{
	"id": "5e1e1578-8145-451f-91ab-77763c09c729",
	"created_at": "2026-04-06T00:12:35.618745Z",
	"updated_at": "2026-04-10T03:19:59.366914Z",
	"deleted_at": null,
	"sha1_hash": "39f8f75c97a6680aca9d4f5dbfcf5552a4729832",
	"title": "Dissecting DEloader malware with obfuscation • Raashid Bhat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 604058,
	"plain_text": "Dissecting DEloader malware with obfuscation • Raashid Bhat\r\nPublished: 2018-09-06 · Archived: 2026-04-05 21:13:43 UTC\r\nDissecting DEloader malware with obfuscation\r\nDEloader is a loader malware which is mostly used to load the Zeus banking trojan. It is a stealthy malware designed to keep the payload hidden and encrypted in memory. The payload is dynamically retrieved from a remote HTTPS server. So far there have been 3 versions of DEloader captured in the wild: version 0x10E0700, 0x1050500h and 0x1120300h. More recently, in version 0x1120300h, code obfuscation was added.\r\nThe main loader file is a DLL with an export named ‘start’ or ‘begin’. These exports are called by the packer. Because this DLL is a memory-loaded image, import resolution and image relocation are performed by the code in these exports.\r\nEarlier versions included a shared file mapping as a marker of infection. The shared file mapping would contain the information necessary for DEloader to run.\r\nIf the mapping is found, the data from the map is fed to a decoding algorithm which is based on RC4 and decodes using a fixed state buffer. This algorithm is later used to decode the buffer downloaded from the C2.\r\nThe buffer can either be downloaded from the C2, or the previously saved one is extracted from the registry; it is later decoded using an embedded RC4 state buffer.\r\nThe C2s are present in an embedded structure known as baseconfig, which consists of the configuration and the C2 addresses necessary for the loader to operate. In both versions the static config is in an encoded state. It can have a single C2 or multiple C2s, each of them separated by a semi-colon ‘;’.\r\nIn earlier versions the C2 URL pointed to an encoded resource on a remote HTTPS server, which was downloaded using a GET HTTP/HTTPS request. However, in the latest version it includes a URL to which encoded system-internal data is POSTed, and in return an encoded data buffer is returned.\r\nThis data is encoded with the same RC4 state buffer extracted from the static config embedded in the binary. Depending upon an internal flag it could be compressed as well. The compression algorithm used is unrv2b, which happens to be the same one used in traditional Zeus malware. Also, the integrity of the data is checked against a CRC32 hash DWORD present at the end of the data packet.\r\nThe raw response can be represented as:\r\nstruct RawResponse\r\n{\r\n    BYTE Data[len - 4];\r\n    DWORD CRC32Data;\r\n};\r\nWhen the compression flag is set, Data is laid out as:\r\nstruct\r\n{\r\n    __int64 DecompressionLength;\r\n    BYTE CompressedData[];\r\n};\r\nAfter decompression, the data packet is arranged in a structure which consists of:\r\nstruct InternalC2Parsed\r\n{\r\n    unsigned int PlaceHolder = 0x1000000;\r\n    unsigned int Version; // 4\r\n    void *PEBuffer_32bit;\r\n    unsigned int PEBuffer_32bit_len;\r\n    void *PEBuffer_64bit;\r\n    unsigned int PEBuffer_64bit_len;\r\n    void *C2StructDecompressed;\r\n    int C2StructDecompressed_len;\r\n};\r\nDepending upon the type of system, the matching payload (32-bit or 64-bit) is injected into process memory. If the system happens to be 64-bit, the well-known “heaven's gate” technique is used to inject into a 64-bit process from the 32-bit running process.\r\nThe following Python script demonstrates the decoding step (decompression is handled by the C routine further below):\r\n#!