Telegram data exfiltration
├─ ScanVPN         → VPN configuration theft
├─ ScanSteam       → Steam account credential theft
├─ ScanDiscord     → Discord token harvesting
└─ ScanScreen      → Screenshot capability

This modularity allows operators to enable/disable capabilities per target, reduce detection surface by disabling unused features, and customize theft profiles for different campaigns.

Cryptocurrency Wallet Targeting (24 Extensions)

The malware contains a base64-encoded list of 24 cryptocurrency wallet browser extensions:

Primary Targets:

  • Metamask (Ethereum, ~21M users)
  • Coinbase (major exchange wallet)
  • BinanceChain (Binance ecosystem)
  • Phantom (Solana ecosystem)
  • BraveWallet (Brave browser integrated)

Multi-Chain Wallets:

  • MathWallet, GuardaWallet, AtomicWallet, Coin98Wallet, BitAppWallet

Gaming/NFT Focused:

  • RoninWallet (Axie Infinity), GuildWallet, Wombat (EOS gaming), NiftyWallet

Blockchain-Specific:

  • TronLink (Tron), TerraStation (Terra/Luna), HarmonyWallet, KardiaChain, TonCrystal, YoroiWallet (Cardano)

Additional:

  • EqualWallet, JaxxxLiberty, iWallet, MewCx (MyEtherWallet)

The inclusion of RoninWallet (Axie Infinity), GuildWallet, and Wombat indicates operators specifically target blockchain gaming communities and NFT traders. Multi-chain wallet support (MathWallet, Coin98, AtomicWallet) targets DeFi traders who manage portfolios across multiple blockchains. It appears very flexible.

Browser Data Theft

Chromium-Based Browsers:
Target Files:

  • Login Data → SQLite database with encrypted credentials
  • Cookies → Session cookies for session hijacking
  • Local State → Contains master encryption key for passwords
  • Web Data → Autofill data, payment methods
  • */User Data/Default → Profile-specific data

Credit Card Theft:

  • card_number_encrypted, name_on_card, expiration_month, encrypted_value

Supported Browsers: Chrome, Edge, Opera GX, Brave, any Chromium-based browser

Firefox-Based:

Target Files:

  • cookies.sqlite, logins.json, key4.db (master password), cert9.db

Access to Local State and key4.db allows decryption of all stored passwords, enabling complete credential harvesting from browser password managers.

Application-Specific Targeting

Discord Token Theft:

Target Path: %appdata%\discord\Local Storage\leveldb\
Target Files: *.ldb, Tokens.txt

Potential Impact:
├─ Complete account takeover
├─ Access to all DMs and servers
├─ Ability to send messages as victim
└─ Two-factor bypass (token-based auth)

(Discord's token security sucks :p)

Telegram Data Exfiltration:

Target Path: \Telegram Desktop\tdata\
Target Files: key_datas, *s files, user_data, usertag, settings*

Impact:
├─ Complete message history access
├─ Contact list exfiltration
├─ Media file access
└─ Session hijacking

Steam Account Theft:

Registry Target: Software\Valve\Steam\SteamPath
File Targets: ssfn*, config/loginusers.vdf, config/config.vdf

Impact:
├─ Complete account access
├─ Inventory theft (CS:GO skins, TF2 items)
├─ Steam Market access
└─ Trading functionality

FileZilla FTP Credentials:

Target Paths: %appdata%\FileZilla\
Target Files: recentservers.xml, sitemanager.xml (plaintext passwords)

Impact:
├─ Website/server access
├─ Database credentials (if stored)
├─ Ability to deface websites
└─ Lateral movement to server infrastructure

VPN Configuration Theft:

Target Extensions: *.ovpn, *.vd, profiles*.ld, *.conf

Specific Targets: OpenVPN, NordVPN, ProtonVPN, WireGuard

Impact:
├─ Corporate network access
├─ VPN credential theft
├─ Bypass of IP geolocation restrictions
└─ Enterprise network penetration

System Reconnaissance

The malware performs comprehensive system profiling before data exfiltration.

Security Software Enumeration:

WMI Queries:
├─ ROOT\SecurityCenter → Windows Security Center status
├─ ROOT\SecurityCenter2 → Windows Defender status
├─ AntiSpyWareProduct → Installed anti-malware products
└─ FirewallProduct → Firewall configuration

System Information Collection:

Data Points:
├─ CommandLine → Process command-line arguments
├─ DisplayVersion → Windows version/build
├─ DisplayName → Installed software names
├─ TotalVisibleMemorySize → Total RAM capacity
├─ ProcessorId → CPU identifier
└─ UserName → Current user account

File System Scanning:

Target Directories:
├─ %appdata%
├─ %localappdata%
├─ %USERPROFILE%\AppData\Roaming
├─ %USERPROFILE%\AppData\Local
├─ \Program Files\
└─ \Program Files (x86)\

