{
	"id": "2a6fbe3c-cdba-49b4-b7df-ad2ad26a89f5",
	"created_at": "2026-04-06T01:32:20.418606Z",
	"updated_at": "2026-04-10T13:13:05.023432Z",
	"deleted_at": null,
	"sha1_hash": "609e0b5351ac397199cdfb45c6d91ad22b607738",
	"title": "FTdecryptor: a simple password-based FTCODE decryptor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100761,
	"plain_text": "FTdecryptor: a simple password-based FTCODE decryptor\r\nArchived: 2026-04-06 00:38:49 UTC\r\nHi there, this is Gabriele Pippi, from the Certego Purple Team.\r\nI want to share this simple password-based FTCODE decryptor.\r\nNote #1: this must be considered a beta version of the script; the author assumes no responsibility for\r\nany damage caused by running it.\r\nNote #2: currently the malware sends the password both as plain and cypher text; we believe the\r\nbehavior may change soon as the malware is updated, and the plain text form may not be available\r\nanymore.\r\nNote #3: decrypting files with an incorrect password may make them unrecoverable; so, we recommend\r\ntaking a backup of the files before running the script.\r\nWhy should a password-based decryptor be useful?\r\nSince the first observed campaigns, documented in this article, we have noticed that FTCODE was sending the\r\npassword in plaintext within the body of an HTTP post request to the C\u0026C. Once implemented the relevant\r\nSuricata signatures, I decided to develop this tool internally, in order to make the decryption operation feasible. In\r\nall of the cases we had the opportunity to put hands on, we were able to recover the encrypted files up to version\r\n1018.1.\r\nNetwork Traffic\r\nIn order to be able to decrypt the files successfully, it is necessary to intercept the contents of the POST request\r\nthat the malware sends to the C\u0026C at infection time; an example of such request follows:\r\nhttps://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/\r\nPage 1 of 3\n\next = extension of encrypted files ek = password in plain text r1 = Base64 chunk containing the encrypted\r\npassword\r\nIn order to intercept the POST request, we developed the following Suricata signature, and deployed it to our\r\nnetwork monitoring system:\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"CERTEGO TROJAN FTCODE Registration Request (m.bompani)\";\r\nflow:to_server; content:\"POST\"; http_method; content:\"ext=\";\r\nhttp_client_body; content:\"guid=\";\r\nhttp_client_body; content:\"ek=\"; http_client_body; classtype:trojan-activity; sid:9000931; rev:1;)\r\nWhat does the tool do?\r\nGiven the extension and the password, the tool is able to recursively decrypt the encrypted files in all the mounted\r\ndisks or in a given path.\r\nIt offers the following features.\r\nIn-memory fileless utilization: it is possible by wrapping the script in a function, leveraging the built-in\r\nPowerShell cmdlet Invoke-Expression\r\nLogger: it traces the activities carried out, leveraging two cmdlets described at Start/Stop Transcript\r\nBackup: it backs up all the files that the tool will try to decrypt.\r\nSome options were added to the script for possible future uses.\r\nAdditional details\r\nFor further technical details and demonstrations, please refer to the official github project FTdecryptor\r\nhttps://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/\r\nPage 2 of 3\n\nFor further FTCODE details, please refer to this article FTCODE article\r\nAuthor:\r\nGabriele Pippi, Threat Research Lead Engineer\r\nSource: https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/\r\nhttps://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/"
	],
	"report_names": [
		"ftdecryptor-a-simple-password-based-ftcode-decryptor"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439140,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/609e0b5351ac397199cdfb45c6d91ad22b607738.pdf",
		"text": "https://archive.orkl.eu/609e0b5351ac397199cdfb45c6d91ad22b607738.txt",
		"img": "https://archive.orkl.eu/609e0b5351ac397199cdfb45c6d91ad22b607738.jpg"
	}
}