{
	"id": "85385187-acb8-4ce4-9cc2-101d79b606be",
	"created_at": "2026-04-06T00:17:15.546967Z",
	"updated_at": "2026-04-10T03:35:47.25793Z",
	"deleted_at": null,
	"sha1_hash": "58a9a849daeb0d0083576d1bf2763073ccb28f57",
	"title": "Aria-Body Loader? Is that you?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3433578,
	"plain_text": "Aria-Body Loader? Is that you?\r\nBy BlueMonkey\r\nPublished: 2021-09-29 · Archived: 2026-04-05 18:51:43 UTC\r\nHello! This is my first time writing a blog on a loader which I had gotten hold of. So, I am a new analyst in the Malware Analysis field and I am trying to do research into Cobalt Strike. Recently, I ran a modified public YARA rule for Cobalt Strike on VirusTotal and from the scan, I found two samples which I find interesting.\r\n1e56c3f05bb53d2dfa60bc016e8509b12fd3beb5f567d274a184bb67af1eb19c\r\nc5696e660f3cfa9232756418e40ad18729cfe32fb284bba2314dd523ba527258\r\nThese two samples have a relatively large size (17.05 MB) as compared to other files and their size is exactly the same. Additionally, their upload timing is quite close to each other, around 3 minutes apart. I started to analyze the files and from my findings, it doesn’t look anything like a Cobalt Strike loader. Turning to my friend who has much more experience in malware analysis, I told him my findings and he told me that from what I had described, it sounds a little bit like Aria-Body instead. So I did some reading up on Aria-Body and here is what I found….\r\nIn 2020, Check Point Research released a write-up (http://research[.]checkpoint[.]com/2020/nikon-apt-cyber-espionage-reloaded) describing how the Naikon APT group is using Aria-body. In the report, they summarized the loader to have these capabilities:\r\n1. Establish persistence via the Startup folder or the Run registry key [some variants].\r\n2. Inject itself to another process such as rundll32.exe and dllhost.exe [some variants].\r\n3. Decrypt two blobs: Import Table and the loader configuration.\r\n4. Utilize a DGA algorithm if required.\r\n5. Contact the embedded / calculated C\u0026C address in order to retrieve the next stage payload.\r\n6. Decrypt the received payload DLL (Aria-Body backdoor).\r\n7. Load and execute an exported function of the DLL — calculated using djb2 hashing algorithm.\r\nTake note of these points as I will be mentioning some of them in this post.\r\nAnalysis of the samples\r\nAs I mentioned in the intro, the first thing that I noticed about the two samples is that both of them have exactly the same size. When I loaded them into PE studio, I noticed that they share the same compiler, debugger and exports timestamp.\r\nhttps://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1\r\nPage 1 of 13\r\nNow looking at the sections’ metadata, we can see that all but two of them have the same hash. The two sections with a different hash are the .text and the .data section. Although they have a different hash, we can see that the raw size, virtual size, raw address and virtual address are the same.\r\nLooking into the import and export section, these two samples also have the same imports and exports.\r\nLooking at the static properties analysis, these two files seem like twins. They could have the same origins or they might be built using a builder. But this is just my speculation at this point as there is not enough information to support the claim.\r\nLooking for the “action”\r\nNow that I have done the analysis on the files’ properties and confirmed that it is a 64-bit DLL, it’s time to throw the sample 1e56c3f05bb53d2dfa60bc016e8509b12fd3beb5f567d274a184bb67af1eb19c into IDA for analysis. After IDA has finished loading, the first thing that it displayed is this:\r\nDllMain\r\nThat’s all ._. not helpful at all. Seems like I have to find the “action” through other means~~\r\nSince this is a DLL, we can try to look for the “action” by checking the export functions.\r\nExport Functions\r\nFrom this list of 30 export functions, two of them, DllEntryPoint and ILCreateFromPath, caught my attention. After looking through the two functions, I determined that the ILCreateFromPath function contains the “actions” that we are interested in.\r\nObfuscation\r\nWhile scrolling through the ILCreateFromPath function, I noticed a pattern:\r\nEncoded String\r\nNotice that the value “]prt-.p,^p,0tnpN.,wSlyowp,b” in the variable aPrtPP0tnpnWsly was loaded (lea) into rcx, followed by a call to the sub function sub_180001010 and then a call rax. From my analysis, the function sub_180001010 consists of two parts.\r\n1 — Decode the string\r\nFirst it will decode a string that is passed in as an argument, which in this case is the value in the variable aPrtPP0tnpnWsly.\r\nDecode Section\r\nThis function decodes the characters by applying the concept of a substitution cipher, where it takes the ASCII value of each character, adds 28, followed by mod 81, and finally adds 42. This is the formula for the substitution cipher that I just described: plain_text = (cipher_text + 28) % 81 + 42. Thus, the value of variable aPrtPP0tnpnWsly decodes into RegisterServiceCtrlHandlerW, which is a Win32 API.\r\nUsing this formula, I wrote a simple Python script to do the decryption and ran it on all the strings found in the same data section as aPrtPP0tnpnWsly and here are the decrypted strings:\r\nDecoded String\r\nLooking at the de-obfuscated strings, it seems like they are hiding function calls in strings and decoding them during runtime so that we cannot see most of its capabilities just from looking at the imports table. From the list of de-obfuscated strings, we can see that some of the capabilities of this malware include creating threads and writing into memory.