{
	"id": "e0044739-c514-4c7c-bcfa-c83ad23ebf8a",
	"created_at": "2026-04-06T00:14:03.073793Z",
	"updated_at": "2026-04-10T03:37:49.890253Z",
	"deleted_at": null,
	"sha1_hash": "4f6f54c54078b2818579698e52e9ff2bfb88ff49",
	"title": "Analysis of APT28 hospitality malware (Part 2)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 456684,
	"plain_text": "Analysis of APT28 hospitality malware (Part 2)\r\nBy Adam Chester\r\nArchived: 2026-04-05 19:52:10 UTC\r\nPosted on 13th August 2017\r\nIn the first part of this malware review, we looked at the VBA code used by APT28 to drop a DLL onto the victims' machines as part of their recently highlighted hospitality campaign.\r\nIn this post, we will look at the dropped file, understand just what it does, and see how we can analyse it using IDA Pro.\r\nWe know from the first post that we have a DLL, which is run using the following command:\r\nrundll32.exe %APPDATA%\\user.dat,#1\r\nLoading the extracted DLL into IDA, the first thing that we notice is that we have an exported function named load with an ordinal of 1:\r\nhttps://blog.xpnsec.com/apt28-hospitality-malware-part-2/\r\nPage 1 of 6\r\nWe know from the rundll32.exe command that this will be our entry point, so we start our analysis here.\r\nWithin the load function, a number of strings are constructed on the stack in Unicode, which when decoded look like this:\r\nInterestingly, one of the strings, mvtband.dat, closely matches the C2 server identified by FireEye, mvtband.net.\r\nEntering the first function at address 10001000h, we see another Unicode string constructed on the stack, “Environment”, before RegOpenKeyExW is called to open a handle to HKCU\\Environment.\r\nNext a path of %appdata%\\mrset.bat is constructed and written to the UserInitMprLogonScript registry value within HKCU\\Environment:\r\nNote: If we stop and look for other examples of malware using this technique, we can see a number of related posts unsurprisingly pointing to other Sofacy malware droppers using the same method.\r\nContinuing to the next function, we find what immediately appears to be a decryption loop, using a fixed XOR key of 0x26:\r\nOnce the bytes at this address are decrypted, the contents are written to %appdata%\\mvtband.dat.\r\nThis is a perfect opportunity to use IDAPython to recover the encrypted data. We know from the disassembly that the loop runs for 0x7600 bytes, and XORs a byte at a time from the address 0x10009B90 with a fixed key of 0x26. Translating this into IDAPython, we have the following script:\r\n# IDAPython (IDA 6.x API, Python 2): read the 0x7600 encrypted bytes at 0x10009B90 and XOR each one with 0x26\r\nimport idaapi\r\nv = \"\"\r\ndata = idaapi.get_many_bytes(0x10009B90, 0x7600)\r\nfor i in range(0, len(data)):\r\n    v += chr(ord(data[i]) ^ 0x26)\r\n# write the decrypted buffer to disk for further analysis\r\nf = open(\"out.bin\", \"wb\")\r\nf.write(v)\r\nf.close()\r\nOnce executed, this script will decrypt the contents of address 0x10009B90 and write the output to out.bin.\r\nAn initial review of the decrypted contents shows that this is a PE32 DLL, and if we upload the sample to VirusTotal we see that a matching sample was first seen on 17-07-2017 with a name of mvtband.dll and signatures matching Sofacy:\r\nContinuing into the final function of this dropper, we find a similar decryption loop for a different memory location and the same XOR key:\r\nRepurposing our above IDAPython script, we can extract the contents with the following:\r\n# same routine, this time for the 0x6A encrypted bytes at 0x10009B20\r\nimport idaapi\r\nv = \"\"\r\ndata = idaapi.get_many_bytes(0x10009B20, 0x6A)\r\nfor i in range(0, len(data)):\r\n    v += chr(ord(data[i]) ^ 0x26)\r\nf = open(\"out2.bin\", \"wb\")\r\nf.write(v)\r\nf.close()\r\nReviewing the decrypted contents, we find the following:\r\nset inst_pck = \"%appdata%\\mvtband.dat\"\r\nif NOT exist %inst_pck % (exit)\r\nstart rundll32.exe %inst_pck %,#1\r\nThis simple .bat file is being used by the UserInitMprLogonScript registry value on reboot to launch the mvtband.dat payload via rundll32.exe.\r\nOnce the .bat script is decrypted by the dropper, the contents are written to %appdata%\\mrset.bat before being launched using CreateProcess.\r\nAnd there we have it, APT28’s simple dropper and persistence malware, with a bit of IDAPython reversing thrown in. We see that this DLL functions to decrypt two embedded payloads: “mrset.bat”, a BAT file executed via “UserInitMprLogonScript”, and “mvtband.dat”, the main payload of the malware, which is executed via rundll32.exe.\r\nSo what are the takeaways from this for our red-team engagements? Well first, we see that adversaries are now increasingly using rundll32.exe in malware campaigns, which allows a payload to be stored without a typical .exe extension. More importantly, this also gives malware a better chance of being successfully executed within a restricted environment that whitelists Microsoft-signed binaries.\r\nSecondly, we have UserInitMprLogonScript being used for persistence to launch a .bat file as a GPO script. While certainly not unheard of, the use of a GPO value is less likely to draw attention than, say, adding a Run key value or adding a new schtask.\r\nHopefully this has been a good introduction to the APT28 dropper and how we can use IDAPython during a reversing exercise, and as always, comments and feedback are welcome via the usual channels.\r\nSource: https://blog.xpnsec.com/apt28-hospitality-malware-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.xpnsec.com/apt28-hospitality-malware-part-2/"
	],
	"report_names": [
		"apt28-hospitality-malware-part-2"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f6f54c54078b2818579698e52e9ff2bfb88ff49.pdf",
		"text": "https://archive.orkl.eu/4f6f54c54078b2818579698e52e9ff2bfb88ff49.txt",
		"img": "https://archive.orkl.eu/4f6f54c54078b2818579698e52e9ff2bfb88ff49.jpg"
	}
}