What is Arechclient2 (SectopRAT)?
Arechclient2 (SectopRAT) is a RAT and Infostealer
Arechclient2, also known as SectopRAT, is a remote access trojan and infostealer initially observed in 2019. It’s primarily used as a post-compromise tool and is currently experiencing a significant surge in deployment during 2025 campaigns. The malware is delivered via the HijackLoader steganographic delivery mechanism, which embeds encrypted payloads within PNG image files using IDAT chunk manipulation.
This particular sample represents a sophisticated, multi-component attack leveraging legitimate cloud infrastructure for data exfiltration and cryptocurrency theft operations. As far as I can tell, this is a variant that differs significantly from standard SectopRAT deployments.
This is also the first time I’ve seen steganography used in the wild, and is quite unusual in a malware sample from what I’ve seen.
Standard SectopRAT vs This Variant:
The sample represents a variant in the standard SectopRAT deployment, especially in its crypto and infostealing features:
- Zero-detection dropper components bypassing traditional AV
- Steganographic payload delivery in PNG images (IDAT chunk manipulation)
- Multi-component architecture with intentional decoy modules
- Process injection into custom-created processes (FluInterface32.exe)
- Comprehensive financial data theft targeting 24 cryptocurrency wallets
- Calli obfuscator defeating dynamic analysis
| Feature | Standard SectopRAT | This Variant |
| Injection Target | MSBuild.exe | Custom FluInterface32.exe |
| C2 Resolution | Pastebin dynamic | Hardcoded Russian IP |
| Port Range | 9000, 15647-15678 | 15847 (within range) |
Surface Level Analysis
Sample Identification:
Our sample was disguised as XMouseButtonControl (legitimate mouse button remapping software.)
Initial Dropper Metadata:
SHA-256: 7dc2ddaac0f6c54d774f6b336fa15a249fd0d5e74a903e7ada07cc00772c8341
File Name: XMouseButtonControlSetup.2.20.5.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 2.80 MB
Signed: Yes (REVOKED GlobalSign certificate)
First Seen: 02/06/2025 (2nd of June 2025)
VirusTotal Detection Rates:
| Component | Detection Rate | Strategy |
| Steganographic PNG (memmmu.png) | 0/97 | Clean payload carrier |
| Initial dropper (XMouseButtonSetup) | 41/71 | Moderate detection despite signing |
| PowerShell dropper (goto.ps1) | 14/63 | Some AV detection |
| E-Consol.exe (orchestrator) | 0/72 | Completely clean |
| AliyunWrap.dll (crypto library) | 39/72 | Heavily flagged – functional but with unused cloud code |
| FluInterface32.exe (pre-injection) | 0/68 | Clean host process |
As you will see later on, AliyunWrap.dll is heavily detected (39/72) but serves a dual purpose: it’s functionally required for crypto operations while also containing unused cloud/credential code that may misdirect analysis efforts.
Delivery Method:
- Embedded in PNG image via steganography (PostImg hosting)
- XOR encryption (single-byte key at offset 436)
- Packaged as ZIP archive containing full malware suite
- Delivered via PowerShell dropper script goto.ps1
Processes Graph:

(any.run)
Initial Triage
The infection chain begins with what appears to be legitimate XMouseButtonControl software.
The mouse software appears to be fully working. Upon excecution, the Xmouse installer:
- Installs legitimate XMouseButtonControl software to
%LOCALAPPDATA%\XMouseButtonControl\ - Writes a malicious PowerShell script
, goto.ps1to disk alongside the legitimate installation
The initial Xmouse install binary writes goto.ps1 to disk, which contains the actual steganographic payload extraction logic. I downloaded the “goto.ps1” from a sandbox and started to statically analyze it.

(goto.ps1 SHA-256 hash: 163810b5276c23ddccfdcbcb85ac97c58957b7968aae5312cb06668e68f6ac98)
The script downloads a doge png named “memmmu.png”:

The powershell script then extracts the XOR decryption key from byte 436, before finding the IDAT PNG chunk marker, as the payload starts four bytes after. It extracts and XOR decrypts the payload to reveal a ZIP archive. It defines the target directory, kills e-consol, but only if the system is already infected (only works if already infected – SilentlyContinue suppresses errors on first run). It removes old installation files if they exist and creates a fresh directory. It writes the decrypted ZIP, extracts its contents before deleting the zip. The PS script then hides the directory, creates a startup persistence shortcut and finally executres the malware with a hidden window.

In order to more efficiently fetch the malware without execution I wrote a script to extract it:
https://github.com/thetrueartist/HijackLoader-IDATloaderPayloadExtractor

After using this tool and extracting the ZIP folder we get everything that the malware writes to disk.


My first impressions of the files were that “E-consol.exe” was potentially the main malware, followed by the “AliyunWrap.dll”. Both “Jeadpietpour.rky” “Meck.xkd” were kept intentionally murky by the malware author, with “AliyunConfig.ini” likely being of use, even despite the small file size.
After submitting some of the files to VirusTotal, it would have you think that all apart from the “AliyunWrap.dll” harmless. At this point I was questioning what files were potentially a decoy to waste my time (however this happened to not be the case, as I’ll explain later).
After extracting the files I ended up dynamically analyzing “E-consol.exe” after finding lacking leads with basic static analysis.
After letting it run, it writes and creates a process called “FluInterface32.exe” 10 seconds after E-consol.exe has been executed.
Based off of the name, I had guessed that it (“FluInterface32.exe”) was used for the network functionality, maybe alone, and at this point “AliyunWrap.dll” was potentially where the main functionality of the malware was hiding, especially considering the VirusTotal detections for it.

However I continued on with analyzing “FluInterface32.exe” to start. After investigating with strings/FLOSS and quickly checking the malware on VirusTotal, it would have you think that “FluInterface32.exe” is clean or is harmless.

Network Discovery
I then checked network connections for all of the processes it wrote/spawned and found (with Process Hacker 2, and Fakenet) that “FluInterface32.exe” was attempting to connect to a Russian IP as well as a Binance domain hosted on AWS.


And sure enough, the IPs it contacted were in memory:


I found it unusual that this was the only process it spawned that was making active network connections.
Process Injection Confirmation
To check to see if “FluInterface32.exe” was being process injected, I used Hollows Hunter to check.

This confirmed that “FluInterface32.exe” was process injected, as the binary was native, yet there was .NET code running inside it.
After this I was pretty sure “E-Consol.exe” was just a dropper.
I used ExtremeDumper to dump the injected payload from FluInterface32.exe’s memory to analyze what was actually running.


Architecture Discovery
Before I analyzed the memory dump, I wanted to investigate the component relationships, and to find out which files were actually required for E-consol.exe to run and function.
I decided to test component dependencies by selectively removing binaries to see what E-Consol actually requires in order for it to work.
In short;
Test 1: E-Consol.exe alone
Failed immediately, it was missing AliyunWrap.dll. Hard dependency confirmed.

Test 2: E-Consol.exe + AliyunWrap.dll + AliyunConfig.ini
Started but crashed with 0xc0000142 error. Before crashing, it created an empty Meck.xkd file. This means E-Consol.exe writes to Meck.xkd at runtime rather than reading from it.

Test 3: Added Meck.xkd (83 KB)
Still crashed with the same error. Another component is missing.
Test 4: Added Jeadpietpour.rky (2 MB)
Finally executed successfully. Jeadpietpour.rky is essential for execution.
Required components:
- AliyunWrap.dll – hard dependency, crashes immediately without it
- Jeadpietpour.rky – required for successful execution, crashes without it
- Meck.xkd – runtime artifact, not an input file
Analyzing Jeadpietpour.rky
I uploaded Jeadpietpour.rky to VirusTotal to get more information about the file.

VirusTotal’s Magika classifier identified it as a PNG file despite the .rky extension. I decided to check the file header to confirm.
Checking the file signature:

The file doesn’t start with PNG magic bytes (89 50 4E 47). It starts with 77 4D... instead. The file is likely encrypted or compressed on disk.
Checking Meck.xkd as well:

Meck.xkd has null-byte patterns suggesting either wide-character encoding or encrypted data. The scattered ASCII strings (LIA, MSLG, jEF) suggest this might be partially decrypted or compressed data.
My Hypothesis
VirusTotal’s Magika detected PNG structure because it analyzed the decrypted content, not the encrypted file on disk. Jeadpietpour.rky stores encrypted bytes on disk (77 4D 80 79...), which AliyunWrap.dll’s SendLogToCloud() function decrypts at runtime. The decrypted result is a PNG file with the actual payload embedded in IDAT chunks. The .NET assembly is then extracted from the PNG and injected into FluInterface32.exe.
This explains why AliyunWrap.dll is required (provides decryption), why both Jeadpietpour.rky and Meck.xkd are needed (key material and staging data), why AVs can’t detect the payload (encrypted at rest), and why Meck.xkd is created empty on crash (it’s written during decryption, not read as input).
However, this is only a theory, but seems likely.
The execution flow is (likely):
E-Consol.exe
├─ Reads encrypted Jeadpietpour.rky
├─ Calls AliyunWrap.dll::SendLogToCloud() for decryption
├─ Writes intermediate data to Meck.xkd
├─ Extracts .NET payload from decrypted PNG
└─ Injects payload into FluInterface32.exe
The architecture seems to separate the encrypted payload (Jeadpietpour.rky) from the decryption logic (AliyunWrap.dll), obscures file purposes with unusual extensions (.rky, .xkd), and creates a clean injection target (FluInterface32.exe) at runtime to avoid detection.
Memory Dump Analysis
After looking into the architecture of the malware, I resumed analyzing the memory dump from FluInterface32.exe.
I attempted to use DNSpy to debug the dumped payload (wosoqulwj2u.exe), however there was a lot of obfuscation thanks to the Calli Obfuscator.

