{
	"id": "b5aee6b3-a8e5-4684-a69d-c767bd68dc15",
	"created_at": "2026-04-06T00:21:50.398656Z",
	"updated_at": "2026-04-10T13:11:35.265061Z",
	"deleted_at": null,
	"sha1_hash": "4b845c21ea6941d61421666b3e8523e0b5a7d6b7",
	"title": "FlowCloud Version 4.1.3 Malware Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1612355,
	"plain_text": "FlowCloud Version 4.1.3 Malware Analysis | Proofpoint US\r\nBy June 10, 2020 Dennis Schwarz\r\nPublished: 2020-06-10 · Archived: 2026-04-05 14:27:07 UTC\r\nProofpoint researchers are continuing to track the threat actor TA410’s use of FlowCloud, a remote access trojan\r\n(RAT). Below is a new in-depth analysis of another version of the FlowCloud RAT, version 4.1.3. While we do\r\nnot have many campaign details or targeting information on this particular sample, this is another version of\r\nFlowCloud in the wild. Earlier this week we provided an analysis of version 5.0.1, which was used during the\r\ntargeting of critical U.S. utility providers last year.\r\nIt is currently unclear which of the versions is the “newer one” or if there are distinct variants of FlowCloud being\r\nused for different purposes. The version we previously detailed had an older compilation date (December 15, 2018\r\n– it is unclear whether the date is forged), but a newer internal version (5.0.1) than the sample discussed here.\r\nOne major difference between the two is that version 5.0.1 is written in C++ using extensive object-oriented\r\nprograming, Boost library, and a C++ implementation of Protocol buffers—version 4.1.3 was written in C without\r\nany object-oriented techniques and used a C implementation of Protocol buffers. Version 5.0.1 also makes use of\r\nSHA512, a modified (or broken) AES, and TEA algorithms instead of the MD5 and RC4 as described below. In\r\ngeneral, version 5.0.1 was a larger and more difficult malware to reverse engineer. \r\nFlowCloud has typical RAT functionality such as access to the filesystem, processes, and services, screenshots,\r\nkeylogging, command shell, and added functionality via plugins. It also includes port mapping and Nmap port\r\nscanning to help facilitate lateral movement. 
Although the additional functionality was not implemented in the\r\nanalyzed sample below, there are indicators in the code and configuration data that suggest support for audio\r\nrecording, clipboard stealing, and exfiltrating files based on specific search criteria such as file type and name\r\npattern. These might be implemented via FlowCloud’s plugin mechanism or may be present in other versions of\r\nthe malware.\r\nIn this blog post we will analyze the following FlowCloud sample:\r\nSHA256 b75e1391fcb558e42cc05399fa716829114323e1d01aa284445955548302d71f\r\nPer its metadata, it is version 4.1.3 and was compiled on March 21, 2019 (it is unclear whether the date is forged).\r\nIt was recently uploaded to VirusTotal on May 12, 2020 by a submitter from Taiwan. At the time of research, the\r\ncommand and control (C\u0026C) server (114.55.109[.]199) was still active.\r\nNaming \r\nThe name “FlowCloud” comes from a debugging string left in one of the earlier samples we found: \r\ng:\\FlowCloud\\trunk\\Dev\\src\\fcClient\\Release\\fcClientDll.pdb \r\nhttps://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis\r\nPage 1 of 13\n\nThe name was also used in the configuration data of the sample analyzed for this blog post as the\r\n“product_name”: \r\n1 (product_name): \"flowcloud\" \r\n2 (product_version): \"v4.1.3\" \r\nProtocol Buffers \r\nFlowCloud makes extensive use of a data structure known as Protocol buffers (“protobufs”) in its configuration\r\nand C\u0026C communications. “Protocol buffers are Google's language-neutral, platform-neutral, extensible\r\nmechanism for serializing structured data – think XML, but smaller, faster, and simpler. 
You define how you want\r\nyour data to be structured once, then you can use special generated source code to easily write and read your\r\nstructured data to and from a variety of data streams and using a variety of languages.” \r\nAs an example, in the analyzed sample, FlowCloud stores its configuration data as a 3344-byte serialized protobuf as shown in Figure 1: \r\nFigure 1 Configuration data serialized as a protobuf\r\nUsing the Protocol buffer compiler (“protoc”), the serialized data can be deserialized into a more human-readable\r\nformat as shown in Figure 2: \r\nFigure 2 Configuration data that has been deserialized (truncated for readability)\r\nTo recover the names of the fields, the\r\nassociated ProtobufCMessageDescriptor and ProtobufCFieldDescriptor structures can be identified as shown in\r\nFigure 3: \r\nFigure 3 Configuration data’s associated ProtobufCMessageDescriptor\r\nWe have included an IDA Pro Python script on our GitHub that can be used to parse and display some of the\r\nimportant fields of these structures as shown in Figure 4: \r\nFigure 4 Parsed ProtobufCMessageDescriptor and ProtobufCFieldDescriptor (truncated for readability)\r\nThe “id” numbers from the structures can be matched with the deserialized data for labeling as shown in Figure 5: \r\nFigure 5 Labeled protobuf for configuration data (truncated for readability)\r\nThe ProtobufCMessageDescriptor structure also starts with magic bytes (e.g. 0x28aaeef9), so these can be used to\r\nidentify all the protobufs compiled into the malware. In the analyzed sample there were 78 protobufs included. 
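As an added example (not Proofpoint's IDA Pro script and not code from the sample), the Python below does the same job outside IDA: it scans a flat 32-bit image for the 0x28aaeef9 magic, reads each ProtobufCMessageDescriptor it finds, resolves the name pointer, and walks the ProtobufCFieldDescriptor table to recover field names, ids and types. The structure layouts come from protobuf-c's public header, not from the post; the image, its base address and the message and field names in it are constructed for this example, and the 32-bit pointer width and the rules used to reject stray copies of the magic are assumptions.

```python
import struct

# Magic that opens every ProtobufCMessageDescriptor (quoted in the post; it is
# PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC in protobuf-c).
PROTOBUF_C_MAGIC = 0x28AAEEF9

# 32-bit layouts from protobuf-c's protobuf-c.h (assumption: a 32-bit build,
# so every pointer and size_t is one DWORD).
# ProtobufCMessageDescriptor: magic, name, short_name, c_name, package_name,
#   sizeof_message, n_fields, fields, ... (only the first 8 DWORDs are used)
MSG_HDR_FMT = '<8I'
# ProtobufCFieldDescriptor: name, id, label, type, quantifier_offset, offset,
#   descriptor, default_value, flags, reserved_flags, reserved2, reserved3
FIELD_FMT = '<12I'
FIELD_SIZE = struct.calcsize(FIELD_FMT)
PROTOBUF_C_TYPE_STRING = 14      # enum ProtobufCType in protobuf-c


def read_cstring(image, base, va, max_len=256):
    # Resolve a virtual address to a printable NUL-terminated ASCII string,
    # or None when the pointer does not land inside the image.
    off = va - base
    if not 0 <= off < len(image):
        return None
    end = image.find(0, off, off + max_len)
    if end == -1:
        return None
    text = image[off:end].decode('ascii', 'replace')
    return text if text and text.isprintable() else None


def find_descriptors(image, base):
    # Scan for the magic, then keep only hits whose name pointer and field
    # table resolve inside the image; anything else is data that merely
    # happens to contain the magic value.
    magic = struct.pack('<I', PROTOBUF_C_MAGIC)
    found = []
    off = image.find(magic)
    while off != -1:
        if off + struct.calcsize(MSG_HDR_FMT) <= len(image):
            hdr = struct.unpack_from(MSG_HDR_FMT, image, off)
            name = read_cstring(image, base, hdr[1])
            n_fields, foff = hdr[6], hdr[7] - base
            table_ok = 0 <= foff and foff + n_fields * FIELD_SIZE <= len(image)
            if name is not None and n_fields < 4096 and table_ok:
                fields = []
                for i in range(n_fields):
                    f = struct.unpack_from(FIELD_FMT, image, foff + i * FIELD_SIZE)
                    fields.append((f[1], read_cstring(image, base, f[0]), f[3]))
                found.append({'va': base + off, 'name': name, 'fields': fields})
        off = image.find(magic, off + 1)
    return found


def build_sample_image(base=0x10000000):
    # Constructed 32-bit image for this example: a string pool, a three-entry
    # field table, one message descriptor, and a decoy copy of the magic
    # whose name pointer points outside the image.
    names = (b'product_name', b'product_version', b'exchange_server')
    blob = bytearray()
    vas = {}
    for s in (b'flowcloud.Config',) + names:
        vas[s] = base + len(blob)
        blob += s
        blob.append(0)
    while len(blob) % 4:
        blob.append(0)
    fields_va = base + len(blob)
    for field_id, fname in enumerate(names, 1):
        blob += struct.pack(FIELD_FMT, vas[fname], field_id, 1, PROTOBUF_C_TYPE_STRING,
                            0, 4 * field_id, 0, 0, 0, 0, 0, 0)
    name_va = vas[b'flowcloud.Config']
    blob += struct.pack(MSG_HDR_FMT, PROTOBUF_C_MAGIC, name_va, name_va, name_va,
                        0, 64, len(names), fields_va)
    blob += bytes(32)                                   # rest of the descriptor
    blob += struct.pack(MSG_HDR_FMT, PROTOBUF_C_MAGIC, 0x7FFF0000, 0, 0, 0, 0, 0, 0)
    return bytes(blob)


if __name__ == '__main__':
    base = 0x10000000
    for d in find_descriptors(build_sample_image(base), base):
        print(hex(d['va']), d['name'])
        for field_id, fname, ftype in d['fields']:
            print('  %d (%s) type=%d' % (field_id, fname, ftype))
```

The name-pointer and field-table checks are what separate real descriptors from stray copies of the magic value. On a real binary, load the initialised data sections at their virtual addresses, pass the image base, and expect some hits to fail those checks; the field ids the scan recovers are the numbers that label the deserialized protoc output.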
\r\nConfiguration \r\nIn the analyzed sample, a working directory was set up in: \r\nC:\\Windows\\Fonts\\zitbee.fon\\ \r\nThe fully labeled configuration data is available on our GitHub. Most of its fields are self-identifying and include\r\nthings such as: \r\nC\u0026C addresses (e.g. “exchange_server”)\r\nC\u0026C ports (e.g. “exchange_server_port”)\r\nEncryption keys (e.g. “xchg_server_key”)\r\nVarious installation options (e.g. “install_config”)\r\nVarious command options (e.g. “keyboard_policy”)\r\nThe configuration data is also stored as a serialized protobuf and encrypted in a “winver.dat” file. It is encrypted\r\nusing a basic XOR and addition algorithm. We have included a Python script that can be used to decrypt this\r\nconfig file on our GitHub. \r\nDependencies \r\nFlowCloud uses HTTP to download some dependencies from its C\u0026C server (“exchange_server:\r\nexchange_server_port+1” from the config). Figure 6 shows an example:\r\nFigure 6 Example dependency download\r\nThe URIs are hardcoded into the sample. The response data starts with an encrypted 16-byte header: \r\nHeader key (DWORD)\r\nCRC32 checksum (DWORD)\r\nDecrypted/decompressed data length (DWORD)\r\nEncrypted/compressed data length (DWORD)\r\nThe header key is used with some XOR and ROR operations to decrypt the remaining bytes of the header. \r\nAfter the header there is RC4 encrypted data. The RC4 key is generated by taking a hardcoded string (e.g.\r\n“y983nfdicu3j2dcn09wur9*^\u0026(y4r3inf;'fdskaf'SKF”) and hashing its hex digest 1000 times with MD5. \r\nThe decrypted data starts with another 16-byte header as described above. The data that follows this inner header\r\nis ZLIB compressed and once decompressed contains a PE file. 
\r\nThe downloaded dependencies include: \r\n/SL3716/S8437AEB.DAT - SQLite\r\n/WC413/21FB9FCF.DAT - Nmap\r\n/WC413/6EE2EFF7.DAT - Packet.dll (used with Nmap)\r\n/WC413/67B1B02F.DAT - wpcap.dll (used with Nmap)\r\nWe have included a Python script on our GitHub that can be used to decrypt these dependencies. \r\nCommand and Control \r\nC\u0026C uses a binary protocol over TCP to “exchange_server:exchange_server_port” from the config. An example\r\nexchange is shown in Figure 7: \r\nFigure 7 Example C\u0026C exchange\r\nBoth requests and responses are structured similarly. They start with a 28-byte header called “HHDR”: \r\nHeader key (DWORD)\r\nCRC32 checksum (DWORD)\r\n“HHDR” (DWORD)\r\nUnknown counter (DWORD)\r\nUnknown hardcoded 1 (DWORD)\r\nData length (DWORD)\r\nUnknown hardcoded 1 (BYTE)\r\nHash type (BYTE): 1 is MD5 \r\nCompression type (BYTE): 1 is ZLIB\r\nCrypto type (BYTE): 2 is RC4 \r\nThe header key is used with some XOR and ROR operations to decrypt the remaining bytes of the header.\r\nFollowing “HHDR” is a 24-byte header called “HCMD”: \r\nHeader key (DWORD) \r\nCRC32 checksum (DWORD) \r\n“HCMD” (DWORD) \r\nCommand (DWORD) \r\nSubcommand (DWORD)\r\nData length (DWORD) \r\nThe header key is used with some XOR and ROR operations to decrypt the remaining bytes of the header. \r\nFollowing the “HCMD” header is a 16-byte header as described above in the “Dependencies” section. \r\nAfter the third header there is RC4 encrypted data. The RC4 key for this data is generated by taking the\r\n“xchg_server_key” from the config and hashing its hex digest one time with MD5. \r\nOnce the data is decrypted there is a final 16-byte header and ZLIB compressed data (see the “Dependencies”\r\nsection above). 
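As an added example (not Proofpoint's decryption script and not code from the sample), the Python below builds and unpacks the layered envelope used in both the Dependencies and the Command and Control sections: the 16-byte header, RC4 with the MD5-iterated key, zlib, and the HHDR and HCMD headers in front of a C&C message. The post does not spell out the XOR/ROR header scrambling, where the MD5 iteration starts and whether the key is the hex digest text, which bytes the CRC32 covers, or how the four trailing bytes of HHDR are masked, so the versions used here are assumptions and are marked as such in the comments; the header key value, the xchg_server_key and the payloads are constructed for the example.

```python
import hashlib
import struct
import zlib
from binascii import crc32

# Key seed for dependency downloads, as quoted in the post (its two single
# quotes are spliced in with chr(39) so the literal needs no escaping).
DEP_KEY_SEED = ('y983nfdicu3j2dcn09wur9*^&(y4r3inf;' + chr(39) + 'fdskaf' + chr(39) + 'SKF').encode()
HHDR = int.from_bytes(b'HHDR', 'little')
HCMD = int.from_bytes(b'HCMD', 'little')


def derive_rc4_key(seed, rounds):
    # Post: the seed's hex digest is MD5-hashed 1000 times (dependencies) or once
    # (C&C, seeded with xchg_server_key). Assumption: each round hashes the previous
    # 32-char hex digest and the final hex digest (ASCII) is the RC4 key.
    key = seed
    for _ in range(rounds):
        key = hashlib.md5(key).hexdigest().encode()
    return key


def rc4(key, data):
    # Plain RC4 (KSA then PRGA); symmetric, so one routine encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def ror32(x, n):
    n &= 31
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF


def mask_words(key, words):
    # Stand-in for the XOR-and-ROR header scrambling whose exact steps the post
    # does not give: DWORD i is XORed with the key rotated right by 8*i bits.
    # XOR is its own inverse, so the same call masks and unmasks.
    return [w ^ ror32(key, 8 * (i + 1)) for i, w in enumerate(words)]


def pack_hdr16(key, dec_len, body):
    # 16-byte header: key, CRC32, decrypted/decompressed length, encrypted/compressed
    # length. Assumption: the CRC covers the bytes that follow the header.
    return struct.pack('<4I', key, *mask_words(key, [crc32(body), dec_len, len(body)]))


def unpack_hdr16(buf):
    key = struct.unpack_from('<I', buf)[0]
    return (key,) + tuple(mask_words(key, struct.unpack_from('<3I', buf, 4)))


def wrap(plain, rc4_key, key=0x1337C0DE):
    # Inner layer: hdr16 + zlib(plain). Outer layer: hdr16 + RC4(inner layer).
    comp = zlib.compress(plain)
    inner = pack_hdr16(key, len(plain), comp) + comp
    enc = rc4(rc4_key, inner)
    return pack_hdr16(key, len(inner), enc) + enc


def unwrap(blob, rc4_key):
    # Reverse of wrap(); every length and CRC is verified before it is trusted.
    _, crc, dec_len, enc_len = unpack_hdr16(blob[:16])
    enc = blob[16:16 + enc_len]
    if len(enc) != enc_len or crc32(enc) != crc:
        raise ValueError('outer header: bad length or CRC')
    inner = rc4(rc4_key, enc)
    _, crc, plain_len, comp_len = unpack_hdr16(inner[:16])
    comp = inner[16:16 + comp_len]
    if len(inner) != dec_len or crc32(comp) != crc:
        raise ValueError('inner header: bad length or CRC')
    plain = zlib.decompress(comp)
    if len(plain) != plain_len:
        raise ValueError('decompressed length mismatch')
    return plain


def build_cnc_message(cmd, sub, plain, xchg_server_key, counter=1, key=0x1337C0DE):
    # HHDR (28 bytes) + HCMD (24 bytes) + wrapped body. Assumption: the four trailing
    # BYTE fields of HHDR (hardcoded 1, hash 1=MD5, compression 1=ZLIB, crypto 2=RC4)
    # are masked together as one DWORD.
    body = wrap(plain, derive_rc4_key(xchg_server_key, 1), key)
    hcmd = struct.pack('<6I', key, *mask_words(key, [crc32(body), HCMD, cmd, sub, len(body)]))
    flags = int.from_bytes(bytes([1, 1, 1, 2]), 'little')
    hhdr = struct.pack('<7I', key, *mask_words(
        key, [crc32(hcmd + body), HHDR, counter, 1, len(hcmd + body), flags]))
    return hhdr + hcmd + body


def parse_cnc_message(msg, xchg_server_key):
    # Returns (command, subcommand, decrypted protobuf bytes) or raises ValueError.
    key = struct.unpack_from('<I', msg)[0]
    crc, magic, _, _, data_len, flags = mask_words(key, struct.unpack_from('<6I', msg, 4))
    rest = msg[28:28 + data_len]
    if magic != HHDR or crc32(rest) != crc or flags.to_bytes(4, 'little')[1:] != bytes([1, 1, 2]):
        raise ValueError('bad HHDR (magic, CRC, or unsupported hash/compression/crypto type)')
    key = struct.unpack_from('<I', rest)[0]
    crc, magic, cmd, sub, body_len = mask_words(key, struct.unpack_from('<5I', rest, 4))
    body = rest[24:24 + body_len]
    if magic != HCMD or crc32(body) != crc:
        raise ValueError('bad HCMD')
    return cmd, sub, unwrap(body, derive_rc4_key(xchg_server_key, 1))
```

When adapting this to a capture, the first thing to replace is mask_words with the real XOR/ROR sequence lifted from the sample, and the CRC checks will tell you immediately whether the key-derivation assumptions (iteration count, hex-digest-as-key) match the binary: a wrong key produces an inner header whose CRC does not match the data that follows it, which is the same failure a defender's decoder should treat as a parse error rather than feeding the bytes to zlib.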
\r\nWe have included a Python script on our GitHub that can be used to decrypt these requests or responses. Figure\r\n8 is an example output of our script: \r\nFigure 8 Example parsing of a C\u0026C request\r\nThe decrypted data is a serialized protobuf. For example, the names of the protobufs involved with command\r\n1 subcommand 2 are: \r\nFcNet__MsgUsr \r\nFcNet__MsgUsr__System \r\nFcNet__MsgUsr__System__Adapter \r\nThis command is used to send various system information to the C\u0026C server as shown in Figure 9: \r\nFigure 9 Labeled protobuf for command 1 subcommand 2 (edited for privacy)\r\nC\u0026C Commands \r\nWe have identified the following commands that can be executed via C\u0026C command polls: \r\nCommand 2 – filesystem related\r\n  Subcommand 0 - get drive information\r\n  1 - get directory listing\r\n  2 - create directory\r\n  3 - rename directory\r\n  4 - write file\r\n  5 - read file\r\n  6 - remove directory\r\n  7 - get file attributes\r\n  8 - set file attributes and times\r\n  9 - add file to \"filemgr\" list (see below)\r\n  10 - search directory for files with a given file name pattern\r\n  11 - ShellExecute \"open\" file with arguments\r\n  12 - add directory to \"folderimage\" list (see below) \r\nCommand 3 – take a screenshot \r\nCommand 5 – exfiltrate data related (see below)\r\n  Subcommand 0 - get exfiltrate data size\r\n  1 - get exfiltrate data file count\r\n  2 - get exfiltrate data item list\r\n  3 - change status of exfiltrate data \r\nCommand 6 – process related\r\n  Subcommand 0 - get process list\r\n  1 - kill process \r\nCommand 7 – service related\r\n  Subcommand 0 - get service list\r\n  1 - start service\r\n  2 - stop service\r\n  3 - delete service\r\n  4 - set service start type \r\nCommand 9 – system related\r\n  Subcommand 0 - get installed software\r\n  4097 – reboot\r\n  4098 – reboot\r\n  4099 – NtRaiseHardError\r\n  4100 – copy 
%SYSTEM%\\winver.exe to %WIN%\\System\\winver.exe then NtRaiseHardError \r\nCommand 10 – cmd.exe command shell\r\n  Subcommand 4097 – write command to shell \r\nCommand 11 – lateral movement related\r\n  Subcommand 4097 - set up port mapping using https://github.com/windworst/LCX\r\n  4098 - remove port mapping\r\n  4099 - get port mappings\r\n  8193 - start Nmap scan\r\n  8194 - replies with \"Unsupported yet.\"\r\n  8195 - get Nmap scan results \r\nData Exfiltration Managers \r\nIn addition to the C\u0026C commands, FlowCloud has some additional functionality organized as “data\r\nexfiltration managers” that include: \r\n“filemgr” – exfiltrate files as specified by a C\u0026C command \r\n“folderimage” – exfiltrate directories as specified by a C\u0026C command \r\n“screen” - exfiltrate screenshots \r\n“keylog” - exfiltrate keylogging data\r\nKeylogging data is gathered by an external program and sent to FlowCloud via a named pipe\r\n(e.g. “\\\\.\\pipe\\namedpipe_keymousespy_english”)\r\n“audio” - possibly audio recording\r\nThe config and code hint at this functionality, but it is not implemented in the analyzed sample\r\n“smtfile” - possibly search for and exfiltrate files based on file types and name patterns\r\nThe config and code hint at this functionality, but it is not implemented in the analyzed sample\r\n“plugin” - download and execute additional plugins\r\nPE file exports associated with plugins:\r\n“pluginInfo”\r\n“startModule”\r\n“setOtherInterface2”\r\n“clipboard” - possibly steal clipboard contents\r\nThe config and code hint at this functionality, but it is not implemented in the analyzed sample \r\nThese exfiltration managers run in their own execution threads and some are controlled by “policies” in the\r\nconfig. They store their data in various SQLite databases and then another execution thread will eventually\r\nexfiltrate the data to the C\u0026C server. 
\r\nAs an example, the “screen” exfiltration manager takes continuous screenshots according to its “screen_policy”: \r\nstate – is policy active \r\ncycle_time – sleep time between screenshots \r\ncache_count – maximum number of screenshots waiting to be exfiltrated \r\nbit_depth – bit depth of screenshot \r\nA screenshot is taken. Depending on its size, the data may be broken up into chunks. The data is then compressed\r\nwith ZLIB and encrypted with RC4 (uses “file_key” from config). As described above, 16-byte encrypted headers\r\nare attached to the compressed and encrypted data. \r\nTwo additional headers are prepended to the compressed and encrypted data. They are encrypted similarly to the\r\n16-byte, 28-byte, and 24-byte headers above. The first header is 96 bytes: \r\nHeader key (DWORD)\r\nCRC32 checksum of header (DWORD)\r\nCRC32 checksum of data (DWORD)\r\nProduct name (16 bytes)\r\nProduct version (16 bytes)\r\nUnknown hardcoded 1 (DWORD)\r\nTimestamp (QWORD)\r\nFile attributes (DWORD)\r\nData length (QWORD)\r\nCreation time (QWORD)\r\nLast access time (QWORD)\r\nLast write time (QWORD)\r\nLength of the next header (DWORD)\r\nThe second header is at least 24 bytes, but its length depends on the number of data chunks and the length\r\nof a filename: \r\nHeader key (DWORD)\r\nCRC32 checksum of header (DWORD)\r\nHeader length (DWORD)\r\nOffset to end of chunk list (DWORD)\r\nOffset to start of chunk list (DWORD)\r\nNumber of chunks (DWORD)\r\nFile name and chunk list (variable length)\r\nThe encrypted screenshot data is then saved to a SQLite database. In the analyzed sample this was\r\nstored in the file “data\\E70EEF62”. We have included an example of the schema used on our GitHub, but it\r\nbasically consists of a “file” table to store metadata about the data to exfiltrate and a “file_data” table that stores\r\nthe data. 
\r\nPeriodically a separate execution thread will go through the SQLite databases created by the exfiltration managers\r\nand send the data to the C\u0026C server. It uses the same C\u0026C protocol as described above, but using the\r\n“file_server,” “file_server_port,” and “file_server_key” values from the config. \r\nThe Proofpoint threat research team analyzed and performed reverse engineering on a recently discovered\r\nversion (4.1.3) of the FlowCloud RAT. While the version that we analyzed is for Windows only, we believe that\r\nthere may be additional variants. One piece of evidence that may support the theory that there are additional\r\nFlowCloud variants is the “plateform” (sic) field detailed in Figure 9 above. This is an enumerated data type\r\nthat can have the following values: \r\nFC_NET__USR_LIST__USR__SYSTEM__PLATEFORM_TYPE__WINDOWS\r\nFC_NET__USR_LIST__USR__SYSTEM__PLATEFORM_TYPE__LINUX\r\nFC_NET__USR_LIST__USR__SYSTEM__PLATEFORM_TYPE__MAC\r\nFC_NET__USR_LIST__USR__SYSTEM__PLATEFORM_TYPE__ANDROID \r\nWhile we have only seen versions of FlowCloud for Windows, this implies there may be other implementations\r\nof FlowCloud for other operating systems. 
\r\nET and ETPRO Suricata/SNORT Signatures\r\n2842895 - ETPRO MALWARE FlowCloud Dependency Download M1\r\n2842896 - ETPRO MALWARE FlowCloud Dependency Download M2\r\n2842897 - ETPRO MALWARE FlowCloud Dependency Download M3\r\n2842898 - ETPRO MALWARE FlowCloud Dependency Download M4\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis"
	],
	"report_names": [
		"flowcloud-version-413-malware-analysis"
	],
	"threat_actors": [
		{
			"id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3",
			"created_at": "2022-10-25T16:07:23.80111Z",
			"updated_at": "2026-04-10T02:00:04.753677Z",
			"deleted_at": null,
			"main_name": "LookBack",
			"aliases": [
				"FlowingFrog",
				"LookBack",
				"LookingFrog",
				"TA410",
				"Witchetty"
			],
			"source_name": "ETDA:LookBack",
			"tools": [
				"FlowCloud",
				"GUP Proxy Tool",
				"SodomMain",
				"SodomMain RAT",
				"SodomNormal"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1",
			"created_at": "2023-01-06T13:46:39.059774Z",
			"updated_at": "2026-04-10T02:00:03.199867Z",
			"deleted_at": null,
			"main_name": "TA410",
			"aliases": [],
			"source_name": "MISPGALAXY:TA410",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b845c21ea6941d61421666b3e8523e0b5a7d6b7.pdf",
		"text": "https://archive.orkl.eu/4b845c21ea6941d61421666b3e8523e0b5a7d6b7.txt",
		"img": "https://archive.orkl.eu/4b845c21ea6941d61421666b3e8523e0b5a7d6b7.jpg"
	}
}