{
	"id": "5619b719-a30c-4c09-8fbc-8c135a8ed77a",
	"created_at": "2026-04-06T01:32:02.38362Z",
	"updated_at": "2026-04-10T03:20:58.862882Z",
	"deleted_at": null,
	"sha1_hash": "50f9336e790da83c7109ac83be6c18bba43ce804",
	"title": "Golang wrapper on an old obscene malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286602,
	"plain_text": "Golang wrapper on an old obscene malware\r\nPublished: 2020-02-28 · Archived: 2026-04-06 00:40:10 UTC\r\nThe malware in this report has been blogged about before by a Russian researcher[1]. He referred to it as “Obscene Trojan”, so that is what I will call it as well, and we will go over its functionality in depth later in this post. The more interesting part to me is the initial layer around the malware: it is written in Golang. This layer serves as the wrapper layer you would normally expect to see with crypters, but it is also a dropper, since it drops the decoded malware to disk and detonates it there instead of loading it into memory. The concept of a Golang crypter is interesting nonetheless, and after going through all the layers I stepped back and checked the detection ratings. I was incredibly surprised to find that these wrapper layers took a 12 year old malware from completely detected to almost FUD (fully undetectable).\r\nInitial sample: 769d1396b0cef006bcaafd2de850fc97bf51fd14813948ef2bc3f8200bcb5eab\r\nThis Golang wrapper is designed to ZLIB decompress and RC4 decrypt the next file hidden inside itself.\r\nhttps://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html\r\nPage 1 of 13\r\nDumping the data blob out, we can verify this manually. The session below is Python 2 with PyCrypto, and t holds the embedded blob carved out of the wrapper:\r\n\u003e\u003e\u003e import zlib\r\n\u003e\u003e\u003e from Crypto.Cipher import ARC4\r\n\u003e\u003e\u003e open('test.zz', 'wb').write(t)  # keep a copy of the raw blob\r\n\u003e\u003e\u003e zobj = zlib.decompressobj()\r\n\u003e\u003e\u003e t2 = zobj.decompress(t)  # first layer: ZLIB\r\n\u003e\u003e\u003e t2[:100]\r\n'\\x9e\\xd6\\x02\\x1e\\x19n\\xa0^\\xd0\\x83Ga\\xcfq\\xd6\\x08\\x943\\x00\\x7f\\xf4n\\x96\\x05\\xe5\\xf7\\x8aM8\\x17\\x8a\\xfb\\xe3\\\\]}\\x\r\n\u003e\u003e\u003e rc4 = ARC4.new('vckxjm')  # second layer: RC4 with the key found in the wrapper\r\n\u003e\u003e\u003e t3 = rc4.decrypt(t2)\r\n\u003e\u003e\u003e t3[:100]  # MZ header: the next PE\r\n'MZ\\x90\\x00\\x03\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\x8b\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\x00\\x00\\x00\r\nNext layer: 0015001917bc98a899536c6d72fcf0774e5b14ab66f07ccbdc4cc205d70475dd\r\nAfter decoding the next exe file out, we are left with another Golang wrapped file that does the same thing as the previous layer but with a different RC4 key.\r\nNext unpacked file: de2688f007dac98b579d5ed364febc8bb07bc3dc26e4b548d659ecb1974d9f46\r\nThis file appears to be an SFX RAR exe, but at the end of the day it is also just another layer, designed to drop an EXE file to disk and detonate it.\r\nDropped binary: afa085105a16b1284a811da11db2457778c4a267f2fa8a551dec3b8a665c11f9\r\nThis file looks like a compiled Lua binary, but we do not really need to decompile it, as we can see a large base64 blob inside it and a similar looking 6 byte string below it.\r\n\u003csnip\u003e\r\ndIMAASIwzdmExocRQqzw0ytzQGCfKbvWFXldCcNuyFmZY0eOxzmzJtMrzn1VV6VBF8hH6CZpopOVvkCx\r\nQpeoBQy3fp/3XNCVyDc90aYiPtcwqjfbX3jSEDbspcg8AT08aUmJqm+RU53bFB8u3vL+HQzNNv17YHeX\r\nkHA5yz6ttQuwpZ0rzTHvh11DBxVFQwWLaVi1Y718ORqmrc5DcWTMCvEjagiP4qeJWUmP2N0XwQ08fXU1\r\nbuFfXfD6xBg8ugXKanSFFTsGuIJIC+QPePPjvTWoeJueb4y5IvPVJUT688HgNTo18eufF2CCyjMs/Zem\r\nXb+7K1DeYNbF/mPbJrcqtovOdd7X4HSwcbh+0MwwWNnWak4kCT/JRumZBztD1iBMuVIJZv0V/48+rBq9\r\nnHigHzW0fv6XFFZhzThqkHx0GEr9i/MMromlXCHSm7A=\r\nrc4_key\r\nyovzgz\r\ntmp_file\r\ngetenv\r\nTEMP\r\ntmpname\r\n.exe\r\nBase64 decoding and then RC4 decrypting this blob, with that 6 byte string as the key, gives us our next binary:\r\n1ca71bba30fb17e83fea05ef5e2d467f86bff27b6087b574fa51f94f0f725441\r\nThis binary is the unpacked trojan that a blog from 2008 calls “Obscene Trojan”[1]. Coincidentally it also has a compilation timestamp of 2008, so I am unsure whether it was just recently uploaded or whether someone is testing the crypter layers for detection.