The calli (call indirect) instruction is a signature of the Calli obfuscator. This made it so that instead of normal method calls, all function invocations route through function pointers dynamically resolved at runtime.
This makes it very hard to analyze, it can be done but diminishing returns kick in hard.
I ended up pivoting to use FLOSS to extract strings from memory.
Dumped Payload strings
‘(‘/’
+’+?+L+
.O0X0u0E1}1
?D@N@
OAPHP
wosoqulwj2u.exe
wosoqulwj2u
mscorlib
System.Web.Extensions
System.Windows.Forms
System
System.Drawing
System.Core
System.Net.Http
System.Runtime.Serialization
System.Security
System.Xml
System.Management
System.IO.Compression.FileSystem
Microsoft.CSharp
kernel32.dll
advapi32.dll
advapi32
user32.dll
msvcrt.dll
User32.dll
gdi32.dll
rstrtmgr.dll
ntdll.dll
String
Format
IFormatProvider
FileInfo
System.IO
get_Directory
DirectoryInfo
Environment
GetFolderPath
SpecialFolder
Concat
Replace
RuntimeHelpers
System.Runtime.CompilerServices
InitializeArray
Array
RuntimeFieldHandle
Split
Type
GetTypeFromHandle
RuntimeTypeHandle
Marshal
System.Runtime.InteropServices
SizeOf
AllocHGlobal
Copy
IntPtr
op_Inequality
FreeHGlobal
ExpandEnvironmentVariables
Encoding
System.Text
get_UTF8
Convert
FromBase64String
get_NewLine
StringSplitOptions
Contains
IsNullOrEmpty
get_Chars
ToUpper
Remove
Path
Combine
File
Exists
Trim
IsNullOrWhiteSpace
StartsWith
ToInt64
DateTime
get_Now
AddMonths
get_Ticks
ToInt32
Join
GetFiles
SearchOption
GetEncoding
ProtectedData
System.Security.Cryptography
Unprotect
DataProtectionScope
get_ASCII
HashAlgorithm
ComputeHash
CultureInfo
System.Globalization
get_InvariantCulture
get_SystemDirectory
BitConverter
get_Unicode
GetBytes
Buffer
BlockCopy
ToLower
get_BigEndianUnicode
ToString
IndexOf
StringComparison
Substring
TrimStart
Compare
Directory
GetDirectories
get_Length
get_CurrentManagedThreadId
Regex
System.Text.RegularExpressions
Matches
MatchCollection
StringBuilder
AppendLine
ChangeType
Object
GetType
op_Equality
GetLogicalDrives
EnumerateDirectories
IEnumerable`1
System.Collections.Generic
XmlDocument
get_DocumentElement
XmlElement
CreateDirectory
FileSystemInfo
get_CreationTime
op_LessThan
Delete
get_UserDomainName
get_UserName
Assembly
System.Reflection
GetExecutingAssembly
InputLanguage
get_CurrentInputLanguage
get_Culture
Screen
get_PrimaryScreen
get_Bounds
Rectangle
get_Width
get_Height
TimeZoneInfo
get_Local
get_DisplayName
RegistryKey
Microsoft.Win32
OpenSubKey
GetValue
GetDelegateForFunctionPointer
Delegate
XmlNode
SelectSingleNode
Append
ManagementObjectSearcher
ManagementObjectCollection
GetEnumerator
ManagementObjectEnumerator
get_Current
ManagementBaseObject
get_Item
ToUInt32
GetSubKeyNames
FileVersionInfo
System.Diagnostics
GetVersionInfo
get_FileVersion
Process
GetCurrentProcess
get_SessionId
get_InstalledInputLanguages
InputLanguageCollection
ToDouble
Math
Round
get_Is64BitOperatingSystem
ReadAllText
WriteAllText
GetDirectoryName
Int32
Parse
NumberStyles
Char
IsLetter
IsLower
SHA256
Create
OpenRead
FileStream
get_Capacity
GetLastWin32Error
EnsureCapacity
PtrToStringAuto
set_Length
IsWhiteSpace
UInt32
TryParse
Decimal
Enum
CreateInstance
SetValue
ConstructorInfo
Invoke
IsDigit
Double
StringComparer
get_OrdinalIgnoreCase
Attribute
GetCustomAttribute
MemberInfo
DataMemberAttribute
get_Name
FormatterServices
GetUninitializedObject
AppendFormat
get_ProcessName
Byte
Registry
GetProcesses
Kill
Thread
System.Threading
Sleep
Image
FromStream
Stream
Save
Bitmap
GetPixel
Color
ToArgb
get_White
Clone
PixelFormat
System.Drawing.Imaging
GetTempFileName
WebClient
System.Net
DownloadFile
Start
TextBoxBase
Paste
RegistryValueKind
GetProcessesByName
Monitor
Enter
Exit
GetCreationTimeUtc
Guid
NewGuid
DriveInfo
get_IsReady
get_DriveType
DriveType
ReadAllBytes
WriteAllBytes
GetRandomFileName
Insert
Graphics
FromHwnd
get_VolumeLabel
get_AvailableFreeSpace
GetFileName
ReadAllLines
WriteAllLines
Point
get_X
get_Y
set_X
set_Y
op_Explicit
Size
get_Left
get_Top
get_Right
get_Bottom
ProcessStartInfo
set_RedirectStandardError
set_RedirectStandardOutput
set_UseShellExecute
set_CreateNoWindow
set_StartInfo
get_MainWindowTitle
get_Id
get_Size
set_Width
set_Height
get_CurrentThread
set_Priority
ThreadPriority
Socket
System.Net.Sockets
BeginSend
IAsyncResult
SocketFlags
AsyncCallback
Collect
get_PixelFormat
LockBits
BitmapData
ImageLockMode
get_Scan0
Receive
UnlockBits
FromImage
ReleaseHdc
DrawImage
Abort
get_AllScreens
CopyFromScreen
EndSend
Console
WriteLine
Close
get_MainWindowHandle
CloseMainWindow
get_WorkingArea
Shutdown
SocketShutdown
GetProcessById
PerformanceCounter
NextValue
BeginReceive
Poll
SelectMode
get_Available
IPAddress
Connect
EndPoint
set_NoDelay
Send
set_ReceiveTimeout
EndReceive
TrimEnd
get_Stride
ImageFormat
get_Jpeg
op_Addition
ServicePointManager
set_SecurityProtocol
SecurityProtocolType
ToCharArray
Reverse
GetInvalidFileNameChars
WaitForExit
Application
ReadInt32
DownloadString
ZipFile
System.IO.Compression
ExtractToDirectory
DownloadData
SuppressFinalize
get_Threads
ProcessThreadCollection
ProcessThread
ToBoolean
TimeSpan
FromMinutes
get_TotalMilliseconds
Timer
System.Timers
add_Elapsed
ElapsedEventHandler
get_InstalledUICulture
set_RedirectStandardInput
set_StandardOutputEncoding
set_StandardErrorEncoding
GetPathRoot
set_WorkingDirectory
set_Arguments
get_StandardInput
StreamWriter
Clear
get_HasExited
get_StandardOutput
StreamReader
get_StandardError
Stop
TcpClient
get_MainModule
ProcessModule
get_FileName
get_Extension
NetworkInterface
System.Net.NetworkInformation
GetAllNetworkInterfaces
MethodInfo
Load
CSharpArgumentInfo
Microsoft.CSharp.RuntimeBinder
CSharpArgumentInfoFlags
Binder
GetIndex
CallSiteBinder
CSharpBinderFlags
BinaryOperation
ExpressionType
System.Linq.Expressions
UnaryOperation
GetTempPath
Exception
get_HResult
ReAllocHGlobal
ReadIntPtr
UIntPtr
MultipartFormDataContent
HttpContent
get_Headers
HttpContentHeaders
System.Net.Http.Headers
MediaTypeHeaderValue
set_ContentType
HttpClient
PostAsync
Task`1
System.Threading.Tasks
HttpResponseMessage
get_IsSuccessStatusCode
get_Content
ReadAsByteArrayAsync
Task
Wait
ToBase64String
CryptoStream
FlushFinalBlock
RandomNumberGenerator
CopyTo
SocketAsyncEventArgs
get_LastOperation
SocketAsyncOperation
get_ExecutablePath
set_WindowStyle
ProcessWindowStyle
set_FileName
op_Subtraction
op_GreaterThan
get_Connected
InvokeMember
SetBuffer
SendAsync
get_BytesTransferred
ReceiveAsync
get_Buffer
GetDrives
GetFullPath
get_LastWriteTime
MoveTo
get_Png
EndsWith
GetThumbnailImage
GetThumbnailImageAbort
Icon
ExtractAssociatedIcon
ToBitmap
IPGlobalProperties
GetIPGlobalProperties
ToByte
get_Default
Capture
get_Value
IsLetterOrDigit
JavaScriptSerializer
System.Web.Script.Serialization
set_MaxJsonLength
AsyncTaskMethodBuilder
SetException
SetResult
ReadAsStringAsync
get_Client
set_ReceiveBufferSize
set_SendBufferSize
GetHostByName
IPHostEntry
get_AddressList
get_Task
get_SocketError
SocketError
remove_Completed
EventHandler`1
add_Completed
SystemInformation
get_VirtualScreen
Serialize
resource
List`1
.ctor
GetString
EmptyTypes
Func`2
KeyValuePair`2
Enumerable
System.Linq
Select
IList`1
UInt64
Int16
CryptographicException
IDisposable
Dispose
Zero
Single
UInt16
Int64
ParamArrayAttribute
IteratorStateMachineAttribute
Enumerator
MoveNext
get_FullName
Empty
AddRange
XmlTextReader
XmlReader
get_ChildNodes
XmlNodeList
get_ItemOf
IEnumerator
System.Collections
get_InnerText
InvalidOperationException
get_Location
get_EnglishName
ToList
get_Exists
BinaryReader
ReadUInt16
ReadByte
get_Position
ReadInt16
ReadUInt32
Seek
SeekOrigin
Dictionary`2
ContainsKey
Boolean
get_Count
get_Key
set_Item
GetComputerName
LookupAccountName
ConvertSidToStringSid
LocalFree
HMACSHA256
IEnumerator`1
FirstOrDefault
Where
MemoryStream
HashSet`1
LocalMachine
CurrentUser
ToArray
EnumDisplayMonitors
GetMonitorInfo
memcmp
memcpy
SetForegroundWindow
GetForegroundWindow
keybd_event
TextBox
Control
get_Text
Component
System.ComponentModel
ThreadStart
get_Message
GetDeviceCaps
GetHdc
InsertRange
mouse_event
SetCursorPos
SystemParametersInfo
OpenDesktop
CloseDesktop
EnumDesktopWindows
SetWindowPos
IsWindowVisible
SuppressUnmanagedCodeSecurityAttribute
PostMessage
SendMessage
SetThreadDesktop
WindowFromPoint
GetClassName
GetWindowRect
GetParent
GetScrollPos
SetScrollPos
SetActiveWindow
DefWindowProc
CreateProcess
GetThreadDesktop
SetWindowLong
GetWindowLong
GetCurrentThreadId
EnumWindows
PrintWindow
DeleteDC
Last
get_AsyncState
GZipStream
CompressionMode
Write
CreateDesktop
IsWindow
First
FindWindow
ShowWindow
AddressFamily
SocketType
ProtocolType
IPEndPoint
ParameterizedThreadStart
RemoveRange
GetRange
SetLength
ManagementObject
ReadOnlyCollectionBase
Distinct
OpenThread
SuspendThread
ResumeThread
CloseHandle
CopyFile
Tuple`2
DataContractSerializer
XmlObjectSerializer
ReadObject
DeflateStream
CompressionLevel
WriteObject
get_TextInfo
TextInfo
get_OEMCodePage
get_CodePage
get_BaseStream
TextReader
Read
Peek
ApplicationException
ObjectDisposedException
TextWriter
Flush
MD5CryptoServiceProvider
get_OperationalStatus
OperationalStatus
get_Description
GetPhysicalAddress
PhysicalAddress
get_Item1
get_Item2
GetMethod
BindingFlags
MethodBase
Deserialize
CallSite`1
Func`3
CallSite
Target
Func`4
IsWow64Process
MapViewOfFile
CreateFileMappingA
GetFileSizeEx
RmRegisterResources
RmStartSession
RmEndSession
RmGetList
DuplicateHandle
GetCurrentProcessId
TerminateProcess
OpenProcess
GetFinalPathNameByHandleW
UnmapViewOfFile
GetFileType
NtQuerySystemInformation
get_Result
AsyncTaskMethodBuilder`1
AsyncStateMachineAttribute
DebuggerStepThroughAttribute
SymmetricAlgorithm
set_Key
set_IV
get_IV
CreateEncryptor
ICryptoTransform
CryptoStreamMode
CreateDecryptor
Take
Skip
DynamicAttribute
get_DomainName
FileMode
FileAccess
FileShare
Match
Predicate`1
RemoveAll
OpenClipboard
CloseClipboard
SetClipboardData
Count
Nullable`1
GetValueOrDefault
ResourceManager
System.Resources
GetManifestResourceStream
DebuggerHiddenAttribute
EqualityComparer`1
Equals
GetHashCode
DebuggerDisplayAttribute
Account
k__BackingField
k__BackingField
k__BackingField
get_URL
set_URL
value
get_Username
set_Username
get_Password
set_Password
Username
Password
DataContractAttribute
Autofill
k__BackingField
k__BackingField
set_Name
set_Value
Name
Value
ValueType
.cctor
<>9__2_0
<>9__4_0
Browser
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
get_BrowserName
set_BrowserName
get_BrowserProfile
set_BrowserProfile
get_Logins
set_Logins
get_Autofills
set_Autofills
get_CC
set_CC
get_Cookies
set_Cookies
ICollection`1
IsEmpty
BrowserName
BrowserProfile
Logins
Autofills
Cookies
k__BackingField
k__BackingField
k__BackingField
k__BackingField
get_HolderName
set_HolderName
get_Month
set_Month
get_Year
set_Year
get_Number
set_Number
HolderName
Month
Year
Number
ScannedCookie
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
get_Host
set_Host
get_Http
set_Http
get_Path
set_Path
get_Secure
set_Secure
get_Expires