String Obfuscation

The malware employs multiple layers of obfuscation for sensitive string storage:

  • Layer 1: XOR encryption with key 0xD0 (208 decimal)
  • Layer 2: Base64 encoding over XOR-encrypted data
  • Layer 3: Calli obfuscation prevents string-to-usage mapping

Network Infrastructure Analysis

Active Command & Control

Primary C2 Server:

IP Address: 45.141.87.249
Port: 15847
ASN: Media Land LLC
Country: Russian Federation
Status: Offline (failed connection during analysis)
Protocol: TCP

The malware also contacts binance servers (hosted on AWS) dynamic ip etc:

IP Address: 52.223.34.155
Port: 443 (HTTPS)
ASN: AMAZON-02 (AWS)
Country: United States
Data Observed: 829 bytes upload, 5 KB download
Purpose: Likely data exfiltration or secondary C2
Status: Active (successful connection)

The Russian C2 was offline during analysis (connection attempts failed).

Cryptocurrency Operations Infrastructure

Binance Smart Chain (BSC) Nodes:

Primary Nodes:
├─ bsc-dataseed1.ninicoin.io
├─ bsc-dataseed2.ninicoin.io
├─ bsc-dataseed3.ninicoin.io
└─ bsc-dataseed4.ninicoin.io

Binance Official: bsc-dataseed1.binance.org
Protocol: JSON-RPC over HTTPS
Port: 443

Network Traffic Pattern

Wireshark Analysis Results:

Russian C2 Connection Attempt

  • 45.141.87.249:15847
  • Status: FAILED (RST packet received)
  • Retries: 3 attempts, all failed
  • Conclusion: C2 server offline/blocked

AWS Connection

  • 52.223.34.155:443
  • Status: SUCCESS (TLS handshake complete)
  • Data Transfer: 829 bytes up, 5 KB down
  • TLS Version: 1.2

BSC Node Queries

  • bsc-dataseed[1-4].ninicoin.io:443
  • Status: SUCCESS (multiple queries)
  • Request Pattern: eth_call JSON-RPC
  • Frequency: ~15 queries per minute

AliyunWrap.dll Deep Dive

AliyunWrap.dll is one of the most interesting components. It’s a 493 KB DLL heavily detected by AV (39/72) that initially appeared suspicious but dependency testing proved it’s required for E-Consol.exe to function.

Removing AliyunWrap.dll causes E-Consol.exe to fail immediately with “AliyunWrap.dll was not found” error. It appears to be an essential component.

Ghidra Analysis: Legitimate Cloud APIs

Static analysis in Ghidra revealed AliyunWrap.dll contains a complete, professional implementation of Alibaba Cloud Log Service APIs.

Exported DLL Functions:





AliyunOpenSession, AliyunCloseSession, AliyunSendInfo
AliyunAddParamToSessionA/W, AliyunEnableUserInfoCollect
AliyunGetUserUid, AliyunInstallConfigFilePath
AliyunInstallInitUid, AliyunIsEnableUserInfoCollect
AliyunStopProcess, AliyunUninstallStart/End
SendLogToCloud (main cloud upload function)

Configuration System:

[Config Section Keys]
LOGENDPOINT, ACCESSKEYID, ACCESSKEYSECRET
PROJECTNAME, LOGSTORENAME, LOGSTORENAME2
ProductName, AllowSendUrl, SZUID
bAllowSendInfo, bAutoAddUid, bAutoAddTimestamp
nLimitKeyvalueMaxLen, nLimitPairsCount
nMaxItemCount, nMaxItemDays, nMaxIdleMinutes

Network Protocol Implementation:

POST http://[project].[domain]/logstores/[logstore]/shards/lb HTTP/1.1
Host: [project].[domain]
Content-Type: application/x-protobuf
x-log-apiversion: 0.6.0
x-log-compresstype: lz4
x-log-signaturemethod: hmac-sha1
x-log-bodyrawsize: [size]
x-acs-security-token: [token]
Content-MD5: [hash]
Authorization: LOG [accesskey]:[signature]
User-Agent: log-c-lite_0.1.0
Date: [RFC 822 timestamp]

[Protocol Buffers binary data - LZ4 compressed]

System Profiling Capabilities:

Hardware enumeration:
├─ HARDWARE\DESCRIPTION\System\CentralProcessor\0
├─ ProcessorNameString (CPU model)
├─ SystemBiosVersion
└─ ~MHz (CPU frequency)

Process monitoring:
├─ CreateToolhelp32Snapshot (enumerate processes)
├─ Process32FirstW/Process32NextW (iterate)
└─ OpenProcess (access process handles)

Network adapter info:
├─ GetAdaptersInfo (MAC addresses)
└─ Network interface details

Credential Harvesting Infrastructure:





