{
	"id": "a02d94c8-db52-41c7-ae95-09a17268c96b",
	"created_at": "2026-04-06T00:19:15.401773Z",
	"updated_at": "2026-04-10T03:21:58.894315Z",
	"deleted_at": null,
	"sha1_hash": "72120246efcae9b3e5ff4ce2377221e3d205c874",
	"title": "MalwareAnalysisReports/WikiLoader/WikiLoader Shellcode pt3.md at main · VenzoV/MalwareAnalysisReports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 338191,
	"plain_text": "MalwareAnalysisReports/WikiLoader/WikiLoader Shellcode pt3.md at main · VenzoV/MalwareAnalysisReports\r\nBy VenzoV\r\nArchived: 2026-04-05 17:00:14 UTC\r\nSummary part 2\r\nLoading bingmaps.dll\r\nLong busy loop to slow down execution.\r\nRetrieves the API once again via PEB walking.\r\nFunction used to load API from: Kernel32.dll\r\nFunction used to load native API to perform indirect syscalls: ntdll.dll\r\nChecks if native calls are hooked.\r\nA new thread is created and execution is switched to it; the thread points into bingmaps.dll and jumps back and forth to the shellcode.\r\nAnti-analysis checks for common malware analysis tools (x64dbg.exe, pe-bear, process hacker etc.)\r\nShellcode is written into explorer.exe\r\nOverview\r\nOverwrites PEB structure\r\nCreates a mutex 330117\r\nDynamically loads API\r\nDeobfuscation of strings through even-positioned characters.\r\nGathers system information to send to C2\r\nC2 requests look for a GMAIL tag for extra data (decryption key)\r\nData blob is decrypted and execution is switched to the new location.\r\nString \"Obfuscation\"\r\nThe obfuscation is simple: the real string consists of the characters sitting at even positions, i.e. positions 0, 2, 4, 6, etc.\r\nhttps://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt3.md\r\nPage 1 of 9\r\nWe can easily extract the strings and write a short Python script to deobfuscate them all in one go.\r\nDeobfuscated strings:\r\nWriteProcessMemory\r\nDeleteFileA\r\nVirtualAlloc\r\nCookie: jfkUg=75888210\r\nGetComputerNameExA\r\nLoadLibraryA\r\nFreeLibrary\r\nWininet.dll\r\nInternetOpenA\r\nInternetConnectA\r\nHttpOpenRequestA\r\nHttpAddRequestHeadersA\r\nHttpSendRequestA\r\nHttpEndRequestA\r\nInternetReadFile\r\nInternetCloseHandle\r\nMozilla/5.0 (Linux; U; Android 4.0.3; en-gb; KFTT Build/IML74K) AppleWebKit/537.36 (KHTML, like Gecko) Silk/3.68\r\nCrypt32.dll\r\nBCryptGenRandom\r\nBcrypt.dll\r\nCryptStringToBinaryA\r\nCryptBinaryToStringA\r\nVirtualFree\r\nVirtualProtect\r\nGetTickCount64\r\nSleep\r\nGetSystemTime\r\nwsprintfA\r\nGetComputerNameA\r\nGetUserNameA\r\nIsUserAnAdmin\r\nIsWindowsServer\r\nGetUserDefaultUILanguage\r\nRtlGetVersion\r\nGetVersionExA\r\nAdvapi32.dll\r\nShell32.dll\r\nUser32.dll\r\n301\r\nCreateMutexA\r\nGetLastError\r\nlstrlenA\r\nlstrlenW\r\nBCryptOpenAlgorithmProvider\r\nBCryptGetProperty\r\nBCryptSetProperty\r\nBCryptGenerateSymmetricKey\r\nBCryptDecrypt\r\nBCryptDestroyKey\r\nBCryptCloseAlgorithmProvider\r\nMutex\r\nUsing a similar method to load the API, the malware retrieves GetProcAddress() from the PEB. It then loads CreateMutexA and attempts to create a mutex with the value 330117. It then calls GetLastError() and checks for error code 183, which equates to ERROR_ALREADY_EXISTS.\r\nHost Information Gathering\r\nInside the main block of the code, some system checks are performed. The information gathered is appended into a memory section, in preparation to be sent out. Also, with this information a random number of length 48 is generated; this is done by loading Bcrypt.dll and calling BCryptGenRandom().\r\nThe following APIs are called to check the system:\r\nGetComputerNameExA -\u003e returned empty, so \"-\" is appended to the buffer that holds the random number.\r\nGetComputerNameA -\u003e appends the computer name\r\nGetUserNameA\r\nIsUserAnAdmin -\u003e appends 1 if the user is admin, otherwise 0.\r\nGetUserDefaultUILanguage\r\nwsprintfA -\u003e appends the IsUserAnAdmin \u0026 GetUserDefaultUILanguage results\r\nGetSystemTime\r\nwsprintfA -\u003e appends the system time\r\nMemory section containing all the data:\r\nThe above function mw_w_GenRandom works as a wrapper function for BCryptGenRandom().\r\nBefore moving to the network function, the string seen above is converted to BASE64 with CryptBinaryToStringA(). Similar to BCryptGenRandom(), this is also located in a wrapper function that loads the DLL and then resolves the function.\r\nC2 Connection\r\nThe malware attempts to connect to the 8 hard-coded URLs and read the page. This next part is the same as the Proofpoint research mentioned in the references. Basically, the pages contain a tag containing the string \"gmail\"; inside it there is another obfuscated URL which points to the next-stage payload. For me, at the moment none of the URLs are working and have that tag.\r\nThe requests are made to the URLs with the cookie header Cookie: jfkUg=75888210 + [BASE64 ENCODED SYSTEM DATA].\r\nCurrently the gmail tags are empty:\r\nDecryption Routine\r\nAfter reaching out to the C2 there is one other interesting function. This function seems to load BCrypt.dll and perform some decryption on a large data section contained in the shellcode. The same BCrypt.dll APIs are called as in part 1. Tracing back from BCryptGenerateSymmetricKey(), it seems the key is actually obtained from the results of the URL connections. If successful, a JMP to the newly deobfuscated code is made.\r\nEnding\r\nUnfortunately, I was not able to go further due to not being able to get the information needed from the C2. I will maybe go back or look for other samples going forward to see the final part. Mostly all the flow is the same as ProofPoint's analysis referenced below. Thank you for your time.\r\nReferences\r\nhttps://bazaar.abuse.ch/sample/bef04e3b2b81f2dee39c42ab9be781f3db0059ec722aeee3b5434c2e63512a68/\r\nhttps://www.unpac.me/results/612d6d2c-c45d-47ba-a2bb-a218ec753d3f\r\nhttps://twitter.com/Cryptolaemus1/status/1747394506331160736\r\nhttps://www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion\r\nhttps://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/pebteb/peb/index.htm\r\nhttps://mohamed-fakroud.gitbook.io/red-teamings-dojo/shellcoding/leveraging-from-pe-parsing-technique-to-write-x86-shellcode\r\nSource: https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt3.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/VenzoV/MalwareAnalysisReports/blob/main/WikiLoader/WikiLoader%20Shellcode%20pt3.md"
	],
	"report_names": [
		"WikiLoader%20Shellcode%20pt3.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72120246efcae9b3e5ff4ce2377221e3d205c874.pdf",
		"text": "https://archive.orkl.eu/72120246efcae9b3e5ff4ce2377221e3d205c874.txt",
		"img": "https://archive.orkl.eu/72120246efcae9b3e5ff4ce2377221e3d205c874.jpg"
	}
}