\r\n2 — GetProcAddress\r\ngetProcAddress\r\nOnce the string is decoded, the function will then call LoadLibraryA and GetProcAddress before returning the address of the call.\r\nAlright, now that we know that this malware has the ability to hide its function calls, what’s next?\r\nThreading and New Processes\r\nFollowing down the ILCreateFromPath, I saw that the malware creates a new thread to execute the function called StartAddress.\r\nCreate New Thread\r\nSo the only thing to do is to follow and look at what the StartAddress function does.\r\nLooking through the StartAddress function, the first thing that caught my eye is a variable containing the string “%s\\\\dllhost.exe /Processid:{%s}” followed by CreateProcessW. It looks like the malware is trying to create a dllhost process.\r\nCreate New Process\r\nAfter calling CreateProcessW, the malware then proceeds to call VirtualAllocEx followed by WriteProcessMemory.\r\nAllocate And Write To Memory\r\nFrom the above code, we can see that the malware used the WriteProcessMemory function to write the function sub_181064570 into the dllhost process created earlier. Although this seems to be a common process injection, it matches Check Point’s report, where it mentions that it injects itself into another process such as rundll32.exe and dllhost.exe.\r\nDecoding Embedded Data\r\nFinally, we have reached the part where we can see what this malware actually wants to do! This is how the first few lines of the function written into the process’s memory look like:\r\nWrite to Memory\r\nIt looks like the malware is copying two sets of data located at qword_181065CC0 into the memory.\r\nEncoded Blob in Memory\r\nAfter copying the data into the memory, the malware calls a function which will decode the data.\r\nFirst Decoded Blob\r\nThe first blob of data contains the URL of the C2 server “news.nyhedmgtxck.com” and a string of characters which doesn’t seem to be used in any part of the execution.\r\nSecond Decoded Blob\r\nAnd the second blob of data contains the imports table which the malware will use in the next phase of its activity.\r\nWait a minute… do the 2 blobs of data sound familiar?\r\nFrom Check Point’s report on the Aria-body loader, they mentioned that one of the functionalities of the loader is to decrypt two blobs of data into an Import Table and a loader configuration.\r\nDownload and execute payload\r\nBy using the decoded import tables, the malware attempts to connect to the C2 URL to download a file.\r\nDownload Payload\r\nTo this point, it actually matches the points mentioned in Check Point’s report where Aria-body contacts the embedded / calculated C\u0026C address in order to retrieve the next stage payload.\r\nToo bad for us, the URL has already been sinkholed. Therefore, I am not able to download the sample for analysis ):\r\nIt’s not the end yet! Although I am not able to analyze the next stage payload, I am still able to see what this loader does before passing control to the next stage payload :D\r\nOnce the payload is downloaded, the malware will first decode the payload with an XOR function. The decoded payload will then reside only in memory, which suggests that it could be a file-less malware.\r\nDecode Payload and Copy to Memory\r\nNext, the malware calls a function which checks if the payload contains the magic numbers “MZ” and “PE”.\r\nCheck for PE and Section Header\r\nOnce verified, the malware will finally get the entry point to the payload by calculating the djb2 hash of the payload’s exports and comparing it with 0x2E9AD5FB. Without the second stage payload, I am unable to determine what the export name is based on that hash.\r\nDJB2 Hash\r\nFinally, the malware then passes the execution control to the payload.\r\nThe way this malware gets the entry point also matches what Check Point had described, where the loader loads and executes an exported function of the DLL — calculated using the djb2 hashing algorithm.\r\nConclusion\r\nPhew… Finally! We’ve reached the conclusion~~ v^^v\r\nFrom the analysis, this malware looks like a loader which will download a payload from the C2 and execute the payload in memory. The capabilities of this sample are very similar to the Aria-body loader that is described by Check Point, with 5 out of the 7 points matching the analysis. I am unable to determine if this sample “establishes persistence via startup folder or run registry” and the “utilization of the DGA algorithm”. Putting the capabilities aside, I looked through the sample with the hash “40c49ecbe1b7bdodbb935138661b6ca4” mentioned in Check Point’s report and code-wise, it looks vastly different from this sample.\r\nNotice that up to this point, I have only talked about the analysis of one of the samples. Well, I had done the analysis on both of the samples and in regard to the code execution, they are the same. The only difference between the two samples, in regard to what is relevant to the execution and its function, is that the C2 string and the string of characters in the first blob of data are different. Instead of going to “news[.]nyhedmgtxck[.]com”, the C2 of the other sample is “www[.]etnwtmrkh[.]com”, both of which are sinkholed.\r\nTherefore, based on the capabilities, am I right to say that this could be a variant of the Aria-Body loader?\r\nSource: https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/aria-body-loader-is-that-you-53bdd630f8a1"
	],
	"report_names": [
		"aria-body-loader-is-that-you-53bdd630f8a1"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775792147,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58a9a849daeb0d0083576d1bf2763073ccb28f57.pdf",
		"text": "https://archive.orkl.eu/58a9a849daeb0d0083576d1bf2763073ccb28f57.txt",
		"img": "https://archive.orkl.eu/58a9a849daeb0d0083576d1bf2763073ccb28f57.jpg"
	}
}