{
	"id": "05f0aad3-b1aa-4cd9-a0fd-5fd17fd01d3b",
	"created_at": "2026-04-06T00:21:00.962959Z",
	"updated_at": "2026-04-10T13:11:20.465449Z",
	"deleted_at": null,
	"sha1_hash": "3770824fad66a3c0254661f0e17ca27b301dafdb",
	"title": "Reverse Engineering Redosdru String Decryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2744115,
	"plain_text": "Reverse Engineering Redosdru String Decryption\r\nBy Andrew Petrus\r\nPublished: 2024-06-17 · Archived: 2026-04-05 13:40:07 UTC\r\nRedosdru is malware that functions primarily as a downloader and is commonly associated with APT27/Iron Tiger.\r\nReported by Microsoft as early as July 2009.\r\nSurprisingly, for its age, I couldn’t find much information about it, which made dissecting it even more appealing.\r\nI wanted to share the decryption process of the C2 URL, which I found quite interesting.\r\nhttps://medium.com/@andrew.petrus/reverse-engineering-redosdru-string-decryption-595599087dbb\r\nPage 1 of 8\r\nLow number of submissions on Malware Bazaar considering its age\r\nFinding the C2 URL\r\nThe majority of strings in this binary are either encrypted or refer to APIs/libraries.\r\nEncrypted strings\r\nAfter loading the binary into IDA, I came across an intriguing string in Main that was passed to another function.\r\nWithin sub_40287F, the encrypted string is passed to strlen and then to sub_401CBC, which serves as the main decryption function.\r\nDelving into sub_401CBC, I’ve labeled some variables for easier understanding. We have an XOR key of 0x59 and a subtraction key of 0x86.\r\nA couple of other points are worth mentioning:\r\nFirstly, there is function sub_401917, which I’ve identified as a kind of preamble decryption function. 
It takes the encrypted string through the initial stage of decryption, returning it in a ready-to-XOR state for subsequent processing in the decryption loop.\r\nsub_401CBC (main decryption function) part 1\r\nSince sub_401917 is quite complex, explaining it fully would require a dedicated blog post. Therefore, I’ll simplify it as much as possible.\r\nIn the main loop of sub_401917, the function handles encrypted_string in 4-byte parts. It uses another function, sub_401B13, to decode each byte, using bitwise operations to rebuild the original data.\r\nHere are the two main functions that make up sub_401917.\r\nEncrypted string before the preamble decryption function (sub_401917)\r\nEncrypted string after the preamble decryption function (sub_401917)\r\nSecondly, I’ve identified a loop as the main decryption loop, which decrypts the string byte by byte. 
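As an added example (not code from the post, and not the malware's own code), the following Python reproduces only the second, per-byte stage of sub_401CBC: subtract the 0x86 key, then XOR with 0x59, for as many bytes as the loop bound of 0x23 allows. The output of the preamble function sub_401917 is treated as the input; that stage is not reproduced. The one value taken from the post is the observed first byte 0xB7, which has to decode to 'h'. The 35-byte URL in the block is a constructed, hypothetical value for the round trip and is not the sample's real C2 URL; the inverse routine exists only so that a vector can be built offline.

```python
# Added example (not from the post): stage 2 of sub_401CBC, the per-byte
# subtract-then-XOR loop, plus its inverse to build a test vector offline.
# The preamble stage (sub_401917) is not reproduced; its output is the input.
SUB_KEY = 0x86   # subtraction key labelled in sub_401CBC
XOR_KEY = 0x59   # XOR key labelled in sub_401CBC
URL_LEN = 0x23   # loop exit compare at 0x401CF9 (35 decimal)


def decrypt_byte(b: int) -> int:
    # Order matters: the loop subtracts first and XORs second.
    # The mask reproduces the 8-bit wraparound of the sub instruction.
    return ((b - SUB_KEY) & 0xFF) ^ XOR_KEY


def encrypt_byte(b: int) -> int:
    # Inverse of decrypt_byte: XOR first, then add. Used only to build
    # a constructed vector; the real sample arrives already encoded.
    return ((b ^ XOR_KEY) + SUB_KEY) & 0xFF


def decrypt_stage2(data: bytes, length: int = URL_LEN) -> bytes:
    # Stop after length bytes, mirroring the compare against 0x23 rather
    # than scanning for a NUL; anything past the bound is ignored.
    return bytes(decrypt_byte(b) for b in data[:length])


def encrypt_stage2(plain: bytes) -> bytes:
    return bytes(encrypt_byte(b) for b in plain)


def worked_first_byte() -> dict:
    # The one value taken from the post: the first byte after the preamble
    # stage is 0xB7. 0xB7 - 0x86 = 0x31, and 0x31 ^ 0x59 = 0x68, which is h.
    after_sub = (0xB7 - SUB_KEY) & 0xFF
    after_xor = after_sub ^ XOR_KEY
    return {'after_sub': after_sub, 'after_xor': after_xor, 'char': chr(after_xor)}


# Constructed 35-byte URL for the round trip; hypothetical, not the real C2.
SAMPLE_URL = b'http://example.invalid/files/ab.dll'
SAMPLE_ENCODED = encrypt_stage2(SAMPLE_URL)


def demo() -> bytes:
    # Decode the constructed vector with the loop bound applied.
    return decrypt_stage2(SAMPLE_ENCODED)


if __name__ == '__main__':
    print(worked_first_byte())
    print(SAMPLE_ENCODED.hex())
    print(demo())
```

Run it directly to print the worked first byte, the constructed encoded vector and its decoding. Because the constructed URL also starts with h, its first encoded byte comes out as 0xB7, the same value seen in the debugger; replacing SAMPLE_ENCODED with the 35 bytes dumped after sub_401917 returns would recover the URL from the real sample without stepping through the loop.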
To summarize this decryption process, the loop takes each byte of the string returned by sub_401917 in turn, subtracts the subtraction key (0x86) from it, and then XORs the result with the XOR key (0x59).\r\nsub_401CBC (main decryption function) part 2\r\nWe can observe the subtraction instruction in our debugger.\r\nSubtracting 0x86 (subtraction key) from 0xB7 (first byte) = 0x31\r\nHere, for instance, 0x31 XOR’d with 0x59 decrypts the first byte to ‘h’ (as shown in the hex/ASCII dump below).\r\nXOR 0x31 (from the last operation) with 0x59 (XOR key) = 0x68 (‘h’)\r\nThe decryption function compares the current length of the decrypted string with 0x23 (at 0x401CF9), which is 35 in decimal, so the loop is bounded by that fixed length rather than by a terminator.\r\nWhen the comparison succeeds, the loop ends, revealing our final C2 URL.\r\nDecrypted C2 URL, which appears to download a malicious DLL file\r\nOh yeah!\r\nHash, dynamic analysis, and samples\r\nSHA256: 506c946ecc0877b13de8fb977de24a7b9e14054d44ca547e518084c914334a6b\r\nDynamic analysis: https://www.vmray.com/analyses/_vt/506c946ecc08/report/network.html\r\nSamples: https://bazaar.abuse.ch/browse.php?search=tag%3Aredosdru\r\nThanks for tuning in\r\nSo, that wraps up our dive into this decryption method used by Redosdru. Writing this post has been really fun, and I hope you learned something new.\r\nUntil next time, stay safe out there!\r\nSource: https://medium.com/@andrew.petrus/reverse-engineering-redosdru-string-decryption-595599087dbb",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@andrew.petrus/reverse-engineering-redosdru-string-decryption-595599087dbb"
	],
	"report_names": [
		"reverse-engineering-redosdru-string-decryption-595599087dbb"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3770824fad66a3c0254661f0e17ca27b301dafdb.pdf",
		"text": "https://archive.orkl.eu/3770824fad66a3c0254661f0e17ca27b301dafdb.txt",
		"img": "https://archive.orkl.eu/3770824fad66a3c0254661f0e17ca27b301dafdb.jpg"
	}
}