.netrc file parsing:
├─ machine [hostname]
├─ login [username]
└─ password [password]

Authentication methods supported:
├─ LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, GSSAPI
├─ EXTERNAL, NTLM, SCRAM-SHA-1, SCRAM-SHA-256
├─ XOAUTH2, OAUTHBEARER, AWS_SIGV4

Protocol support:
├─ IMAP (CAPABILITY, AUTHENTICATE, FETCH)
├─ SMTP (MAIL FROM, RCPT TO)
├─ POP3
└─ STARTTLS

Code Signing Certificate:





Signer: CHENGDU YIWO Tech Development Co., Ltd.
Location: Wuhou District, Chengdu, Sichuan
Organization ID: 91510107765360104N
CA: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Valid: 2024-07-09 to 2027-07-09 (REVOKED)

PDB Debug Paths:

D:\svn\share_lib\99_publiclibrary\aliyunlog-2017\userinfocollect\aliyun-vs2017-lib\aliyun\src\log_api.cpp
D:\EPM\_EPM_main\ShareLib\aliyunlog\Release_x64\AliyunWrap.pdb




The professional implementation uses correct Alibaba Cloud authentication (HMAC-SHA1), proper Protocol Buffers serialization, and LZ4 compression. The PDB paths reveal SVN version control and professional development environment.

The Runtime Reality: Required But Not Used for Cloud

Dependency testing proved AliyunWrap.dll is required for E-Consol.exe to start (removing it causes immediate failure). However, dynamic analysis revealed zero Alibaba Cloud traffic.

AliyunWrap.dll IS loaded by E-Consol.exe (hard dependency), and some functions from it are used (likely crypto/PNG extraction), but the Alibaba Cloud networking functions are not used (no cloud traffic).

E-Consol.exe likely imports AliyunWrap.dll for its crypto/decompression functions (needed to extract Jeadpietpour.rky payload) but doesn’t use the cloud upload functionality. The cloud API code is vestigial from an earlier version or repurposed from legitimate software.

Definitive Evidence: Import Analysis

Analysis of E-Consol.exe’s import table definitively resolves whether AliyunWrap.dll’s extensive credential harvesting and cloud upload code is active.

E-Consol.exe imports one single function from AliyunWrap.dll:





ALIYUNWRAP.DLL
└─ SendLogToCloud

E-Consol.exe does not import any of the other 26 exported functions

What This Proves:

  1. E-Consol.exe cannot call functions it doesn’t import
  2. The credential harvesting code requires those other functions – they’re part of the “user info collect” and “session” APIs
  3. Only SendLogToCloud() is used – despite its misleading name, this is the decryption/extraction function
  4. All other code is vestigial – present in the DLL but unreachable by E-Consol.exe

The FTP/IMAP/SMTP/credential harvesting code in AliyunWrap.dll is definitively inactive in this sample. E-Consol.exe’s import table proves it only uses the single SendLogToCloud() function, which despite its name, is repurposed for payload decryption rather than cloud data exfiltration.

Why the Cloud Code Remains

Evidence Supporting Repurposed Library Theory:

  1. Code Signing Certificate:
    • Signed by legitimate Chinese software company (CHENGDU YIWO Tech)
    • Certificate was revoked (indicating abuse/theft)
    • Suggests this is real Aliyun SDK code from a legitimate product
  2. Professional Development:
    • PDB paths show SVN version control: D:\EPM\_EPM_main\ShareLib\aliyunlog\
    • Production quality code with proper error handling
    • Too polished to be fake/decoy code
  3. Functional Crypto Library:
    • Contains working implementations of HMAC-SHA1, MD5, Base64, LZ4
    • These functions ARE used by E-Consol.exe (for Jeadpietpour.rky extraction)
    • Only the cloud UPLOAD functions are unused
  4. Dependency Requirement:
    • E-Consol.exe hard-coded to require AliyunWrap.dll
    • Not just present as misdirection – actually imported and loaded
    • Removing it causes immediate execution failure

AliyunWrap.dll is a repurposed legitimate library from Alibaba Cloud SDK or telemetry software. The malware authors kept the crypto/compression functions they need, left the cloud upload code intact (easier than removing), and never use the credential harvesting code. The YIWO Tech certificate being revoked supports this – it was legitimate software that was stolen and repurposed for malware.

Unintentional Decoy Effect:

While AliyunWrap.dll is functionally necessary, it creates a decoy effect:

  • 39/72 AV detection draws attention away from 0/72 clean E-Consol.exe
  • Analysts waste time analyzing unused cloud functions
  • Attribution confusion (Chinese certificate + Russian C2)

Reverse Engineering AliyunWrap.dll

This section documents the reverse engineering process that revealed how E-Consol.exe loads and decrypts Jeadpietpour.rky using AliyunWrap.dll. Analysis was performed using Ghidra with supplemental dynamic analysis via ANY.RUN sandbox.

