{
	"id": "4c110c6f-a991-4a61-b02d-0b7a4c830cdb",
	"created_at": "2026-04-06T00:11:04.186395Z",
	"updated_at": "2026-04-10T13:12:14.164018Z",
	"deleted_at": null,
	"sha1_hash": "46ac65e7ae29c59f5b976bf19433cfe9a69ee6b3",
	"title": "New modular downloaders fingerprint systems, prepare for more - Part 1: Marap | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1003835,
	"plain_text": "New modular downloaders fingerprint systems, prepare for more -\r\nPart 1: Marap | Proofpoint US\r\nBy Proofpoint Staff, August 16, 2018\r\nPublished: 2018-08-16 · Archived: 2026-04-05 15:36:55 UTC\r\nOverview\r\nProofpoint researchers recently discovered a new downloader malware in a fairly large campaign (millions of\r\nmessages) primarily targeting financial institutions. The malware, dubbed “Marap” (“param” backwards), is notable\r\nfor its focused functionality that includes the ability to download other modules and payloads. The modular nature\r\nallows actors to add new capabilities as they become available or download additional modules post infection. To\r\ndate, we have observed it download a system fingerprinting module that performs simple reconnaissance.\r\nCampaign Analysis\r\nOn August 10, 2018, we observed several large email campaigns (millions of messages) leading to the same\r\n“Marap” malware payload in our testing. They shared many features with previous campaigns attributed to the\r\nTA505 actor [1]. 
The emails contained various attachment types:\r\nMicrosoft Excel Web Query (“.iqy”) files\r\nPassword-protected ZIP archives containing “.iqy” files\r\nPDF documents with embedded “.iqy” files\r\nMicrosoft Word documents containing macros\r\nThe campaigns are outlined below:\r\n“sales” “.iqy” attachment campaign: Messages purporting to be from '\"sales\" \u003c[random address]\u003e' with the subject\r\n\"REQUEST [REF:ABCDXYZ]\" (random letters) and attachment \"REP_10.08.iqy\" (campaign’s date)\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap\r\nPage 1 of 12\n\nFigure 1: “Sales” example email message with “.iqy” attachment\r\n“Major bank” “.iqy” attachment campaign: Messages purporting to be from '\"[recipient name]\"\r\n\u003crandom_name@[major bank].com\u003e' with subject \"IMPORTANT Documents - [Major Bank]\" and attachment\r\n\"Request 1234_10082018.iqy\" (random digits, campaign's date); note that this campaign abuses the brand and name\r\nof a major US bank and has been obscured throughout the example.\r\nFigure 2: “Major bank” sample message with “.iqy” attachment; bank branding obscured\r\nPDF attachment campaign: Messages purporting to be from '\"Joan Doe\" \u003cnetadmin@[random domain]\u003e' (random\r\ndisplay name) with subject \"DOC_1234567890_10082018\" (random digits, campaign’s date; also \"PDF\",\r\n\"PDFFILE\", \"SCN\") and matching attachment \"DOC_1234567890_10082018.pdf\" (with embedded .iqy file)\r\nFigure 3: Message sample with PDF attachment with embedded .iqy file\r\nPassword-protected ZIP campaign: Messages purporting to be from '\"John\" \u003cJohn@[random company]\u003e' (random\r\nname) 
with subject \"Emailing: PIC12345\" (random digits) and matching attachment \"PIC12345.zip\"\r\nFigure 4: Message sample with password-protected zip attachment that contains a .iqy file\r\nMicrosoft Word attachment campaign: Messages purporting to be from '\"Joan\" \u003cJoan@[random domain]\u003e' (random\r\nname) with subject \"Invoice for 12345.10/08/2018\" (random digits, today's date) with matching attachment\r\n\"Invoice_ 12345.10_08_2018.doc\"\r\nFigure 5: Message sample with Microsoft Word attachment (incorrectly described as “PDF format” in the message\r\nbody) with malicious macros\r\nMalware Analysis\r\nAs noted, Marap is a new downloader, named after its command and control (C\u0026C) phone home parameter “param”\r\nspelled backwards. The malware is written in C and contains a few notable anti-analysis features.\r\nAnti-Analysis Features\r\nMost of the Windows API function calls are resolved at runtime using a hashing algorithm. API hashing is common\r\nin malware to prevent analysts and automated tools from easily determining the code’s purpose. This algorithm\r\nappears to be custom to Marap. Our implementation of the hashing algorithm in Python is available on Github [3]. It\r\nis likely that the XOR keys used in our code will be different in other samples.\r\nThe second anti-analysis technique is the use of timing checks at the beginning of important functions (Figure 6).\r\nThese checks can hinder debugging and sandboxing of the malware. 