\r\nIt has some anti-debugging, using obscure opcodes that some debuggers can have problems with, and also a VM check[3].\r\nThe malware has most of its important strings encoded using a single byte XOR. The following IDAPython script walks every cross-reference to the decoder routine at 0x40f09e, takes the operand of the instruction just before each call as the address of the encoded string, and XORs each byte with the key 2:\r\nPython\u003efor addr in XrefsTo(0x40f09e, flags=0):\r\n    addr = addr.frm  # address of the call into the decoder\r\n    print(hex(addr)),  # Python 2 print with trailing comma: no newline\r\n    addr = idc.PrevHead(addr)  # instruction just before the call\r\n    offset = GetOperandValue(addr, 0)  # its first operand points at the encoded string\r\n    t = GetString(offset)\r\n    t = bytearray(t)\r\n    for i in range(len(t)):\r\n        t[i] ^= 2  # single byte XOR key\r\n    print(t)\r\nPython\u003e\r\n0x40f22eL advapi32.dll\r\n0x40f256L kernel32.dll\r\n0x40f27eL GetProcAddress\r\n0x40f2acL GetEnvironmentVariableA\r\n0x40f2daL WinExec\r\n0x40f308L CopyFileA\r\n0x40f336L SetFileAttributesA\r\n0x40f364L RegSetValueExA\r\n0x40f392L RegOpenKeyA\r\n0x40f3c0L RegCloseKey\r\n0x40f3eeL http://fewfwe.com/\r\n0x40f400L http://fewfwe.net/\r\n0x40f421L cftmon.exe\r\n0x40f442L spools.exe\r\n0x40f463L ftpdll.dll\r\n0x40f541L Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\r\n0x40f5d8L SYSTEM\\CurrentControlSet\\Services\\Schedule\r\n0x40f68bL SystemDrive\r\n0x40f8c2L windir\r\n0x40f8deL COMRUTERNAME\r\n0x40f8f0L \\system32\r\n0x40f911L USERPROFILE\r\n0x40f938L \\Local Settings\\Application Data\r\n0x40f97fL \\drivers\\\r\n0x40f9b7L \\Local Settings\\Application Data\\\r\n0x40f9efL \\update.dat\r\n0x40fa16L \\drivers\\\r\n0x40fa2dL sysproc.sys\r\n0x40fa54L \\mpr.dat\r\n0x40fa7bL \\mpr2.dat\r\n0x40faa2L \\mpr32.dat\r\n0x40fb61L \\mpz.tmp\r\n0x40fb88L \\r43q34.tmp\r\n0x40fda5L wininet.dll\r\n0x40fdcbL InternetOpenA\r\n0x40fdf7L InternetOpenUrlA\r\n0x40fe23L InternetReadFile\r\n0x410007L Content-Type: application/x-www-form-urlencoded\r\n0x410304L c:\\stop\r\nThere is also an encoded file stored inside of it, which was also blogged about in 2008, but there it was discussed as being downloaded by the previous trojan instead of being dropped directly[2]:\r\nf198e63cc1ba3153e27905881bcb8a81fa404f659b846b972b1c8f228e4185d4\r\nThe trojan sets the filename that it will have.\r\nThis DLL will hook send, WSASend, recv and WSARecv, primarily for harvesting data from traffic over ports 110, 80, 25 and 21 (POP3, HTTP, SMTP and FTP). The harvested data is written to files, while the main trojan piece reads the files and ships the data off.\r\nReceiving function hooks:\r\nSending function hooks:\r\nThe receiving hook checks which port is being used before harvesting data.\r\nThe data being harvested looks like email data, which will be written to one of the files.\r\nThe send hook function performs similar harvesting, but it also has different code for port 21 and 80 traffic. For port 21 it will check for ‘USER’ and ‘PASS’, as seen in FTP traffic.\r\nThe data will then be harvested.\r\nThe data will be written to a different file.\r\nThe send hook code will also look for ‘gzip,’ in outbound traffic over port 80 and overwrite it, probably to prevent an Accept-Encoding header from including gzip.\r\nAs I mentioned at the beginning of the post, the most interesting aspect of this to me personally is that a few simple wrappers and a Golang crypter were enough to take an old malware to almost FUD.\r\nReferences:\r\n1. https://habr.com/ru/post/27040/\r\n2. https://habr.com/ru/post/27053/\r\n3. https://www.aldeid.com/wiki/VMXh-Magic-Value\r\nSource: https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html"
	],
	"report_names": [
		"Golang-Wrapper-on-an-old-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439122,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50f9336e790da83c7109ac83be6c18bba43ce804.pdf",
		"text": "https://archive.orkl.eu/50f9336e790da83c7109ac83be6c18bba43ce804.txt",
		"img": "https://archive.orkl.eu/50f9336e790da83c7109ac83be6c18bba43ce804.jpg"
	}
}