Component Architecture

E-Consol.exe (Orchestrator):

  • Imports only SendLogToCloud from AliyunWrap.dll
  • Builds parameter vector via internal functions
  • Calls AliyunWrap.dll with configuration data
  • Performs post-load operations via AttemptInstallation

AliyunWrap.dll (Dual-Purpose Library):

  • Legitimate Path: Alibaba Cloud Log Service API (unused in this sample)
  • Malicious Path: PE reflective loading and decryption

Confirmed Call Chain





E-Consol.exe
├─ FUN_1400017a0 (Main orchestration loop)
│   ├─ FUN_140001e60 (Data preparation)
│   ├─ FUN_140001b20 (Build parameter vector)
│   └─ SendLogToCloud(vector<pair<wchar_t*, wchar_t*>>)
│
AliyunWrap.dll
├─ SendLogToCloud (Vector entry point - 0x180004050)
│   └─ Data conversion: wchar_t → char
│   └─ SendLogToCloud (Raw pointer wrapper - 0x180003fa0)
│       └─ Retry logic (attempts twice on failure)
│       └─ SendLogToCloud_Interface (Orchestrator - 0x180003d20)
│           ├─ LoadCloudConfig (Parse AliyunConfig.ini)
│           ├─ ExtractDomain/ExtractEndpoint (Parse settings)
│           ├─ GetCloudContext (Initialize context)
│           ├─ UploadDataToCloud (Protocol Buffers encoding)
│           └─ [Unknown routing logic] ← GAP IN ANALYSIS
│               └─ ReflectivePELoader (PE loader - 0x180008e30)
│                   ├─ API resolution via hashing
│                   ├─ File operations (CreateFileW/ReadFile - obfuscated)
│                   ├─ PE header parsing
│                   ├─ Memory allocation + VirtualProtect
│                   └─ Payload execution

Analysis Gap: The exact conditional logic that routes from SendLogToCloud_Interface to ReflectivePELoader is obfuscated. Static analysis shows both functions exist, but the dispatcher mechanism uses either encrypted parameters or function pointer indirection that wasn’t fully resolved.

Import Analysis: Definitive Proof of Unused Code

E-Consol.exe’s import table confirms which AliyunWrap.dll functions are used:

Imported Functions:
✓ SendLogToCloud (vector<pair<wchar_t*, wchar_t*>>) - USED

Not Imported:
✗ AliyunOpenSession
✗ AliyunEnableUserInfoCollect  
✗ AliyunSendInfo
✗ All other 26+ cloud API functions

This proves the extensive Alibaba Cloud code (HMAC-SHA1, Protocol Buffers, HTTP client) is vestigial – present in the DLL but unreachable by E-Consol.exe. The credential harvesting code discovered in FLOSS analysis is definitively inactive.

AliyunWrap.dll Obfuscation Analysis

Static analysis of AliyunWrap.dll revealed significant anti-analysis techniques that prevented complete code tracing:

API Hashing: Function calls throughout the DLL use dynamic resolution via hash-based lookups (multiplicative hash: hash * 2 + byte). This prevents static identification of which Windows APIs are called, though constants matching standard file I/O parameters (GENERIC_READ, OPEN_EXISTING) were observed.

String References: Analysis confirmed Jeadpietpour.rky is explicitly referenced in AliyunWrap.dll code at address 0x180008e30, with ASCII-to-wide-char conversion patterns consistent with Windows file operations.

Code Patterns: The function at 0x180008e30 contains:

  • Hash-based function resolution loops
  • Constants matching PE structure offsets (0x3c, 0x2c)
  • Memory protection constant 0x40 (PAGE_EXECUTE_READWRITE value)
  • Memory copy operations

These patterns are consistent with reflective PE loading techniques, though the exact execution flow could not be definitively traced due to obfuscation.

Analysis Limitation: The routing mechanism from SendLogToCloud to internal payload processing functions uses either encrypted parameters or function pointer indirection that static analysis could not fully resolve. Import table analysis remains the definitive proof of which functions E-Consol.exe actually uses.