If the calculated sleep time is too short, the\r\nmalware exits.\r\nFigure 6: Anti-analysis timing checks\r\nMost of the strings in the malware are obfuscated using one of three methods:\r\n1. Created on the stack (stack strings)\r\n2. Basic XOR encoding (0xCE was the key used in the analyzed sample, but it is likely this will change from\r\nsample to sample)\r\n3. A slightly more involved XOR-based encoding (An IDA Pro script implementing the decryption is available\r\non Github [4])\r\nThe last anti-analysis check compares the system’s MAC address to a list of virtual machine vendors. If a virtual\r\nmachine is detected and a configuration flag is set, the malware may exit.\r\nConfiguration\r\nMarap’s configuration is stored in an encrypted format in the malware binary and/or in a file named “Sign.bin” in\r\nthe malware’s working directory (e.g., C:\\Users\\[username]\\AppData\\Roaming\\Intel\\Sign.bin). It is DES-encrypted\r\nin CBC mode using an IV of “\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00”. The key is generated using the following\r\nprocess:\r\n164 bytes of data are generated using a linear congruential generator (LCG) and two hardcoded seeds (it is\r\nlikely the seeds are different in other samples). 
An implementation of the LCG in Python is available on\r\nGithub [5].\r\nThe data is hashed with SHA1\r\nAn 8-byte DES key is created using CryptDeriveKey and the hash\r\nAn example decrypted configuration looks like:\r\n15|1|hxxp://185.68.93[.]18/dot.php|hxxp://94.103.81[.]71/dot.php|hxxp://89.223.92[.]202/dot.php\r\nIt is pipe-delimited and contains configuration parameters for:\r\nSleep timeout between C\u0026C communications\r\nFlag indicating whether the malware should exit if it detects that it is running on a virtual machine\r\nUp to three C\u0026C URLs\r\nCommand and Control\r\nMarap uses HTTP for its C\u0026C communication but first it tries a number of legitimate WinHTTP functions to\r\ndetermine whether it needs to use a proxy and if so what proxy to use. An example C\u0026C beacon is shown in Figure\r\n7 below.\r\nFigure 7: Example C\u0026C beacon\r\nThe request contains one parameter -- “param” -- and its data is encrypted using the same method as used for the\r\nconfiguration, with the addition of base64 encoding. 
An example of the plaintext request looks like:\r\n62061c6bcdec4fba|0|0\r\nIt is pipe-delimited and contains the following:\r\nBot ID (generated by hashing the hostname, username, and MAC address with the same hashing algorithm\r\nused with API function hashing described above)\r\nHardcoded to “0”\r\nHardcoded to “0”\r\nThe response is encrypted similarly and an example decrypted response looks like:\r\n319\u00261\u00260\u0026hxxp://89.223.92[.]202/mo.enc\r\nIt is “\u0026”-delimited and contains the following:\r\nCommand ID\r\nCommand\r\nFlag controlling response type\r\nCommand arguments (there can be two arguments separated by a “#”)\r\nIdentified commands:\r\n0: Sleep and beacon again\r\n1: Download URL, DES decrypt, and manually load the MZ file (allocate a buffer, copy the PE header and\r\nsections, reallocate, and resolve the import table). This command can pass back data from the downloaded\r\nmodule to the C\u0026C\r\n2: Update configuration and write a DES-encrypted version to the file “Sign.bin”\r\n3: Download URL, DES decrypt, save the MZ file to “%TEMP%/evt”, and execute with a command line\r\nargument\r\n4: Download URL, DES decrypt, create/hollow out a process (same executable as malware), and inject the\r\ndownloaded MZ file\r\n5: Download URL, DES decrypt, save the MZ file as “%TEMP%/zvt”, and load it with the LoadLibrary API\r\n6: Download URL, DES decrypt, and manually load the MZ file\r\n7: Remove self and exit\r\n8: Update self\r\nAfter command execution a response message can be sent back to the C\u0026C. 