set_Expires
ToText
Host
Http
Secure
Expires
BrowserVersion
k__BackingField
k__BackingField
k__BackingField
get_NameOfBrowser
set_NameOfBrowser
get_Version
set_Version
get_PathOfFile
set_PathOfFile
NameOfBrowser
Version
PathOfFile
Func`1
<>9__0_0
<>9__0_2
<>9__0_4
<>9__0_6
<>9__0_8
Finalize
MulticastDelegate
BeginInvoke
EndInvoke
CompareTo
Resize
ReadMasterOfContext
offset
IEnumerable
System.IDisposable.Dispose
System.Collections.Generic.IEnumerator.get_Current
NotSupportedException
System.Collections.IEnumerator.Reset
Reset
System.Collections.IEnumerator.get_Current
System.Collections.Generic.IEnumerable.GetEnumerator
System.Collections.IEnumerable.GetEnumerator
ScannedFile
k__BackingField
k__BackingField
k__BackingField
k__BackingField
filename
get_NameOfFile
set_NameOfFile
get_Body
set_Body
get_NameOfApplication
set_NameOfApplication
get_DirOfFile
set_DirOfFile
NameOfFile
Body
NameOfApplication
DirOfFile
get_CurrentEncoding
ReadToEnd
SelectMany
GetProperties
PropertyInfo
get_PropertyType
<>9__4_1
FileScannerArg
k__BackingField
k__BackingField
k__BackingField
k__BackingField
get_Tag
set_Tag
set_Directory
get_Pattern
set_Pattern
get_Recoursive
set_Recoursive
Pattern
Recoursive
Random
OrderBy
IOrderedEnumerable`1
Next
HardwareType
value__
Processor
EnumMemberAttribute
Graphic
Json
json
set_RecursionLimit
get_JSON
FromJSON
this
ToJSON
JSON
LocalState
k__BackingField
get_os_crypt
set_os_crypt
os_crypt
OsCrypt
k__BackingField
get_encrypted_key
set_encrypted_key
encrypted_key
LoadLibrary
FreeLibrary
ReliabilityContractAttribute
System.Runtime.ConstrainedExecution
Consistency
GetProcAddress
ScanDetails
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
get_SecurityUtils
set_SecurityUtils
get_AvailableLanguages
set_AvailableLanguages
get_Softwares
set_Softwares
get_Processes
set_Processes
get_SystemHardwares
set_SystemHardwares
get_Browsers
set_Browsers
get_FtpConnections
set_FtpConnections
get_InstalledBrowsers
set_InstalledBrowsers
get_ScannedFiles
set_ScannedFiles
get_GameLauncherFiles
set_GameLauncherFiles
get_ScannedWallets
set_ScannedWallets
get_NordAccounts
set_NordAccounts
get_Open
set_Open
get_Proton
set_Proton
get_MessageClientFiles
set_MessageClientFiles
get_DicrFiles
set_DicrFiles
SecurityUtils
AvailableLanguages
Softwares
Processes
SystemHardwares
Browsers
FtpConnections
InstalledBrowsers
ScannedFiles
GameLauncherFiles
ScannedWallets
NordAccounts
Open
Proton
MessageClientFiles
DicrFiles
SystemHardware
k__BackingField
k__BackingField
get_Counter
set_Counter
get_HardType
set_HardType
Counter
HardType
ScanningArgs
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
k__BackingField
get_ScanBrowsers
set_ScanBrowsers
get_ScanFiles
set_ScanFiles
get_ScanFTP
set_ScanFTP
get_ScanWallets
set_ScanWallets
get_ScanScreen
set_ScanScreen
get_ScanTelegram
set_ScanTelegram
get_ScanVPN
set_ScanVPN
get_ScanSteam
set_ScanSteam
get_ScanDiscord
set_ScanDiscord
get_ScanFilesPaths
set_ScanFilesPaths
get_ScanChromeBrowsersPaths
set_ScanChromeBrowsersPaths
get_ScanGeckoBrowsersPaths
set_ScanGeckoBrowsersPaths
get_Configs
set_Configs
ScanBrowsers
ScanFiles
ScanFTP
ScanWallets
ScanScreen
ScanTelegram
ScanVPN
ScanSteam
ScanDiscord
ScanFilesPaths
ScanChromeBrowsersPaths
ScanGeckoBrowsersPaths
Configs
ScanResult
get_Hardware
set_Hardware
get_ReleaseID
set_ReleaseID
get_MachineName
set_MachineName
get_OSVersion
set_OSVersion
get_Language
set_Language
get_Resolution
set_Resolution
get_ScanDetails
set_ScanDetails
get_Country
set_Country
get_City
set_City
get_TZ
set_TZ
get_IPv4
set_IPv4
get_Monitor
set_Monitor
get_ZipCode
set_ZipCode
get_FileLocation
set_FileLocation
get_SeenBefore
set_SeenBefore
Hardware
ReleaseID
MachineName
OSVersion
Language
Resolution
Country
City
IPv4
ZipCode
FileLocation
SeenBefore
Cast
<>9__7_0
<>9__8_0
<>9__1_0
Stack`1
ThreadStaticAttribute
FieldInfo
get_IsPrimitive
get_IsEnum
get_IsArray
GetElementType
Push
get_IsGenericType
GetGenericTypeDefinition
GetGenericArguments
GetConstructor
IList
IDictionary
IEqualityComparer`1
IgnoreDataMemberAttribute
IsDefined
TryGetValue
GetFields
get_FieldType
ICollection
get_Keys
get_CanRead
ObsoleteAttribute
EnumDesktopWindowsProc
<>9__22_0
TrimExcess
<>9__34_1
<>9__34_7
<>9__34_2
<>9__34_9
<>9__34_4
<>9__34_11
<>9__34_5
<>9__34_13
<>9__34_6
<>9__34_15
Repeat
<>9__6_0
STAThreadAttribute
SetWindowsHookEx
CallNextHookEx
GetModuleHandle
GetWindowThreadProcessId
GetKeyState
GetKeyboardState
GetKeyboardLayout
ToUnicodeEx
MapVirtualKey
GetWindowText
Keys
<>9__23_0
Mutex
WaitHandle
FlagsAttribute
StealerSettingConfigParce
get_discord
set_discord
get_files
set_files
get_ftp
set_ftp
get_steam
set_steam
get_telegram
set_telegram
get_vpn
set_vpn
get_endbled
set_endbled
get_grabber
set_grabber
discord
files
steam
telegram
endbled
grabber
IAsyncStateMachine
TaskAwaiter`1
StringContent
ByteArrayContent
GetAwaiter
get_IsCompleted
AwaitUnsafeOnCompleted
GetResult
SetStateMachine
OnCompleted
<>9__48_0
<>9__49_0
<>9__57_0
<>9__71_0
ElapsedEventArgs
Find
Action`3
<>9__9_0
RuntimeMethodHandle
Module
get_Module
ResolveMethod
get_MethodHandle
GetFunctionPointer
PtrToStructure
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
DebuggableAttribute
DebuggingModes
AssemblyTitleAttribute
AssemblyDescriptionAttribute
AssemblyConfigurationAttribute
AssemblyCompanyAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
AssemblyTrademarkAttribute
ComVisibleAttribute
GuidAttribute
AssemblyFileVersionAttribute
TargetFrameworkAttribute
System.Runtime.Versioning
UnverifiableCodeAttribute
ui+vi
mk+nk
{ Type = {Type} }
Type
Name
Name
Username
Name
Password0
Name
AccountT
\tNamespace
BrowserExtension
Name
Name
Name
Value1
Name
AutofillT
\tNamespace
BrowserExtension
Name
BrowserName
Name
BrowserProfile\t(
Name
Logins\t(
Name\tAutofills\t(
Name
CC\t(
Name
Cookies7
Name
ScannedBrowserT
\tNamespace
BrowserExtension
Name
HolderName
Name
Month
Name
Year
Name
Number+
Name
\tNamespace
BrowserExtension
Name
Host
Name
Http
Name
Path
Name
Secure
Name
Expires6
Name
ScannedCookieT
\tNamespace
BrowserExtension
Name
NameOfBrowser
Name
Version
Name
PathOfFile7
Name
BrowserVersionT
\tNamespace
BrowserExtension:
Name
NameOfFile
Name
Body
Name
NameOfApplication
Name\tDirOfFile4
Name
ScannedFileT
\tNamespace
BrowserExtension
Name\tDirectory
Name
Pattern
Name
Recoursive7
Name
FileScannerArgT
\tNamespace
BrowserExtension%
Name
HardwareType
Name
os_crypt
Name
LocalState
Name
encrypted_key
Name
OsCrypt
Name
SecurityUtils
Name
AvailableLanguages
Name\tSoftwares
Name\tProcesses
Name
SystemHardwares\t(
Name
Browsers\t(
Name
FtpConnections\t(
Name
InstalledBrowsers
Name
ScannedFiles
Name
GameLauncherFiles
Name
ScannedWallets
Name
Nord
Name
Open
Name
Proton
Name
MessageClientFiles
Name\tDicrFiles4
Name
ScanDetailsT
\tNamespace
BrowserExtension
Name
Counter
Name
HardType7
Name
SystemHardwareT
\tNamespace
BrowserExtension\t
Name
ScanBrowsers
Name\tScanFiles
Name
ScanFTP
Name
ScanWallets
Name
ScanScreen
Name
ScanTelegram
Name
ScanVPN
Name\tScanSteam
Name
ScanDiscord
Name
ScanFilesPaths#
Name
ScanChromeBrowsersPaths”
Name
ScanGeckoBrowsersPaths
Name
Configs5
Name
ScanningArgsT
\tNamespace
BrowserExtension\t
Name
WalletConfigT
\tNamespace
BrowserExtension
Name
Hardware
Name\tReleaseID
Name
MachineName
Name\tOSVersion
Name
Language
Name
ScreenSize
Name
ScanDetails
Name
Country
Name
City
Name
TimeZone
Name
IPv4
Name
Monitor
Name
ZipCode
Name
FileLocation
Name
SeenBefore3
Name
ScanResultT
\tNamespace
BrowserExtension\t
Name
discord
Name
files
Name
Name
steam
Name
telegram
Name
Name
endbled
Name
grabber@
Name
StealerSettingConfigParceT
\tNamespace
SettingsParces
WrapNonExceptionThrows
$fb27641d-4694-4b93-9361-8f5262570e64
1.0.0.0
.NETFramework,Version=v4.7.2
FrameworkDisplayName
.NET Framework 4.7.2
<security>
<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges>
</security>
+————————————-+
| FLOSS STATIC STRINGS: UTF-16LE (32) |
+————————————-+
Login Data, CommandLine: , Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall-*.lo–gNoDefrdDefVPNDefID: CommandLineOpera GX Stabletdata\tdataZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbg==AFileSystemntivFileSystemirusPrFileSystemoduFileSystemct|AntiFileSystemSpyWFileSystemareProFileSystemduct|FireFileSystemwallProdFileSystemuct[^\u0020-\u007F]Profilesexpiraas21tion_yas21ear%appdata%\discord\Local Storage\leveldbmoz_cookiesTotalVisibleMemorySizeis_securewaasflletasfWeb DataDisplayVersionautofill
//settString.Replaceing[@name=\UString.Replacesername]/vaString.Replaceluepath%appdata%{0}\FileZilla\recentservers.xmlUser Data{0}\FileZilla\sitemanager.xml MB or SELECT * FROM Cookiesconfig
Local StateProfile_%localappdata%\valuecookiesTotal of RAMwaasflleasft.datasfcard_number_encryptedwindows-1251
isSecureSoftware\Valve\SteamROOT\SecurityCenterv10ssfnexpiryname_on_cardSteamPath//settinString.Removeg[@name=\PasswString.Removeord]/valuString.Removeeencrypted_valueNWinordVWinpn.eWinxeWinDisplayName\Program Files\Program Files (x86)\profiles1.1l1d1begram.exehost_keyAppData\Local\ProcessIdUnknownExtensionexpires_utcuser.config\Telegram Desktop\tdataAppData\Roaming\OpHandlerenVPHandlerN ConHandlernectName%USERPEnvironmentROFILE%\AppDEnvironmentata\RoaEnvironmentmingUNKNOWNOpera GXv11\Program Data\name{}:,[]”.Profile_Unknownloginscookies.sqliteROOT\SecurityCenter2coMANGOokies.sqMANGOliteLocalPrefs.json\Windows*.vstring.Replacedfexpiras21ation_moas21nth%DSK_23%TelTReplaceokReplaceenReplaces.tReplacextdisplayName[AString-ZaString-z\d]{2String4}.[String\w-]{String6}.[\wString-]{2String7}Local Extension Settingshost
- 6$7%8&?’@7A:CGzV
“&%’%/.21:9;9FEJIPOQOSRTRURVRWRXRYRZR[R\R]R^R_R`RaRbRcRdReRfRgRhRiRjRkRlRmRnRoRpRutvtwtyxzx{x|x}x~x
abcdefghijklmnop
estu
yxyz
wosoqulwj2u, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
resource
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
CompanyName
FileDescription
FileVersion
1.0.0.0
InternalName
dfgfghfghfghfghfgh.exe
LegalCopyright
LegalTrademarks
OriginalFilename
dfgfghfghfghfghfgh.exe
ProductName
ProductVersion
1.0.0.0
Assembly Version
1.0.0.0
RAT Capabilities & Theft Targets
FLOSS string extraction from the dumped payload revealed extensive financial data theft operations targeting cryptocurrency users, gamers, and business users.
Modular Configuration System
The malware uses a modular configuration with distinct scanning modules:
Configuration Flags:
├─ ScanBrowsers → Browser credential harvesting
├─ ScanWallets → Cryptocurrency wallet extension theft
├─ ScanFiles → Document/file enumeration
├─ ScanFTP → FTP client credential theft
├─ ScanTelegram → Telegram data exfiltration
├─ ScanVPN → VPN configuration theft
├─ ScanSteam → Steam account credential theft
├─ ScanDiscord → Discord token harvesting
└─ ScanScreen → Screenshot capability
This modularity allows operators to enable/disable capabilities per target, reduce detection surface by disabling unused features, and customize theft profiles for different campaigns.