Technical Findings Summary

Observed Evidence:

  1. Function at 0x180008e30 exists and is registered in Windows SEH exception table
  2. References “Jeadpietpour.rky” string explicitly
  3. Converts filename to wide char for Windows APIs
  4. Uses API hashing to obfuscate Windows function calls
  5. Contains constants matching standard file I/O and PE structure parameters
  6. Contains constant 0x40 (PAGE_EXECUTE_READWRITE value)
  7. Contains memory copy loops and indirect function calls

Inferred Behavior (based on code patterns):

  • Function likely performs file operations on Jeadpietpour.rky
  • Code patterns consistent with PE loading techniques
  • Memory operations suggest executable payload loading

Unknown Elements:

  • Exact decryption algorithm (AES-256 suspected based on AliyunWrap.dll crypto functions)
  • Decryption key source (embedded, derived, or from Meck.xkd)
  • Precise routing logic from SendLogToCloud_Interface to payload loading
  • Complete API hash to function name mapping
  • Meck.xkd purpose (83KB file – possibly staging data or key material)

Why This Design is Effective

The separation of concerns provides multiple evasion layers:

  1. Clean Executables: E-Consol.exe (0/72 detection) and FluInterface32.exe (0/68 detection) contain no malicious code on disk
  2. Repurposed Library: AliyunWrap.dll appears as legitimate Alibaba SDK with valid (revoked) code signature
  3. Encrypted Payload: Jeadpietpour.rky remains encrypted on disk until runtime
  4. Memory-Only Execution: Malicious code never touches disk in decrypted form
  5. API Obfuscation: Hashing prevents signature-based detection of malicious API sequences

Automated Analysis: CAPA Findings

CAPA (FLARE Capability Analysis) was run against both E-Consol.exe and AliyunWrap.dll to identify capabilities through automated pattern matching. Key findings support and extend our manual analysis.

E-Consol.exe Capabilities

File Operations:

✓ read .ini file (6 matches) - Configuration file parsing
✓ write file on Windows - Dropper functionality
✓ delete file (2 matches) - Cleanup operations
✓ check if file exists (2 matches) - Pre-execution validation
✓ set current directory - Environment manipulation

Process Management:

✓ check mutex and exit - Anti-rerun protection
✓ create mutex - Single instance enforcement
✓ parse PE header - PE file manipulation capability

Network Communication:

✓ download URL - File retrieval capability
✓ receive data - C2 communication potential
✓ HTTP client - Web-based communication

Runtime Behavior:

✓ link function at runtime (5 matches) - Dynamic API resolution via GetProcAddress
✓ reference anti-VM strings - VM detection capability
✓ query registry value - System reconnaissance

AliyunWrap.dll Capabilities

Anti-Analysis Techniques:

✓ check for software breakpoints (0x180015B90) - Anti-debugging
✓ reference anti-VM strings - VM detection

Cryptographic Operations (Confirms Our Analysis):

✓ hash data using djb2 (0x18001E090) - API hashing function
✓ hash data with MD5 - Integrity checking
✓ hash data using SHA1 (2 matches) - HMAC operations
✓ authenticate HMAC - Alibaba Cloud authentication
✓ encrypt data using RC4 PRGA (2 matches) - Stream cipher
✓ encrypt data using DES - Block cipher
✓ encrypt or decrypt via WinCrypt - Windows Crypto API usage
✓ encode data using XOR (2 matches) - Simple obfuscation
✓ encode data using Base64 - Data encoding

Key Discovery – API Resolution:

✓ resolve function by parsing PE exports (0x180008AC4)

This function at 0x180008AC4 is part of the API hashing infrastructure we documented in ReflectivePELoader. It parses PE export tables to resolve function addresses by hash, confirming our static analysis findings.

Key Discovery – DJB2 Hashing:

✓ hash data using djb2 (0x18001E090)

The DJB2 hash algorithm is commonly used for API hashing in malware. However, our manual analysis of ReflectivePELoader showed a simpler hash * 2 + byte algorithm. This suggests:

  • Multiple hashing schemes are present in AliyunWrap.dll
  • DJB2 may be used elsewhere (possibly for config or string obfuscation)
  • The ReflectivePELoader uses a custom variant

Network & Communication (Extensive Capabilities):

✓ send data (15 matches) - Comprehensive exfiltration capability
✓ receive data (5 matches) - C2 communication
✓ HTTP status code checking (3 matches) - Robust HTTP client
✓ resolve DNS - Domain resolution
✓ initialize Winsock library - Network stack initialization
✓ socket operations (11+ matches) - Raw socket communication

Process & System Manipulation:

✓ create process on Windows (2 matches) - Process spawning capability
✓ enumerate processes (2 matches) - System reconnaissance
✓ terminate process (2 matches) - Process control
✓ enumerate process modules - Advanced process inspection
✓ create thread (2 matches) - Multi-threading support

File System Operations:

✓ read file on Windows (4 matches) - File I/O confirmed
✓ write file on Windows (2 matches) - File creation
✓ read .ini file (4 matches) - Configuration parsing
✓ copy file (2 matches) - File duplication
✓ move file - File relocation
✓ delete file - File cleanup

Analysis Correlations

Confirmed from Manual Analysis:

  1. API Hashing: CAPA identified djb2 hashing (0x18001E090) and PE export parsing (0x180008AC4), validating our observation of API obfuscation in ReflectivePELoader
  2. Cryptographic Capabilities: Multiple encryption schemes (RC4, DES, HMAC-SHA1) confirm AliyunWrap.dll’s crypto functionality for Jeadpietpour.rky decryption
  3. File Operations: Read/write capabilities support our conclusion that the DLL performs file I/O despite not seeing direct CreateFileW in decompiled code
  4. Anti-Analysis: Software breakpoint detection and anti-VM strings confirm sophisticated evasion techniques

New Discoveries:

  1. Process Enumeration: Two separate implementations suggest capability to identify security products or sandboxes
  2. Thread Creation: Multi-threading support may indicate asynchronous operations or persistence mechanisms
  3. Named Pipes: Read pipe capability (0x180040160) suggests potential for inter-process communication or cmd.exe output capture
  4. Luhn Algorithm: Payment card validation (0x180033B40) indicates potential credit card theft functionality beyond our initial analysis

CAPA Limitations

CAPA identifies capabilities but cannot determine:

  • Whether capabilities are actually used (many may be vestigial from legitimate Alibaba SDK)
  • The routing logic between components
  • Encrypted strings or obfuscated parameters
  • Runtime behavior under specific conditions

Our manual analysis provides context for which CAPA-detected capabilities are actively exploited versus dormant code.


Conclusion

This Arechclient2/SectopRAT variant demonstrates advanced adversary tradecraft through component separation and multi-layer evasion.

The Component Strategy

AliyunWrap.dll serves a dual purpose: it’s both functionally necessary and analytically misleading.

Functional Necessity:

  • Dependency testing proved E-Consol.exe crashes without AliyunWrap.dll
  • Contains crypto/decompression functions (CAPA identified DES, RC4, SHA1, HMAC implementations)
  • Likely provides Windows CryptoAPI wrapper functions for decrypting Jeadpietpour.rky

Analytical Misdirection:

  • Contains extensive Alibaba Cloud API code that never executes
  • Contains FTP/IMAP/SMTP credential harvesting code that’s definitively unused (import analysis proves this)
  • PDB paths suggest legitimate software origin, not purpose-built malware
  • Heavy AV detection (39/72) draws attention while clean components (0/72) execute

The most likely explanation: AliyunWrap.dll is repurposed from legitimate Alibaba Cloud SDK or telemetry software. The malware authors kept the crypto/compression functions they need, left the cloud upload code intact (easier than removing), and never use the credential harvesting code. The YIWO Tech certificate being revoked supports this.

Evasion Through Separation

The multi-layer evasion strategy operates across the entire attack lifecycle:

  1. Delivery Phase: Clean PNG (0/97) bypasses email/web filters via steganography
  2. Installation Phase: Clean executables (0/72) bypass AV signature scans
  3. Execution Phase: Process injection hides malicious code in memory-only execution
  4. Analysis Phase: Calli obfuscation defeats debuggers and decompilers
  5. Network Phase: Legitimate infrastructure (BSC, AWS) appears as normal traffic

Financial Targeting

The comprehensive cryptocurrency targeting (24 wallet extensions) combined with gaming (Steam), messaging (Discord/Telegram), and business (FTP) credentials reveals operators specifically hunting high-value targets:

  • Blockchain Gamers: RoninWallet (Axie Infinity) targets play-to-earn users
  • DeFi Traders: Multi-chain wallets target users with diversified portfolios
  • NFT Collectors: Wallets like MewCx and NiftyWallet target NFT traders
  • Enterprise Users: FTP and VPN theft enables lateral movement

Evolution from Standard SectopRAT

This variant represents significant evolution from standard SectopRAT deployments:

Evolution PointStandard SectopRATThis Variant
DeliveryDirect downloadHijackLoader steganography
InjectionMSBuild.exe (LOLBin)Custom FluInterface32.exe
ObfuscationBasic ConfuserExStrategic clean/obfuscated separation
C2Dynamic (Pastebin)Hardcoded Russian + AWS backup
Targeting~10 wallets24 wallets + comprehensive apps

The shift to steganographic delivery, combined with custom injection targets and intentional decoy modules, shows commodity malware adopting APT-level techniques.

What Was Definitively Proven

Confirmed findings:

  • Steganographic delivery via PNG (IDAT chunk + XOR decryption)
  • Multi-component architecture with clean droppers (0/72 detection)
  • Component dependencies: E-Consol.exe requires AliyunWrap.dll and Jeadpietpour.rky
  • Process injection into FluInterface32.exe (confirmed via Hollows Hunter)
  • Comprehensive RAT/infostealer capabilities from memory dump (24 crypto wallets, Discord, Telegram, Steam, FTP, VPN)
  • C2 infrastructure: Russian C2, AWS backup, BSC blockchain queries
  • AliyunWrap.dll credential harvesting is DEFINITIVELY INACTIVE (import analysis proves this)
  • Calli obfuscation prevents debugging

Unknown or speculative:

  • Exact decryption mechanism in AliyunWrap.dll (likely AES-256)
  • Meck.xkd purpose (83KB file – possibly key file or config)
  • Jeadpietpour.rky internal structure (PNG container with encrypted payload)
  • Injection technique details (exact API calls unknown)
  • Full C2 protocol (server was offline during analysis)

Static Analysis: CAPA Capability Detection

CAPA analysis confirms the capabilities observed during reverse engineering and reveals additional functionality in both components.