It is pipe-delimited and contains the\r\nfollowing:\r\nBot ID\r\nHardcoded “1”\r\nCommand ID\r\nCommand\r\nFlag controlling response type\r\nCommand return value\r\nCommand status code (various error codes)\r\nResponse data\r\nEither a simple status message\r\nOr verbose “#” delimited data from modules\r\nSystem Fingerprinting Module\r\nAt the time of publication, we have only seen a system fingerprinting module being sent from a C\u0026C server. It was\r\ndownloaded from “hxxp://89.223.92[.]202/mo.enc” and contained an internal name of “mod_Init.dll”. The module\r\nis a DLL written in C and gathers and sends the following system information to the C\u0026C server:\r\nUsername\r\nDomain name\r\nHostname\r\nIP address\r\nLanguage\r\nCountry\r\nWindows version\r\nList of Microsoft Outlook .ost files\r\nAnti-virus software detected\r\nConclusion\r\nAs defenses become more adept at catching commodity malware, threat actors and malware authors continue to\r\nexplore new approaches to increase effectiveness and decrease the footprint and inherent “noisiness” of the malware\r\nthey distribute. We have observed ransomware distribution drop dramatically this year while banking Trojans,\r\ndownloaders, and other malware have moved to fill the void, increasing opportunities for threat actors to establish\r\npersistence on devices and networks. 
This new downloader, along with another similar but unrelated malware that\r\nwe will detail next week, point to a growing trend of small, versatile malware that give actors flexibility to launch\r\nfuture attacks and identify systems of interest that may lend themselves to more significant compromise.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times\r\n[2] https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat\r\n[3] https://github.com/tildedennis/malware/blob/master/marap/func_hashes.py\r\n[4] https://github.com/tildedennis/malware/blob/master/marap/str_decrypt3.py\r\n[5] https://github.com/tildedennis/malware/blob/master/marap/lcg.py\r\nIndicators of Compromise (IOCs)\r\nIOC | Type | Description\r\nbea0276c51bd6dbccb64110a8655fd623cbb9ebf6e0105c57f62e53e209361b6 | SHA256 | “REP_10.08.iqy” attachment\r\n1c6661cc19d071df75ef94c58829f223b8634c00a03d1dadcde222c25475fa05 | SHA256 | “Request [random digits]_10082018.iqy” attachment\r\n2c5729e17b64cd4e905ccfeabbc913ed945e17625c35ec1d6932194aae83d7c6 | SHA256 | PDF attachment\r\n8a03144025cd2804a714cd4e3833c341b02edf0c745c810c88efd053cc813233 | SHA256 | Password-protected ZIP attachment\r\nhxxp://i86h[.]com/data1.dat | URL | Remote Excel cell content\r\nhxxp://i86h[.]com/data2.dat | URL | Intermediate Powershell script\r\nhxxp://i86h[.]com/data3.dat | URL | Payload\r\nhxxp://r53x[.]com/1.rar | URL | Remote Excel cell content\r\nhxxp://r53x[.]com/1.zip | URL | Intermediate Powershell script\r\nhxxp://r53x[.]com/a3.dat | URL | Payload\r\nbc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5 | SHA256 | Marap\r\nhxxp://185.68.93[.]18/dot.php | URL | Marap C\u0026C\r\nhxxp://94.103.81[.]71/dot.php | URL | Marap C\u0026C\r\nhxxp://89.223.92[.]202/dot.php | URL | Marap C\u0026C\r\nSign.bin | File | Marap’s encrypted configuration file\r\nhxxp://89.223.92[.]202/mo.enc | URL | Encrypted Marap system fingerprinting module download URL\r\na6a31f6b6ac73131a792daa255df88d71ba8c467abfa2a5580221a694c96c2cc | SHA256 | Encrypted Marap system fingerprinting module\r\n1b9f592fcf8b0f1349db7f49f3061396f21d38728eb0d84e1c90ad39e5ddb3ab | SHA256 | Marap system fingerprinting module DLL\r\nET and ETPRO Suricata/Snort Signatures\r\n2832142 || ETPRO TROJAN Win32/Marap CnC Beacon\r\n2832143 || ETPRO TROJAN Win32/Marap CnC Beacon Response\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap"
	],
	"report_names": [
		"new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434264,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46ac65e7ae29c59f5b976bf19433cfe9a69ee6b3.pdf",
		"text": "https://archive.orkl.eu/46ac65e7ae29c59f5b976bf19433cfe9a69ee6b3.txt",
		"img": "https://archive.orkl.eu/46ac65e7ae29c59f5b976bf19433cfe9a69ee6b3.jpg"
	}
}