/usr/bin/env python3\r\nimport array\r\n\r\ndef PRGA(S):\r\n    # RC4 pseudo-random generation algorithm, started from an already\r\n    # initialised 256-byte state (no key scheduling is needed because the\r\n    # malware embeds the state buffer itself)\r\n    i = 0\r\n    j = 0\r\n    while True:\r\n        i = (i + 1) % 256\r\n        j = (j + S[i]) % 256\r\n        S[i], S[j] = S[j], S[i]  # swap\r\n        K = S[(S[i] + S[j]) % 256]\r\n        yield K\r\n\r\nif __name__ == '__main__':\r\n    # encoded buffer as received from the C2 (or recovered from the registry)\r\n    ciphertext = open(\"Bindata\", \"rb\").read()\r\n    # fixed RC4 state buffer extracted from the embedded static config\r\n    state = [\r\n        0xD7, 0x81, 0x83, 0xA6, 0x59, 0x4B, 0x88, 0x32, 0xFB, 0x8D, 0x7A, 0x64, 0x08, 0x9F, 0x6D, 0x01,\r\n        0x2C, 0xD8, 0x50, 0xCE, 0xA3, 0x4A, 0xF9, 0x21, 0x40, 0x91, 0xE4, 0x28, 0x22, 0xAA, 0x41, 0x0D,\r\n        0x68, 0x44, 0xA7, 0xB8, 0xA5, 0xFE, 0x3A, 0x2F, 0x7C, 0xDA, 0x37, 0x94, 0x46, 0x92, 0x86, 0x0A,\r\n        0x25, 0xEA, 0x45, 0xB1, 0xAE, 0x7B, 0xE2, 0x3F, 0xBC, 0x7D, 0x84, 0x9A, 0xE5, 0x77, 0x0F, 0xA2,\r\n        0xDD, 0x1A, 0x5F, 0xFA, 0x78, 0x67, 0x12, 0x02, 0x03, 0x3B, 0x65, 0x62, 0xF5, 0xBE, 0x8C, 0x27,\r\n        0x9D, 0x69, 0xA8, 0x56, 0x5E, 0xE6, 0x61, 0xFF, 0x72, 0x5C, 0x19, 0xD6, 0xD4, 0x6A, 0x52, 0xD2,\r\n        0xDC, 0x55, 0xDF, 0x70, 0x18, 0x0C, 0xEE, 0x87, 0x95, 0x07, 0xA1, 0x05, 0xA4, 0x5D, 0xE1, 0x06,\r\n        0xB0, 0xC0, 0x29, 0x80, 0x53, 0xE7, 0xE3, 0x93, 0x16, 0xF2, 0x1B, 0x96, 0xDB, 0x90, 0xAC, 0xF6,\r\n        0x7E, 0x6F, 0xF1, 0x6C, 0xB6, 0xF4, 0x63, 0xB3, 0x8A, 0xC3, 0xFC, 0x8F, 0x1F, 0x3D, 0x9C, 0x2B,\r\n        0xB9, 0xCB, 0x35, 0x2D, 0xA0, 0xC6, 0x74, 0xFD, 0xBF, 0x23, 0xEB, 0xB5, 0x89, 0x82, 0x30, 0xBB,\r\n        0x0B, 0x76, 0x17, 0x4F, 0x4E, 0x1E, 0xD9, 0x58, 0x13, 0x6B, 0x26, 0x9E, 0xD0, 0xE0, 0x48, 0xF0,\r\n        0x6E, 0xB4, 0x0E, 0xC4, 0xEC, 0x00, 0xD1, 0xCF, 0xC8, 0x7F, 0x20, 0x38, 0x79, 0xCD, 0x49, 0xC7,\r\n        0x47, 0xED, 0x31, 0xCA, 0xC1, 0x39, 0xC9, 0x98, 0x1D, 0x33, 0x5A, 0x3E, 0x51, 0x4C, 0x8B, 0x24,\r\n        0xB2, 0xB7, 0x4D, 0xE8, 0x54, 0xEF, 0x9B, 0xC5, 0x09, 0xF7, 0x2A, 0x3C, 0xBD, 0x36, 0x71, 0x2E,\r\n        0x15, 0xF3, 0xA9, 0x60, 0x10, 0xAF, 0xC2, 0x73, 0x97, 0x34, 0x66, 0x99, 0x8E, 0xDE, 0xAD, 0xAB,\r\n        0xBA, 0xF8, 0x11, 0xD5, 0x75, 0x43, 0x57, 0x04, 0xCC, 0xE9, 0x42, 0x85, 0x14, 0x1C, 0x5B, 0xD3\r\n    ]\r\n    keystream = PRGA(array.array(\"B\", state))\r\n    finBuf = array.array(\"B\")\r\n    # XOR every ciphertext byte with the next keystream byte\r\n    for c in ciphertext:\r\n        finBuf.append(c ^ next(keystream))\r\n    open(\"FinalData.bin\", \"wb\").write(finBuf.tobytes())\r\nand to finally decompress the data we can use ctypes to call the following subroutine, taken from https://github.com/wt/coreboot/blob/master/payloads/bayou/nrv2b.c and compiled into a shared library (the function is left non-static so that it is exported):\r\n#include <stdint.h>\r\n#ifndef ENDIAN\r\n#define ENDIAN 0\r\n#endif\r\n#ifndef BITSIZE\r\n#define BITSIZE 32\r\n#endif\r\n#define GETBIT_8(bb, src, ilen) \\\r\n    (((bb = bb & 0x7f ? bb*2 : ((unsigned)src[ilen++]*2+1)) >> 8) & 1)\r\n#define GETBIT_LE16(bb, src, ilen) \\\r\n    (bb*=2,bb&0xffff ? (bb>>16)&1 : (ilen+=2,((bb=(src[ilen-2]+src[ilen-1]*256)*2+1)>>16)&1))\r\n#define GETBIT_LE32(bb, src, ilen) \\\r\n    (bc > 0 ? ((bb>>--bc)&1) : (bc=31,\\\r\n    bb=*(const uint32_t *)((src)+ilen),ilen+=4,(bb>>31)&1))\r\n#if ENDIAN == 0 && BITSIZE == 8\r\n#define GETBIT(bb, src, ilen) GETBIT_8(bb, src, ilen)\r\n#endif\r\n#if ENDIAN == 0 && BITSIZE == 16\r\n#define GETBIT(bb, src, ilen) GETBIT_LE16(bb, src, ilen)\r\n#endif\r\n#if ENDIAN == 0 && BITSIZE == 32\r\n#define GETBIT(bb, src, ilen) GETBIT_LE32(bb, src, ilen)\r\n#endif\r\n/* NRV2B decompressor: src is the compressed buffer (with its 4-byte length\r\n   header), dst must be large enough for the decompressed output; returns the\r\n   decompressed length and stores the number of consumed input bytes in *ilen_p */\r\nunsigned long