Cryptocurrency Wallet Targeting (24 Extensions)
The malware contains a base64-encoded list of 24 cryptocurrency wallet browser extensions:
Primary Targets:
- Metamask (Ethereum, ~21M users)
- Coinbase (major exchange wallet)
- BinanceChain (Binance ecosystem)
- Phantom (Solana ecosystem)
- BraveWallet (Brave browser integrated)
Multi-Chain Wallets:
- MathWallet, GuardaWallet, AtomicWallet, Coin98Wallet, BitAppWallet
Gaming/NFT Focused:
- RoninWallet (Axie Infinity), GuildWallet, Wombat (EOS gaming), NiftyWallet
Blockchain-Specific:
- TronLink (Tron), TerraStation (Terra/Luna), HarmonyWallet, KardiaChain, TonCrystal, YoroiWallet (Cardano)
Additional:
- EqualWallet, JaxxxLiberty, iWallet, MewCx (MyEtherWallet)
The inclusion of RoninWallet (Axie Infinity), GuildWallet, and Wombat indicates operators specifically target blockchain gaming communities and NFT traders. Multi-chain wallet support (MathWallet, Coin98, AtomicWallet) targets DeFi traders who manage portfolios across multiple blockchains. It appears very flexible.
Browser Data Theft
Chromium-Based Browsers:
Target Files:
Login Data→ SQLite database with encrypted credentialsCookies→ Session cookies for session hijackingLocal State→ Contains master encryption key for passwordsWeb Data→ Autofill data, payment methods*/User Data/Default→ Profile-specific data
Credit Card Theft:
card_number_encrypted,name_on_card,expiration_month,encrypted_value
Supported Browsers: Chrome, Edge, Opera GX, Brave, any Chromium-based browser
Firefox-Based:
Target Files:
cookies.sqlite,logins.json,key4.db(master password),cert9.db
Access to Local State and key4.db allows decryption of all stored passwords, enabling complete credential harvesting from browser password managers.
Application-Specific Targeting
Discord Token Theft:
Target Path: %appdata%\discord\Local Storage\leveldb\
Target Files: *.ldb, Tokens.txt
Potential Impact:
├─ Complete account takeover
├─ Access to all DMs and servers
├─ Ability to send messages as victim
└─ Two-factor bypass (token-based auth)
(Discord's token security sucks :p)
Telegram Data Exfiltration:
Target Path: \Telegram Desktop\tdata\
Target Files: key_datas, *s files, user_data, usertag, settings*
Impact:
├─ Complete message history access
├─ Contact list exfiltration
├─ Media file access
└─ Session hijacking
Steam Account Theft:
Registry Target: Software\Valve\Steam\SteamPath
File Targets: ssfn*, config/loginusers.vdf, config/config.vdf
Impact:
├─ Complete account access
├─ Inventory theft (CS:GO skins, TF2 items)
├─ Steam Market access
└─ Trading functionality
FileZilla FTP Credentials:
Target Paths: %appdata%\FileZilla\
Target Files: recentservers.xml, sitemanager.xml (plaintext passwords)
Impact:
├─ Website/server access
├─ Database credentials (if stored)
├─ Ability to deface websites
└─ Lateral movement to server infrastructure
VPN Configuration Theft:
Target Extensions: *.ovpn, *.vd, profiles*.ld, *.conf
Specific Targets: OpenVPN, NordVPN, ProtonVPN, WireGuard
Impact:
├─ Corporate network access
├─ VPN credential theft
├─ Bypass of IP geolocation restrictions
└─ Enterprise network penetration
System Reconnaissance
The malware performs comprehensive system profiling before data exfiltration.
Security Software Enumeration:
WMI Queries:
├─ ROOT\SecurityCenter → Windows Security Center status
├─ ROOT\SecurityCenter2 → Windows Defender status
├─ AntiSpyWareProduct → Installed anti-malware products
└─ FirewallProduct → Firewall configuration
System Information Collection:
Data Points:
├─ CommandLine → Process command-line arguments
├─ DisplayVersion → Windows version/build
├─ DisplayName → Installed software names
├─ TotalVisibleMemorySize → Total RAM capacity
├─ ProcessorId → CPU identifier
└─ UserName → Current user account
File System Scanning:
Target Directories:
├─ %appdata%
├─ %localappdata%
├─ %USERPROFILE%\AppData\Roaming
├─ %USERPROFILE%\AppData\Local
├─ \Program Files\
└─ \Program Files (x86)\
String Obfuscation
The malware employs multiple layers of obfuscation for sensitive string storage:
- Layer 1: XOR encryption with key 0xD0 (208 decimal)
- Layer 2: Base64 encoding over XOR-encrypted data
- Layer 3: Calli obfuscation prevents string-to-usage mapping
Network Infrastructure Analysis
Active Command & Control
Primary C2 Server:
IP Address: 45.141.87.249
Port: 15847
ASN: Media Land LLC
Country: Russian Federation
Status: Offline (failed connection during analysis)
Protocol: TCP