E-Consol.exe Capabilities

Core Functionality:

parse PE header                    → Confirms PE manipulation capability
create mutex                       → Single-instance enforcement
check mutex and exit              → Prevents multiple executions

File System Operations:

read .ini file (6 matches)        → Configuration file processing
check if file exists (2 matches)   → File verification
delete file (2 matches)           → Cleanup operations
write file on Windows             → Component deployment
set current directory             → Working directory manipulation

Network Operations:

download URL                      → File download capability
receive data                      → C2 communication
get MAC address on Windows        → System fingerprinting

Anti-Analysis:

reference anti-VM strings         → VM detection capability
link function at runtime (5 matches) → Dynamic API resolution

AliyunWrap.dll Capabilities

Command & Control:

send data (15 matches)            → Extensive C2 communication
receive data (5 matches)          → Command reception
check HTTP status code (3 matches) → HTTP-based C2 validation
resolve DNS                       → Domain resolution
get socket information (11 matches) → Network operations
initialize Winsock library        → Windows sockets initialization

Cryptography & Encoding:

hash data using MD5               → Data integrity/identification
hash data using SHA1 (2 matches)  → Cryptographic hashing
hash data using djb2              → Fast hashing (likely for API hashing)
authenticate HMAC                 → Message authentication (Alibaba Cloud)
encrypt data using RC4 (2 matches) → Stream cipher encryption
encrypt data using DES            → Block cipher encryption
encode data using XOR (2 matches) → Simple obfuscation
encode data using Base64          → Data encoding

Process & System Interaction:

create process on Windows (2 matches) → Process spawning (FluInterface32.exe)
enumerate processes (2 matches)   → System reconnaissance
enumerate process modules         → Module enumeration
terminate process (2 matches)     → Process control
read pipe                         → Inter-process communication
create thread (2 matches)         → Threading capability

Anti-Analysis & Evasion:

check for software breakpoints    → Anti-debugging
reference anti-VM strings         → VM detection
resolve function by parsing PE exports → Dynamic API resolution (confirms our findings)

Data Theft Infrastructure:

get MAC address on Windows        → Network fingerprinting
get local IPv4 addresses (11 matches) → Network enumeration
query environment variable (2 matches) → System information gathering
get session user name             → User identification
get user security identifier      → SID enumeration

File Operations:

read file on Windows (4 matches)  → File reading (Jeadpietpour.rky)
write file on Windows (2 matches) → File writing
copy file (2 matches)             → File copying
move file                         → File relocation
delete file                       → Cleanup operations
check if file exists (2 matches)  → File verification
read .ini file (4 matches)        → Configuration parsing

Notable Technical Details:

linked against libcurl            → Uses libcurl for HTTP operations
validate payment card number using luhn → Credit card validation capability
generate random numbers via WinAPI → PRNG for cryptographic operations

Key Observations

1. Dual-Purpose Design: AliyunWrap.dll contains both legitimate Alibaba Cloud functionality (HMAC, HTTP, Base64) and malicious capabilities (process enumeration, anti-debugging, PE parsing for injection).

2. Comprehensive Crypto Suite: The presence of MD5, SHA1, HMAC, RC4, DES, and XOR indicates multi-layered encryption and authentication – explaining why static analysis of Jeadpietpour.rky reveals only high entropy.

3. API Hashing Confirmed: CAPA detected “resolve function by parsing PE exports” and “hash data using djb2” – confirming the API hashing obfuscation observed in ReflectivePELoader.

4. Anti-Analysis Focus: Both components implement anti-debugging and anti-VM checks, combined with dynamic API resolution – sophisticated evasion for commodity malware.

5. Network Infrastructure: 15 send data functions and 5 receive data functions in AliyunWrap.dll confirm extensive C2 capabilities beyond just the Alibaba Cloud upload functionality.


