{
	"id": "5d8bce05-0264-4bad-bcdf-091235adf9ff",
	"created_at": "2026-04-06T00:07:07.115464Z",
	"updated_at": "2026-04-10T13:12:23.953928Z",
	"deleted_at": null,
	"sha1_hash": "29135676591edaaae51ba9724d6907971e3e40e1",
	"title": "The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2532656,
	"plain_text": "The Avast Abuser: Metamorfo Banking Malware Hides By\r\nAbusing Avast Executable\r\nBy Chen Erlich\r\nPublished: 2020-04-09 · Archived: 2026-04-05 13:30:40 UTC\r\nSource: ensilo.com/BreakingMalware\r\nTwitter: @chen_erlich\r\nSUMMARY\r\nIn May 2019, enSilo’s Threat Intelligence team observed activity by a cybercrime group spreading Metamorfo,\r\na Brazilian banking trojan. The variants we discovered abuse an executable digitally signed by Avast, which is\r\none of the most popular consumer AV products in the world. We were able to connect this activity to a\r\ncampaign reported by TrendMicro which targeted an executable by a different Anti-Virus vendor, Avira. This\r\nfurther highlights the modus operandi of the group.\r\nThis blog post describes in detail one of the variants used in this campaign and highlights unique Tactics,\r\nTechniques and Procedures (TTPs) used in this campaign which were not previously disclosed.\r\nTECHNICAL ANALYSIS\r\nIn May 2019, enSilo detected new activity by a Brazilian cybercrime group. Both loader variants and their\r\nrespective payloads that were analyzed share similar TTPs and code associated with a Brazilian cybercrime group.\r\nExecution Flow Overview\r\nOn execution, the MSI downloader starts by checking if it is running in a virtual machine. If not, it downloads a zip\r\nfile, unzips it, deletes itself, establishes persistence and restarts the system.\r\nhttps://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767\r\nPage 1 of 15\n\nThe zip file contains the following files:\r\n1. jesus.exe — Signed AVDump32 — Avast’s memory dump utility. Renamed to a random name.\r\n2. dbghelp.dll — Malicious file to be side-loaded by AJWrDz.exe.\r\n3. jesus.dmp — Payload to be loaded by the injected Windows Media Player\r\nexecutable (wmplayer.exe). Later renamed to the same random name as\r\njesus.exe with a .dmp extension.\r\n4. 
ssleay64.dll — Known variant of Metamorfo. Will be loaded and used in the\r\ninjected wmplayer.exe.\r\n5. ssleay32.dll — OpenSSL Shared Library.\r\n6. borlndmm.dll — Borland Memory Manager.\r\n7. libeay32.dll — OpenSSL Shared Library.\r\nDuring the rest of the analysis we will refer to jesus.exe as “AJWrDz.exe”, which is the random name generated in\r\nthis execution. After the system reboots, the file “AJWrDz.exe” executes, which in turn triggers the side-loading\r\nof the malicious (and fake) DLL file “dbghelp.dll”. This malicious DLL file injects itself into the Windows Media\r\nPlayer process — wmplayer.exe, and reflectively loads the renamed jesus.dmp file, “AJWrDz.dmp”.\r\nThe following diagram describes the high-level execution flow of the variants in this campaign:\r\nFigure 1: Execution flow\r\nMSI DOWNLOADER\r\nThe following are the static characteristics of the Windows Installer (MSI) downloader which starts the infection;\r\nthis MSI downloader is similar to the one used in the earlier part of the campaign:\r\nFile Name: HNR-Not03958576535323.msi\r\nSHA1: F1498E679885389C32FDF5EC39813FE5D4D34F23\r\nSize: 287232 bytes\r\nCreation Time: 2009–12–11 11:47:44\r\nDuring the time of analysis this variant had a very low detection rate in VirusTotal, as can be seen in figure 2:\r\nFigure 2: VirusTotal detection rate\r\nAll MSI files in this campaign have different names, but share unique characteristics:\r\n1. Disguised as “Adobe Acrobat Reader Installer” to look legitimate, as seen in figure 3:\r\nFigure 3: Disguise as Adobe Acrobat Reader\r\n2. Created using the “Advanced Installer” tool, which is imported in all of them, as shown in figure 4.\r\n3. 