The malware also contacts binance servers (hosted on AWS) dynamic ip etc:
IP Address: 52.223.34.155
Port: 443 (HTTPS)
ASN: AMAZON-02 (AWS)
Country: United States
Data Observed: 829 bytes upload, 5 KB download
Purpose: Likely data exfiltration or secondary C2
Status: Active (successful connection)

The Russian C2 was offline during analysis (connection attempts failed).
Cryptocurrency Operations Infrastructure
Binance Smart Chain (BSC) Nodes:
Primary Nodes:
├─ bsc-dataseed1.ninicoin.io
├─ bsc-dataseed2.ninicoin.io
├─ bsc-dataseed3.ninicoin.io
└─ bsc-dataseed4.ninicoin.io
Binance Official: bsc-dataseed1.binance.org
Protocol: JSON-RPC over HTTPS
Port: 443

Network Traffic Pattern
Wireshark Analysis Results:
Russian C2 Connection Attempt
- 45.141.87.249:15847
- Status: FAILED (RST packet received)
- Retries: 3 attempts, all failed
- Conclusion: C2 server offline/blocked
AWS Connection
- 52.223.34.155:443
- Status: SUCCESS (TLS handshake complete)
- Data Transfer: 829 bytes up, 5 KB down
- TLS Version: 1.2
BSC Node Queries
- bsc-dataseed[1-4].ninicoin.io:443
- Status: SUCCESS (multiple queries)
- Request Pattern: eth_call JSON-RPC
- Frequency: ~15 queries per minute
AliyunWrap.dll Deep Dive
AliyunWrap.dll is one of the most interesting components. It’s a 493 KB DLL heavily detected by AV (39/72) that initially appeared suspicious but dependency testing proved it’s required for E-Consol.exe to function.
Removing AliyunWrap.dll causes E-Consol.exe to fail immediately with “AliyunWrap.dll was not found” error. It appears to be an essential component.

Ghidra Analysis: Legitimate Cloud APIs
Static analysis in Ghidra revealed AliyunWrap.dll contains a complete, professional implementation of Alibaba Cloud Log Service APIs.