unrv2b(uint8_t * src, uint8_t * dst, unsigned long *ilen_p)\r\n{\r\n    unsigned long ilen = 0, olen = 0, last_m_off = 1;\r\n    uint32_t bb = 0;\r\n    unsigned bc = 0;\r\n    const uint8_t *m_pos;\r\n    // skip length\r\n    src += 4;\r\n    /* FIXME: check olen with the length stored in first 4 bytes */\r\n    for (;;) {\r\n        unsigned int m_off, m_len;\r\n        // literal run: copy bytes while the flag bit is set\r\n        while (GETBIT(bb, src, ilen)) {\r\n            dst[olen++] = src[ilen++];\r\n        }\r\n        // match offset, gamma-coded\r\n        m_off = 1;\r\n        do {\r\n            m_off = m_off * 2 + GETBIT(bb, src, ilen);\r\n        } while (!GETBIT(bb, src, ilen));\r\n        if (m_off == 2) {\r\n            m_off = last_m_off;\r\n        } else {\r\n            m_off = (m_off - 3) * 256 + src[ilen++];\r\n            if (m_off == 0xffffffffU)\r\n                break;   // end-of-stream marker\r\n            last_m_off = ++m_off;\r\n        }\r\n        // match length\r\n        m_len = GETBIT(bb, src, ilen);\r\n        m_len = m_len * 2 + GETBIT(bb, src, ilen);\r\n        if (m_len == 0) {\r\n            m_len++;\r\n            do {\r\n                m_len = m_len * 2 + GETBIT(bb, src, ilen);\r\n            } while (!GETBIT(bb, src, ilen));\r\n            m_len += 2;\r\n        }\r\n        m_len += (m_off > 0xd00);\r\n        // copy the match from already-decompressed output (may overlap)\r\n        m_pos = dst + olen - m_off;\r\n        dst[olen++] = *m_pos++;\r\n        do {\r\n            dst[olen++] = *m_pos++;\r\n        } while (--m_len > 0);\r\n    }\r\n    *ilen_p = ilen;\r\n    return olen;\r\n}\r\nFinally, after decoding and decompression, a valid PE file is obtained, with a file size of 1.05MB.\r\nSource code level obfuscation\r\nIn the more recent version 0x1120300h, source code level obfuscation was added. This type of obfuscation is known as opaque predicates, and it makes the process of reverse engineering a bit more difficult. The basic idea behind this technique is to include calculation-based comparison instructions which end with a conditional jump; these are not part of the original code, but they are part of the code path.\r\nIn the images below a comparison is shown between the CRC32() function in version 0x1120300h and an earlier version 0x1050500h, which demonstrates the multiple junk instructions and paths added with the inclusion of opaque predicates.\r\nThis also happens to be quite evident in the entropy comparison of the binary as a whole.\r\nEven the downloaded payload, which happens to be a version of the traditional Zeus banking malware, is also obfuscated. In its unpacked form it is generally detected by most antivirus scans, but due to the code level obfuscation it is marked clean by most of the major antivirus engines.\r\nConclusion:\r\nDEloader is still under heavy development and has consistently evolved over the past few years. With the addition of a hard obfuscation technique it is quite clear that the authors of DEloader want to make analysis hard, and it apparently lets the malware slip past antivirus filters. The use of encryption and compression makes the data sent to and from the command and control server cryptic and hard to detect using a pattern. The payload which is mostly being delivered is financial malware, designed to steal banking credentials, which makes it clear that the authors are inclined towards monetisation of infected machines.\r\nSource: https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware"
	],
	"report_names": [
		"dissecting-obfuscated-deloader-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434355,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39f8f75c97a6680aca9d4f5dbfcf5552a4729832.pdf",
		"text": "https://archive.orkl.eu/39f8f75c97a6680aca9d4f5dbfcf5552a4729832.txt",
		"img": "https://archive.orkl.eu/39f8f75c97a6680aca9d4f5dbfcf5552a4729832.jpg"
	}
}