Contain a vmdetect.exe [MD5: 55FFEE241709AE96CF64CB0B9A96F0D7] to avoid detection, as shown in\r\nfigure 4:\r\nFigure 4: Embedded aicustact.dll and vmdetect.exe\r\n4. Use the CustomActions table. The CustomAction table enables integration of custom code and data into an\r\ninstallation. The source of the code that is executed can be a stream contained within the database, a recently\r\ninstalled file, or an existing executable file. The attackers abused this feature to add the malicious JavaScript/VBS\r\npayload as shown in figure 5.\r\nFigure 5: Malicious JavaScript payload in CustomActions table\r\nThe JavaScript payload\r\nThe downloader’s JavaScript payload is obfuscated:\r\nFigure 6: Obfuscated MSI payload\r\nAfter deobfuscation:\r\nFigure 7: Deobfuscated MSI payload\r\nThe samples in this campaign communicate with a URL in the following format: https://s3-eu-west-1[.]amazonaws[.]com/{random}/image2[.]png.\r\nThe “{random}” part may change between different MSI downloaders. The image2.png file is actually a zip file\r\nwhich is downloaded and extracted to a target folder. In this variant it is extracted to %APPDATA%\\Macromedia.\r\nNext, the MSI downloader creates in this location a desktop.txt file containing the string “NULL”.\r\nThe purpose of the desktop.txt file is to indicate whether the system is already infected by the malware. If it exists, the\r\nMSI opens Adobe’s website explaining how to install updates and then exits. 
It does so by executing:\r\n“c:\\Windows\\System32\\cmd.exe /C start /MAX https://helpx.adobe[.]com/br/acrobat/kb/install-updates-reader-acrobat.html”\r\nOtherwise, it opens the legal terms of use page on Adobe’s site and continues the payload execution. The following\r\ncommand executes to open the terms of use page:\r\n“c:\\Windows\\System32\\cmd.exe /C start /MAX https://adobe.ly/2RY5GJR”\r\nwhich redirects to “https://www.adobe.com/br/legal/terms.html”.\r\nNote that both URLs contain the Brazilian two-letter country code (br), suggesting the victims’ origin.\r\nThe files are extracted to a newly created folder with a randomized name under the same path, and the zip file is\r\nthen deleted. The “AJWrDz.exe” executable path is written to the registry Run key\r\n“HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” to achieve persistence. As a final step the system is\r\nrestarted to trigger its execution.\r\nTHE AVAST ABUSE\r\nAfter the system restart, the “AJWrDz.exe” file executes. 
Its static characteristics are:\r\nFile Name: AJWrDz.exe (renamed from jesus.exe)\r\nSHA1: 2A1A5D7C85560924EDC434A1D2F23ED3445D86F4\r\nSize: 814296 bytes\r\nCreation Time: 2018–10–08 13:07:15\r\nThis is a legitimate file, AVDump32.exe, digitally signed by “AVAST Software” as shown in figure 8:\r\nFigure 8: AJWrDz.exe VirusTotal details\r\nAvDump32.exe’s legitimate use is to create *.dmp files of Avast processes in case there is an unhandled exception.\r\nWhen Avast is installed legitimately on a system the file is located in its original location: C:\\Program\r\nFiles\\AVAST Software\\Avast.\r\nFigure 9 suggests that this file was submitted to VirusTotal as “jesus.exe”, which is the name of the file in the\r\ndownloaded zip, before it is renamed by the MSI payload:\r\nFigure 9: AvDump32.exe name variations\r\nAvDump32.exe is abused by Metamorfo to side-load the “dbghelp.dll” by leveraging the DLL search order.\r\nNote that this is a common issue which makes it possible to leverage the DLL side-loading attack, often referred\r\nto as DLL Hijacking. 
Figure 10 shows the DLL files imported by this executable:\r\nFigure 10: ADWrDz.exe (AvDump32.exe) imports\r\nYou can find another example of abusing the DLL search order in one of our previous blog posts.\r\nThe side-loaded “dbghelp.dll” is a malicious file written in Delphi and compiled using the Embarcadero Delphi\r\nIDE with the following characteristics:\r\nFile Name: dbghelp.dll\r\nSHA1: 08823578841AEED044EAD81ED6DB16DD95B6FF4B\r\nSize: 5595136 bytes\r\nCreation Time: 2019–04–27 22:17:17\r\nAfter being side-loaded by AvDump32.exe, the DLL’s execution starts with the following steps:\r\n1. Resolves WINAPI functions\r\n2. Hides its GUI using the ShowWindow WINAPI call\r\n3. Checks whether the DLL is being run by wmplayer.exe. More on this later.\r\nNext, the DLL file creates the mutex — [7F4HRE-375E-AEF3-BE9A-OBJT389F53] and writes to\r\nHKCU\\Software\\index (as shown in figure 11) the name of the running process, which is later used to know the\r\nname of the .dmp file that should be loaded. Finally, it injects itself into the Windows Media Player executable —\r\nwmplayer.exe.\r\nFigure 11: Registry artifact\r\nThe process wmplayer.exe is a rather strange victim for injection given that various Windows distributions don’t\r\ncome with Windows Media Player installed by default, so it can only be implied that this software is probably\r\nmore common in the victims’ region, and that the malware probably targets home users.\r\nMetamorfo uses a DLL injection technique with a twist. Instead of getting a handle to the victim process using\r\nOpenProcess, which relies on having a running process, the injection uses CreateProcess with the\r\nCREATE_SUSPENDED flag. Then it creates a remote thread which loads the malicious DLL and executes it. 