Exported DLL Functions:
AliyunOpenSession, AliyunCloseSession, AliyunSendInfo
AliyunAddParamToSessionA/W, AliyunEnableUserInfoCollect
AliyunGetUserUid, AliyunInstallConfigFilePath
AliyunInstallInitUid, AliyunIsEnableUserInfoCollect
AliyunStopProcess, AliyunUninstallStart/End
SendLogToCloud (main cloud upload function)
Configuration System:
[Config Section Keys]
LOGENDPOINT, ACCESSKEYID, ACCESSKEYSECRET
PROJECTNAME, LOGSTORENAME, LOGSTORENAME2
ProductName, AllowSendUrl, SZUID
bAllowSendInfo, bAutoAddUid, bAutoAddTimestamp
nLimitKeyvalueMaxLen, nLimitPairsCount
nMaxItemCount, nMaxItemDays, nMaxIdleMinutes
Network Protocol Implementation:
POST http://[project].[domain]/logstores/[logstore]/shards/lb HTTP/1.1
Host: [project].[domain]
Content-Type: application/x-protobuf
x-log-apiversion: 0.6.0
x-log-compresstype: lz4
x-log-signaturemethod: hmac-sha1
x-log-bodyrawsize: [size]
x-acs-security-token: [token]
Content-MD5: [hash]
Authorization: LOG [accesskey]:[signature]
User-Agent: log-c-lite_0.1.0
Date: [RFC 822 timestamp]
[Protocol Buffers binary data - LZ4 compressed]
System Profiling Capabilities:
Hardware enumeration:
├─ HARDWARE\DESCRIPTION\System\CentralProcessor\0
├─ ProcessorNameString (CPU model)
├─ SystemBiosVersion
└─ ~MHz (CPU frequency)
Process monitoring:
├─ CreateToolhelp32Snapshot (enumerate processes)
├─ Process32FirstW/Process32NextW (iterate)
└─ OpenProcess (access process handles)
Network adapter info:
├─ GetAdaptersInfo (MAC addresses)
└─ Network interface details
Credential Harvesting Infrastructure:
.netrc file parsing:
├─ machine [hostname]
├─ login [username]
└─ password [password]
Authentication methods supported:
├─ LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, GSSAPI
├─ EXTERNAL, NTLM, SCRAM-SHA-1, SCRAM-SHA-256
├─ XOAUTH2, OAUTHBEARER, AWS_SIGV4
Protocol support:
├─ IMAP (CAPABILITY, AUTHENTICATE, FETCH)
├─ SMTP (MAIL FROM, RCPT TO)
├─ POP3
└─ STARTTLS
Code Signing Certificate:
Signer: CHENGDU YIWO Tech Development Co., Ltd.
Location: Wuhou District, Chengdu, Sichuan
Organization ID: 91510107765360104N
CA: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Valid: 2024-07-09 to 2027-07-09 (REVOKED)
PDB Debug Paths:
D:\svn\share_lib\99_publiclibrary\aliyunlog-2017\userinfocollect\aliyun-vs2017-lib\aliyun\src\log_api.cpp
D:\EPM\_EPM_main\ShareLib\aliyunlog\Release_x64\AliyunWrap.pdb
The professional implementation uses correct Alibaba Cloud authentication (HMAC-SHA1), proper Protocol Buffers serialization, and LZ4 compression. The PDB paths reveal SVN version control and professional development environment.
The Runtime Reality: Required But Not Used for Cloud
Dependency testing proved AliyunWrap.dll is required for E-Consol.exe to start (removing it causes immediate failure). However, dynamic analysis revealed zero Alibaba Cloud traffic.
AliyunWrap.dll IS loaded by E-Consol.exe (hard dependency), and some functions from it are used (likely crypto/PNG extraction), but the Alibaba Cloud networking functions are not used (no cloud traffic).
E-Consol.exe likely imports AliyunWrap.dll for its crypto/decompression functions (needed to extract Jeadpietpour.rky payload) but doesn’t use the cloud upload functionality. The cloud API code is vestigial from an earlier version or repurposed from legitimate software.
Definitive Evidence: Import Analysis
Analysis of E-Consol.exe’s import table definitively resolves whether AliyunWrap.dll’s extensive credential harvesting and cloud upload code is active.
E-Consol.exe imports one single function from AliyunWrap.dll:
ALIYUNWRAP.DLL
└─ SendLogToCloud
E-Consol.exe does not import any of the other 26 exported functions
What This Proves:
- E-Consol.exe cannot call functions it doesn’t import
- The credential harvesting code requires those other functions – they’re part of the “user info collect” and “session” APIs
- Only
SendLogToCloud()is used – despite its misleading name, this is the decryption/extraction function - All other code is vestigial – present in the DLL but unreachable by E-Consol.exe
The FTP/IMAP/SMTP/credential harvesting code in AliyunWrap.dll is definitively inactive in this sample. E-Consol.exe’s import table proves it only uses the single SendLogToCloud() function, which despite its name, is repurposed for payload decryption rather than cloud data exfiltration.
Why the Cloud Code Remains
Evidence Supporting Repurposed Library Theory:
- Code Signing Certificate:
- Signed by legitimate Chinese software company (CHENGDU YIWO Tech)
- Certificate was revoked (indicating abuse/theft)
- Suggests this is real Aliyun SDK code from a legitimate product
- Professional Development:
- PDB paths show SVN version control:
D:\EPM\_EPM_main\ShareLib\aliyunlog\ - Production quality code with proper error handling
- Too polished to be fake/decoy code
- PDB paths show SVN version control:
- Functional Crypto Library:
- Contains working implementations of HMAC-SHA1, MD5, Base64, LZ4
- These functions ARE used by E-Consol.exe (for Jeadpietpour.rky extraction)
- Only the cloud UPLOAD functions are unused
- Dependency Requirement:
- E-Consol.exe hard-coded to require AliyunWrap.dll
- Not just present as misdirection – actually imported and loaded
- Removing it causes immediate execution failure
AliyunWrap.dll is a repurposed legitimate library from Alibaba Cloud SDK or telemetry software. The malware authors kept the crypto/compression functions they need, left the cloud upload code intact (easier than removing), and never use the credential harvesting code. The YIWO Tech certificate being revoked supports this – it was legitimate software that was stolen and repurposed for malware.
Unintentional Decoy Effect:
While AliyunWrap.dll is functionally necessary, it creates a decoy effect:
- 39/72 AV detection draws attention away from 0/72 clean E-Consol.exe
- Analysts waste time analyzing unused cloud functions
- Attribution confusion (Chinese certificate + Russian C2)
Reverse Engineering AliyunWrap.dll
This section documents the reverse engineering process that revealed how E-Consol.exe loads and decrypts Jeadpietpour.rky using AliyunWrap.dll. Analysis was performed using Ghidra with supplemental dynamic analysis via ANY.RUN sandbox.
Component Architecture
E-Consol.exe (Orchestrator):
- Imports only
SendLogToCloudfrom AliyunWrap.dll - Builds parameter vector via internal functions
- Calls AliyunWrap.dll with configuration data
- Performs post-load operations via
AttemptInstallation
AliyunWrap.dll (Dual-Purpose Library):
- Legitimate Path: Alibaba Cloud Log Service API (unused in this sample)
- Malicious Path: PE reflective loading and decryption
Confirmed Call Chain
E-Consol.exe
├─ FUN_1400017a0 (Main orchestration loop)
│ ├─ FUN_140001e60 (Data preparation)
│ ├─ FUN_140001b20 (Build parameter vector)
│ └─ SendLogToCloud(vector<pair<wchar_t*, wchar_t*>>)
│
AliyunWrap.dll
├─ SendLogToCloud (Vector entry point - 0x180004050)
│ └─ Data conversion: wchar_t → char
│ └─ SendLogToCloud (Raw pointer wrapper - 0x180003fa0)
│ └─ Retry logic (attempts twice on failure)
│ └─ SendLogToCloud_Interface (Orchestrator - 0x180003d20)
│ ├─ LoadCloudConfig (Parse AliyunConfig.ini)
│ ├─ ExtractDomain/ExtractEndpoint (Parse settings)
│ ├─ GetCloudContext (Initialize context)
│ ├─ UploadDataToCloud (Protocol Buffers encoding)
│ └─ [Unknown routing logic] ← GAP IN ANALYSIS
│ └─ ReflectivePELoader (PE loader - 0x180008e30)
│ ├─ API resolution via hashing
│ ├─ File operations (CreateFileW/ReadFile - obfuscated)
│ ├─ PE header parsing
│ ├─ Memory allocation + VirtualProtect
│ └─ Payload execution
Analysis Gap: The exact conditional logic that routes from SendLogToCloud_Interface to ReflectivePELoader is obfuscated. Static analysis shows both functions exist, but the dispatcher mechanism uses either encrypted parameters or function pointer indirection that wasn’t fully resolved.
Import Analysis: Definitive Proof of Unused Code
E-Consol.exe’s import table confirms which AliyunWrap.dll functions are used:

Imported Functions:
✓ SendLogToCloud (vector<pair<wchar_t*, wchar_t*>>) - USED
Not Imported:
✗ AliyunOpenSession
✗ AliyunEnableUserInfoCollect
✗ AliyunSendInfo
✗ All other 26+ cloud API functions
This proves the extensive Alibaba Cloud code (HMAC-SHA1, Protocol Buffers, HTTP client) is vestigial – present in the DLL but unreachable by E-Consol.exe. The credential harvesting code discovered in FLOSS analysis is definitively inactive.
AliyunWrap.dll Obfuscation Analysis
Static analysis of AliyunWrap.dll revealed significant anti-analysis techniques that prevented complete code tracing:
API Hashing: Function calls throughout the DLL use dynamic resolution via hash-based lookups (multiplicative hash: hash * 2 + byte). This prevents static identification of which Windows APIs are called, though constants matching standard file I/O parameters (GENERIC_READ, OPEN_EXISTING) were observed.
String References: Analysis confirmed Jeadpietpour.rky is explicitly referenced in AliyunWrap.dll code at address 0x180008e30, with ASCII-to-wide-char conversion patterns consistent with Windows file operations.
Code Patterns: The function at 0x180008e30 contains:
- Hash-based function resolution loops
- Constants matching PE structure offsets (0x3c, 0x2c)
- Memory protection constant 0x40 (PAGE_EXECUTE_READWRITE value)
- Memory copy operations
These patterns are consistent with reflective PE loading techniques, though the exact execution flow could not be definitively traced due to obfuscation.
Analysis Limitation: The routing mechanism from SendLogToCloud to internal payload processing functions uses either encrypted parameters or function pointer indirection that static analysis could not fully resolve. Import table analysis remains the definitive proof of which functions E-Consol.exe actually uses.
Technical Findings Summary
Observed Evidence:
- Function at 0x180008e30 exists and is registered in Windows SEH exception table
- References “Jeadpietpour.rky” string explicitly
- Converts filename to wide char for Windows APIs
- Uses API hashing to obfuscate Windows function calls
- Contains constants matching standard file I/O and PE structure parameters
- Contains constant 0x40 (PAGE_EXECUTE_READWRITE value)
- Contains memory copy loops and indirect function calls
Inferred Behavior (based on code patterns):
- Function likely performs file operations on Jeadpietpour.rky
- Code patterns consistent with PE loading techniques
- Memory operations suggest executable payload loading
Unknown Elements:
- Exact decryption algorithm (AES-256 suspected based on AliyunWrap.dll crypto functions)
- Decryption key source (embedded, derived, or from Meck.xkd)
- Precise routing logic from SendLogToCloud_Interface to payload loading
- Complete API hash to function name mapping
- Meck.xkd purpose (83KB file – possibly staging data or key material)
Why This Design is Effective
The separation of concerns provides multiple evasion layers:
- Clean Executables: E-Consol.exe (0/72 detection) and FluInterface32.exe (0/68 detection) contain no malicious code on disk
- Repurposed Library: AliyunWrap.dll appears as legitimate Alibaba SDK with valid (revoked) code signature
- Encrypted Payload: Jeadpietpour.rky remains encrypted on disk until runtime
- Memory-Only Execution: Malicious code never touches disk in decrypted form
- API Obfuscation: Hashing prevents signature-based detection of malicious API sequences
Automated Analysis: CAPA Findings
CAPA (FLARE Capability Analysis) was run against both E-Consol.exe and AliyunWrap.dll to identify capabilities through automated pattern matching. Key findings support and extend our manual analysis.
E-Consol.exe Capabilities
File Operations:
✓ read .ini file (6 matches) - Configuration file parsing
✓ write file on Windows - Dropper functionality
✓ delete file (2 matches) - Cleanup operations
✓ check if file exists (2 matches) - Pre-execution validation
✓ set current directory - Environment manipulation
Process Management:
✓ check mutex and exit - Anti-rerun protection
✓ create mutex - Single instance enforcement
✓ parse PE header - PE file manipulation capability
Network Communication:
✓ download URL - File retrieval capability
✓ receive data - C2 communication potential
✓ HTTP client - Web-based communication
Runtime Behavior:
✓ link function at runtime (5 matches) - Dynamic API resolution via GetProcAddress
✓ reference anti-VM strings - VM detection capability
✓ query registry value - System reconnaissance
AliyunWrap.dll Capabilities
Anti-Analysis Techniques:
✓ check for software breakpoints (0x180015B90) - Anti-debugging
✓ reference anti-VM strings - VM detection
Cryptographic Operations (Confirms Our Analysis):
✓ hash data using djb2 (0x18001E090) - API hashing function
✓ hash data with MD5 - Integrity checking
✓ hash data using SHA1 (2 matches) - HMAC operations
✓ authenticate HMAC - Alibaba Cloud authentication
✓ encrypt data using RC4 PRGA (2 matches) - Stream cipher
✓ encrypt data using DES - Block cipher
✓ encrypt or decrypt via WinCrypt - Windows Crypto API usage
✓ encode data using XOR (2 matches) - Simple obfuscation
✓ encode data using Base64 - Data encoding
Key Discovery – API Resolution:
✓ resolve function by parsing PE exports (0x180008AC4)
This function at 0x180008AC4 is part of the API hashing infrastructure we documented in ReflectivePELoader. It parses PE export tables to resolve function addresses by hash, confirming our static analysis findings.
Key Discovery – DJB2 Hashing:
✓ hash data using djb2 (0x18001E090)
The DJB2 hash algorithm is commonly used for API hashing in malware. However, our manual analysis of ReflectivePELoader showed a simpler hash * 2 + byte algorithm. This suggests:
- Multiple hashing schemes are present in AliyunWrap.dll
- DJB2 may be used elsewhere (possibly for config or string obfuscation)
- The ReflectivePELoader uses a custom variant
Network & Communication (Extensive Capabilities):
✓ send data (15 matches) - Comprehensive exfiltration capability
✓ receive data (5 matches) - C2 communication
✓ HTTP status code checking (3 matches) - Robust HTTP client
✓ resolve DNS - Domain resolution
✓ initialize Winsock library - Network stack initialization
✓ socket operations (11+ matches) - Raw socket communication
Process & System Manipulation:
✓ create process on Windows (2 matches) - Process spawning capability
✓ enumerate processes (2 matches) - System reconnaissance
✓ terminate process (2 matches) - Process control
✓ enumerate process modules - Advanced process inspection
✓ create thread (2 matches) - Multi-threading support
File System Operations:
✓ read file on Windows (4 matches) - File I/O confirmed
✓ write file on Windows (2 matches) - File creation
✓ read .ini file (4 matches) - Configuration parsing
✓ copy file (2 matches) - File duplication
✓ move file - File relocation
✓ delete file - File cleanup
Analysis Correlations
Confirmed from Manual Analysis:
- API Hashing: CAPA identified djb2 hashing (0x18001E090) and PE export parsing (0x180008AC4), validating our observation of API obfuscation in ReflectivePELoader
- Cryptographic Capabilities: Multiple encryption schemes (RC4, DES, HMAC-SHA1) confirm AliyunWrap.dll’s crypto functionality for Jeadpietpour.rky decryption
- File Operations: Read/write capabilities support our conclusion that the DLL performs file I/O despite not seeing direct CreateFileW in decompiled code
- Anti-Analysis: Software breakpoint detection and anti-VM strings confirm sophisticated evasion techniques
New Discoveries:
- Process Enumeration: Two separate implementations suggest capability to identify security products or sandboxes
- Thread Creation: Multi-threading support may indicate asynchronous operations or persistence mechanisms
- Named Pipes: Read pipe capability (0x180040160) suggests potential for inter-process communication or cmd.exe output capture
- Luhn Algorithm: Payment card validation (0x180033B40) indicates potential credit card theft functionality beyond our initial analysis
CAPA Limitations
CAPA identifies capabilities but cannot determine:
- Whether capabilities are actually used (many may be vestigial from legitimate Alibaba SDK)
- The routing logic between components
- Encrypted strings or obfuscated parameters
- Runtime behavior under specific conditions
Our manual analysis provides context for which CAPA-detected capabilities are actively exploited versus dormant code.
Conclusion
This Arechclient2/SectopRAT variant demonstrates advanced adversary tradecraft through component separation and multi-layer evasion.
The Component Strategy
AliyunWrap.dll serves a dual purpose: it’s both functionally necessary and analytically misleading.
Functional Necessity:
- Dependency testing proved E-Consol.exe crashes without AliyunWrap.dll
- Contains crypto/decompression functions (CAPA identified DES, RC4, SHA1, HMAC implementations)
- Likely provides Windows CryptoAPI wrapper functions for decrypting Jeadpietpour.rky
Analytical Misdirection:
- Contains extensive Alibaba Cloud API code that never executes
- Contains FTP/IMAP/SMTP credential harvesting code that’s definitively unused (import analysis proves this)
- PDB paths suggest legitimate software origin, not purpose-built malware
- Heavy AV detection (39/72) draws attention while clean components (0/72) execute
The most likely explanation: AliyunWrap.dll is repurposed from legitimate Alibaba Cloud SDK or telemetry software. The malware authors kept the crypto/compression functions they need, left the cloud upload code intact (easier than removing), and never use the credential harvesting code. The YIWO Tech certificate being revoked supports this.
Evasion Through Separation
The multi-layer evasion strategy operates across the entire attack lifecycle:
- Delivery Phase: Clean PNG (0/97) bypasses email/web filters via steganography
- Installation Phase: Clean executables (0/72) bypass AV signature scans
- Execution Phase: Process injection hides malicious code in memory-only execution
- Analysis Phase: Calli obfuscation defeats debuggers and decompilers
- Network Phase: Legitimate infrastructure (BSC, AWS) appears as normal traffic
Financial Targeting