CAPA Static Analysis

CAPA revealed capabilities supporting our reverse engineering findings:

E-Consol.exe Capabilities

  • Parse PE header (0x14001085C)
  • Read .ini files (6 matches)
  • Create mutex (0x1400031A0)
  • Download URL, Receive C2 data
  • Anti-VM strings reference

AliyunWrap.dll Capabilities

Cryptographic Operations:

  • DES encryption (0x180059500), RC4 PRGA (2 matches)
  • MD5 (0x180013D80), SHA1 (2 matches), HMAC (0x18005C1B0)
  • Base64/XOR encoding

PE Manipulation:

  • Resolve function by parsing PE exports (0x180008AC4) → Confirms API hashing in ReflectivePELoader
  • Create process (2 matches) → Confirms FluInterface32.exe spawning

Network:

  • Send data (15 matches), receive data (5 matches)
  • HTTP status checks (3 matches), libcurl linked

Anti-Analysis:

  • Software breakpoint detection (0x180015B90)
  • Anti-VM strings

Key Validation:

  1. PE export parsing (0x180008AC4) validates our API hashing analysis
  2. Crypto suite (RC4, DES, SHA1, HMAC) supports Jeadpietpour.rky decryption theory
  3. Process creation confirms FluInterface32.exe spawning capability

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

Initial Delivery:

7dc2ddaac0f6c54d774f6b336fa15a249fd0d5e74a903e7ada07cc00772c8341
└─ XMouseButtonControlSetup.2.20.5.exe (2.80 MB, 41/71 detection)

163810b5276c23ddccfdcbcb85ac97c58957b7968aae5312cb06668e68f6ac98
└─ goto.ps1 (PowerShell dropper, 14/63 detection)

Core Components:

0285dd7f0017a6b8d6dad24b1b876970dc9766db49811647f3d5a68fbfa2143a
└─ E-Consol.exe (178 KB, 0/72 detection)

57ec97f531753ff2c825eabb56134754d0a7c1edb606d278ccbcb8506b5a5a6c
└─ FluInterface32.exe (67 KB, 0/68 detection)

6cc3640cd7e5b027f39ef83fe23bd25ef01addc144fca7bdd0f0c8c763349e85
└─ AliyunWrap.dll (493 KB, 39/72 detection)

[Unknown]
└─ wos....exe (dumped RAT payload)

d6b40125f781c1d44c4e3b497e0705012c7ed9cb253c18e390dd48aaf6dcae89
└─ Jeadpietpour.rky (1.69 MB, encrypted modules)

41e50d05d58f48d5b473b2118fe03d438a662c76873c8d367dbe4dd653a0ee47
└─ Meck.xkd (83 KB, secondary encrypted component)

b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
└─ AliyunConfig.ini (2 bytes, configuration file)

Network Indicators

Command & Control:

45.141.87.249:15847/tcp     - Primary Russian C2 (offline during analysis)
52.223.34.155:443/tcp       - AWS Binance IP (likely)

Cryptocurrency Infrastructure:

bsc-dataseed1.ninicoin.io:443
bsc-dataseed2.ninicoin.io:443
bsc-dataseed3.ninicoin.io:443
bsc-dataseed4.ninicoin.io:443
bsc-dataseed1.binance.org:443

Steganographic Payload:

https://i.postimg.cc/L41T7Xgc/memmmu.png (0/97 detection)

File System Indicators

Installation Paths:

%APPDATA%\Roaming\GoToxW\
%PROGRAMDATA%\Checksystemjxg\
%LOCALAPPDATA%\XMouseButtonControl\
%USERPROFILE%\FluInterface32.exe

Persistence:

%STARTUP%\GoTo.lnk (shortcut to E-Consol.exe)

Targeted Data Locations:

Browser Data:
├─ %LOCALAPPDATA%\Google\Chrome\User Data\Default\
├─ %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\
├─ %APPDATA%\Opera Software\Opera GX Stable\
└─ %APPDATA%\Mozilla\Firefox\Profiles\

Application Data:
├─ %APPDATA%\discord\Local Storage\leveldb\
├─ %APPDATA%\Telegram Desktop\tdata\
├─ %APPDATA%\FileZilla\
└─ Registry: Software\Valve\Steam\

Registry Indicators

HKLM\Software\Microsoft\Tracing\FluInterface32_RASAPI32
HKLM\Software\Microsoft\Tracing\FluInterface32_RASMANCS
Software\Valve\Steam\SteamPath
ROOT\SecurityCenter
ROOT\SecurityCenter2

Behavioral Indicators

Process Artifacts:

Parent-Child Relationships:
├─ E-Consol.exe → powershell.exe (with -ExecutionPolicy Bypass)
├─ powershell.exe → goto.ps1
├─ E-Consol.exe → FluInterface32.exe
└─ E-Consol.exe → attrib.exe +h [path]

Network Behavior:

├─ Failed connections to 45.141.87.249:15847
├─ Successful HTTPS to 52.223.34.155:443
├─ Multiple eth_call JSON-RPC requests to BSC nodes
└─ Connection attempts from FluInterface32.exe (unexpected process)

Memory Indicators:

Process Injection Signs:
├─ FluInterface32.exe with .NET modules loaded (originally native PE)
├─ Undetermined image sizes in memory
├─ RWX (Read-Write-Execute) memory regions
└─ Unsigned code executing in signed process space

By xande