The\r\nprocess’ main thread is never resumed and thus only the malware code executes. Figure 12 shows the\r\nCreateProcess call:\r\nFigure 12: The start of the DLL injection\r\nThe injection flow is as follows:\r\nFigure 13: DLL injection flow\r\nINJECTED PAYLOAD\r\nUpon injection, the DLL validates that it runs under the wmplayer.exe process by checking the process name and\r\ngoes on to execute its malicious activity. It creates a second mutex — One-InstanceJes, resolves more WINAPI\r\nfunctions, and checks for the registry “index” key (which was previously written), the execution location and the\r\n“ADWrDz.dmp” file. If this file exists, it decompresses it in memory using RtlDecompressFragment and reflectively\r\nloads it.\r\nNo DEP\r\ndbghelp.dll is incompatible with DEP (Data Execution Prevention), as shown in Figure 14. Thus, when it loads, the\r\noperating system will disable DEP for the injected wmplayer.exe process. This means that code can be executed\r\nfrom memory regions that are not marked as executable in the context of this process.\r\nMetamorfo uses this to execute the reflectively loaded payload from a non-executable region. This makes the\r\npayload harder to detect by memory forensics toolkits and security products, which often look specifically\r\nfor executable memory.\r\nFigure 14: dbghelp.dll is incompatible with NX\r\nLeveraging CreateTimerQueueTimer\r\nOnce “ADWrDz.dmp” is loaded into memory, Metamorfo leverages the CreateTimerQueueTimer WINAPI call to\r\nexecute it (as shown in figure 14).\r\nCreateTimerQueueTimer is a WINAPI function that creates a queue for timers. These timer objects allow a\r\ncallback function to be invoked at a specified time. 
The legitimate purpose of the API is to schedule a timer routine as part of normal process execution, but here\r\nthe callback function passed to the API is the entry point of the malware’s actual payload.\r\nThe use of CreateTimerQueueTimer makes detection harder since the payload will not run in the remote thread\r\ncontext.\r\nThis kind of technique was previously used in malware variants such as Emotet and Hancitor.\r\nFigure 15: CreateTimerQueueTimer exploit\r\nThroughout the “ADWrDz.dmp” execution, it outputs debug comments in Portuguese as shown in figure 16:\r\nFigure 16: Debug output “Tela Azul” in Portuguese, which means “Blue Screen”\r\nEntering the CreateTimerQueueTimer callback, Metamorfo creates another mutex — libea54, and starts checking\r\nfor the existence of directories and files relevant for its execution. Since there are multiple variations of\r\nMetamorfo in this campaign, the attackers used different locations in the file system to drop their files; see the IOCs\r\nsection.\r\nNext, Metamorfo checks for the existence of “mreb.xml” and “mreboot”, as can be seen in figure 17. These\r\nartifacts were not available to us and we couldn’t verify their purpose.\r\nFigure 17: Metamorfo looks for mreb.xml \u0026 mreboot folder\r\nIf they aren’t found, it creates another mutex by the name — [7F4HRE-375E-AEF3-BE9A-OBJT389F53]. Then,\r\nit checks the internet connection by trying to resolve the “goole.com” (misspelled) address. 