The comprehensive cryptocurrency targeting (24 wallet extensions) combined with gaming (Steam), messaging (Discord/Telegram), and business (FTP) credentials reveals operators specifically hunting high-value targets:
- Blockchain Gamers: RoninWallet (Axie Infinity) targets play-to-earn users
- DeFi Traders: Multi-chain wallets target users with diversified portfolios
- NFT Collectors: Wallets like MewCx and NiftyWallet target NFT traders
- Enterprise Users: FTP and VPN theft enables lateral movement
Evolution from Standard SectopRAT
This variant represents significant evolution from standard SectopRAT deployments:
| Evolution Point | Standard SectopRAT | This Variant |
|---|---|---|
| Delivery | Direct download | HijackLoader steganography |
| Injection | MSBuild.exe (LOLBin) | Custom FluInterface32.exe |
| Obfuscation | Basic ConfuserEx | Strategic clean/obfuscated separation |
| C2 | Dynamic (Pastebin) | Hardcoded Russian + AWS backup |
| Targeting | ~10 wallets | 24 wallets + comprehensive apps |
The shift to steganographic delivery, combined with custom injection targets and intentional decoy modules, shows commodity malware adopting APT-level techniques.
What Was Definitively Proven
Confirmed findings:
- Steganographic delivery via PNG (IDAT chunk + XOR decryption)
- Multi-component architecture with clean droppers (0/72 detection)
- Component dependencies: E-Consol.exe requires AliyunWrap.dll and Jeadpietpour.rky
- Process injection into FluInterface32.exe (confirmed via Hollows Hunter)
- Comprehensive RAT/infostealer capabilities from memory dump (24 crypto wallets, Discord, Telegram, Steam, FTP, VPN)
- C2 infrastructure: Russian C2, AWS backup, BSC blockchain queries
- AliyunWrap.dll credential harvesting is DEFINITIVELY INACTIVE (import analysis proves this)
- Calli obfuscation prevents debugging
Unknown or speculative:
- Exact decryption mechanism in AliyunWrap.dll (likely AES-256)
- Meck.xkd purpose (83KB file – possibly key file or config)
- Jeadpietpour.rky internal structure (PNG container with encrypted payload)
- Injection technique details (exact API calls unknown)
- Full C2 protocol (server was offline during analysis)
Static Analysis: CAPA Capability Detection
CAPA analysis confirms the capabilities observed during reverse engineering and reveals additional functionality in both components.
E-Consol.exe Capabilities
Core Functionality:
parse PE header → Confirms PE manipulation capability
create mutex → Single-instance enforcement
check mutex and exit → Prevents multiple executions
File System Operations:
read .ini file (6 matches) → Configuration file processing
check if file exists (2 matches) → File verification
delete file (2 matches) → Cleanup operations
write file on Windows → Component deployment
set current directory → Working directory manipulation
Network Operations:
download URL → File download capability
receive data → C2 communication
get MAC address on Windows → System fingerprinting
Anti-Analysis:
reference anti-VM strings → VM detection capability
link function at runtime (5 matches) → Dynamic API resolution
AliyunWrap.dll Capabilities
Command & Control:
send data (15 matches) → Extensive C2 communication
receive data (5 matches) → Command reception
check HTTP status code (3 matches) → HTTP-based C2 validation
resolve DNS → Domain resolution
get socket information (11 matches) → Network operations
initialize Winsock library → Windows sockets initialization
Cryptography & Encoding:
hash data using MD5 → Data integrity/identification
hash data using SHA1 (2 matches) → Cryptographic hashing
hash data using djb2 → Fast hashing (likely for API hashing)
authenticate HMAC → Message authentication (Alibaba Cloud)
encrypt data using RC4 (2 matches) → Stream cipher encryption
encrypt data using DES → Block cipher encryption
encode data using XOR (2 matches) → Simple obfuscation
encode data using Base64 → Data encoding
Process & System Interaction:
create process on Windows (2 matches) → Process spawning (FluInterface32.exe)
enumerate processes (2 matches) → System reconnaissance
enumerate process modules → Module enumeration
terminate process (2 matches) → Process control
read pipe → Inter-process communication
create thread (2 matches) → Threading capability
Anti-Analysis & Evasion:
check for software breakpoints → Anti-debugging
reference anti-VM strings → VM detection
resolve function by parsing PE exports → Dynamic API resolution (confirms our findings)
Data Theft Infrastructure:
get MAC address on Windows → Network fingerprinting
get local IPv4 addresses (11 matches) → Network enumeration
query environment variable (2 matches) → System information gathering
get session user name → User identification
get user security identifier → SID enumeration
File Operations:
read file on Windows (4 matches) → File reading (Jeadpietpour.rky)
write file on Windows (2 matches) → File writing
copy file (2 matches) → File copying
move file → File relocation
delete file → Cleanup operations
check if file exists (2 matches) → File verification
read .ini file (4 matches) → Configuration parsing
Notable Technical Details:
linked against libcurl → Uses libcurl for HTTP operations
validate payment card number using luhn → Credit card validation capability
generate random numbers via WinAPI → PRNG for cryptographic operations
Key Observations
1. Dual-Purpose Design: AliyunWrap.dll contains both legitimate Alibaba Cloud functionality (HMAC, HTTP, Base64) and malicious capabilities (process enumeration, anti-debugging, PE parsing for injection).
2. Comprehensive Crypto Suite: The presence of MD5, SHA1, HMAC, RC4, DES, and XOR indicates multi-layered encryption and authentication – explaining why static analysis of Jeadpietpour.rky reveals only high entropy.
3. API Hashing Confirmed: CAPA detected “resolve function by parsing PE exports” and “hash data using djb2” – confirming the API hashing obfuscation observed in ReflectivePELoader.
4. Anti-Analysis Focus: Both components implement anti-debugging and anti-VM checks, combined with dynamic API resolution – sophisticated evasion for commodity malware.
5. Network Infrastructure: 15 send data functions and 5 receive data functions in AliyunWrap.dll confirm extensive C2 capabilities beyond just the Alibaba Cloud upload functionality.
CAPA Static Analysis
CAPA revealed capabilities supporting our reverse engineering findings:
E-Consol.exe Capabilities
- Parse PE header (0x14001085C)
- Read .ini files (6 matches)
- Create mutex (0x1400031A0)
- Download URL, Receive C2 data
- Anti-VM strings reference
AliyunWrap.dll Capabilities
Cryptographic Operations:
- DES encryption (0x180059500), RC4 PRGA (2 matches)
- MD5 (0x180013D80), SHA1 (2 matches), HMAC (0x18005C1B0)
- Base64/XOR encoding
PE Manipulation:
- Resolve function by parsing PE exports (0x180008AC4) → Confirms API hashing in ReflectivePELoader
- Create process (2 matches) → Confirms FluInterface32.exe spawning
Network:
- Send data (15 matches), receive data (5 matches)
- HTTP status checks (3 matches), libcurl linked
Anti-Analysis:
- Software breakpoint detection (0x180015B90)
- Anti-VM strings
Key Validation:
- PE export parsing (0x180008AC4) validates our API hashing analysis
- Crypto suite (RC4, DES, SHA1, HMAC) supports Jeadpietpour.rky decryption theory
- Process creation confirms FluInterface32.exe spawning capability
Indicators of Compromise (IOCs)
File Hashes (SHA-256)
Initial Delivery:
7dc2ddaac0f6c54d774f6b336fa15a249fd0d5e74a903e7ada07cc00772c8341
└─ XMouseButtonControlSetup.2.20.5.exe (2.80 MB, 41/71 detection)
163810b5276c23ddccfdcbcb85ac97c58957b7968aae5312cb06668e68f6ac98
└─ goto.ps1 (PowerShell dropper, 14/63 detection)
Core Components:
0285dd7f0017a6b8d6dad24b1b876970dc9766db49811647f3d5a68fbfa2143a
└─ E-Consol.exe (178 KB, 0/72 detection)
57ec97f531753ff2c825eabb56134754d0a7c1edb606d278ccbcb8506b5a5a6c
└─ FluInterface32.exe (67 KB, 0/68 detection)
6cc3640cd7e5b027f39ef83fe23bd25ef01addc144fca7bdd0f0c8c763349e85
└─ AliyunWrap.dll (493 KB, 39/72 detection)
[Unknown]
└─ wos....exe (dumped RAT payload)
d6b40125f781c1d44c4e3b497e0705012c7ed9cb253c18e390dd48aaf6dcae89
└─ Jeadpietpour.rky (1.69 MB, encrypted modules)
41e50d05d58f48d5b473b2118fe03d438a662c76873c8d367dbe4dd653a0ee47
└─ Meck.xkd (83 KB, secondary encrypted component)
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
└─ AliyunConfig.ini (2 bytes, configuration file)
Network Indicators
Command & Control:
45.141.87.249:15847/tcp - Primary Russian C2 (offline during analysis)
52.223.34.155:443/tcp - AWS Binance IP (likely)
Cryptocurrency Infrastructure:
bsc-dataseed1.ninicoin.io:443
bsc-dataseed2.ninicoin.io:443
bsc-dataseed3.ninicoin.io:443
bsc-dataseed4.ninicoin.io:443
bsc-dataseed1.binance.org:443
Steganographic Payload:
https://i.postimg.cc/L41T7Xgc/memmmu.png (0/97 detection)
File System Indicators
Installation Paths:
%APPDATA%\Roaming\GoToxW\
%PROGRAMDATA%\Checksystemjxg\
%LOCALAPPDATA%\XMouseButtonControl\
%USERPROFILE%\FluInterface32.exe
Persistence:
%STARTUP%\GoTo.lnk (shortcut to E-Consol.exe)
Targeted Data Locations:
Browser Data:
├─ %LOCALAPPDATA%\Google\Chrome\User Data\Default\
├─ %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\
├─ %APPDATA%\Opera Software\Opera GX Stable\
└─ %APPDATA%\Mozilla\Firefox\Profiles\
Application Data:
├─ %APPDATA%\discord\Local Storage\leveldb\
├─ %APPDATA%\Telegram Desktop\tdata\
├─ %APPDATA%\FileZilla\
└─ Registry: Software\Valve\Steam\
Registry Indicators
HKLM\Software\Microsoft\Tracing\FluInterface32_RASAPI32
HKLM\Software\Microsoft\Tracing\FluInterface32_RASMANCS
Software\Valve\Steam\SteamPath
ROOT\SecurityCenter
ROOT\SecurityCenter2
Behavioral Indicators
Process Artifacts:
Parent-Child Relationships:
├─ E-Consol.exe → powershell.exe (with -ExecutionPolicy Bypass)
├─ powershell.exe → goto.ps1
├─ E-Consol.exe → FluInterface32.exe
└─ E-Consol.exe → attrib.exe +h [path]
Network Behavior:
├─ Failed connections to 45.141.87.249:15847
├─ Successful HTTPS to 52.223.34.155:443
├─ Multiple eth_call JSON-RPC requests to BSC nodes
└─ Connection attempts from FluInterface32.exe (unexpected process)
Memory Indicators:
Process Injection Signs:
├─ FluInterface32.exe with .NET modules loaded (originally native PE)
├─ Undetermined image sizes in memory
├─ RWX (Read-Write-Execute) memory regions
└─ Unsigned code executing in signed process space