If an internet connection is\r\navailable, it sends a GET request to “https://www.localizaip.com[.]br/api/iplocation.php” to retrieve geo data.\r\nMetamorfo’s C\u0026C communication is encrypted using the dropped OpenSSL libraries libeay32.dll and\r\nssleay32.dll.\r\nBased on the gathered data, if the victim is not from Brazil or Portugal it will print the following output, send\r\nthe collected data to the C\u0026C “https://x1-lb12.internal[.]gocache.me”, which resided in Brazil, and finish.\r\nFigure 18: Debug output of the collected data\r\nIf the victim is from Brazil or Portugal, it will start monitoring running applications in the system using a message\r\nloop:\r\nFigure 19: Debugging running application\r\nThe ssleay64.dll payload\r\nIf the malware identifies a file named “mreb.xml” or a folder named “mreboot”, it loads a malicious\r\n“ssleay64.dll”, also written in Delphi and compiled by Borland Delphi, which has the following characteristics:\r\nFile Name: ssleay64.dll\r\nSHA1: F5E63580710E8FA884377A746FC822E5\r\nSize: 1445888 bytes\r\nCreation Time: 2019–04–08 12:15:27\r\nThe DLL holds various resources. Some of them are encrypted and will be used as payloads to steal victims’ data,\r\nwhile others are cursor-related resources.\r\nLike samples from previous campaigns, Metamorfo can display fake forms on targeted banking sites and steal\r\ncredentials from the victims. In previous campaigns Metamorfo used Windows Update to hide its malicious\r\nactivity. Similarly, in this campaign Metamorfo uses a fake “Blue Screen” window. 
It does so after disabling the\r\ntaskbar, as can be seen in Figures 20 and 21:\r\nFigure 20: Disabling Taskbar\r\nFigure 21: “Blue Screen”\r\nEvading Banking Protection \u0026 Anti-Fraud Products\r\nMetamorfo also makes efforts to evade banking protection and anti-fraud products by setting a hook on the\r\nLoadLibraryW function and checking which DLL is being loaded; the trampoline can be seen in Figure 22:\r\nFigure 22: Trampoline based hook in LoadLibraryW\r\nWith the help of this trampoline, for every LoadLibraryW call the attackers check if the name of the DLL to be loaded\r\ncontains one of the following anti-fraud and banking protection strings:\r\nGbpinj\r\nScpbrad\r\nScpad\r\nTrusteer\r\nWarsaw\r\nGblplugin\r\nIpsbho\r\nHook\r\nIf one of them matches, the DLL that the LoadLibraryW call is trying to load is not loaded.\r\nFigure 23 shows a few of the searched strings:\r\nFigure 23: Some of the banking protection and anti-fraud searched strings\r\nIOCS\r\nHashes:\r\nMSI — F1498E679885389C32FDF5EC39813FE5D4D34F23\r\nOther related samples: https://gist.github.com/chenerlich/4e7a22a6263383a4ce3810082a8ac991\r\nAvDump32.exe — 2A1A5D7C85560924EDC434A1D2F23ED3445D86F4\r\nDbghelp.dll — 08823578841AEED044EAD81ED6DB16DD95B6FF4B\r\nOther related samples: https://gist.github.com/chenerlich/0095444e60ae4d04ab75721dec522287\r\nSsleay64.dll 
-\r\nF5E63580710E8FA884377A746FC822E5\r\nC00BF102482C61E4CAB3C6B6666697779092FADC\r\n6242CC3009A96F97AB9586C970DB26EDE5512F9A\r\n03A5BEF2B9DE1DF5C19C9F4D2AEC6F780F4749D0\r\nC15154D7323EA0C7A40912C799599DACCEB4E7CE\r\nURLs:\r\nFiles:\r\n%APPDATA%\\Macromedia\r\n%APPDATA%\\Macromedia\\desktop.txt\r\n%APPDATA%\\TeamViewer\r\n%APPDATA%\\TeamViewer\\desktop.txt\r\n%APPDATA%\\DMCache\r\n%APPDATA%\\DMCache\\desktop.txt\r\n%APPDATA%\\AnyDesk\r\n%APPDATA%\\AnyDesk\\desktop.txt\r\nRegistry:\r\nHKCU\\Software\\index\r\nMutexes:\r\n[7F4HRE-375E-AEF3-BE9A-OBJT389F53]\r\nlibea54\r\nOne-InstanceJes\r\nThanks for reading. Follow me on Twitter for more posts like this one.\r\nSource: https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767"
	],
	"report_names": [
		"the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767"
	],
	"threat_actors": [],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29135676591edaaae51ba9724d6907971e3e40e1.pdf",
		"text": "https://archive.orkl.eu/29135676591edaaae51ba9724d6907971e3e40e1.txt",
		"img": "https://archive.orkl.eu/29135676591edaaae51ba9724d6907971e3e40e1.jpg"
	}
}