{
	"id": "97c3aca0-4c9e-488d-813f-4d2fdd9362b0",
	"created_at": "2026-04-06T00:16:37.199358Z",
	"updated_at": "2026-04-10T13:11:58.412947Z",
	"deleted_at": null,
	"sha1_hash": "7edc67f7b3780a18dddfc85f0c8968cd105aa851",
	"title": "BackDoor.Spyder.1 — Dr.Web Malware description library",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020901,
	"plain_text": "BackDoor.Spyder.1 — Dr.Web Malware description library\r\nPublished: 2020-03-01 · Archived: 2026-04-05 21:57:09 UTC\r\nPacker: absent\r\nCompilation date: 01.12.2016 05:57:59\r\nSHA1 hash:\r\n4c871eae022c8088f6e8d46e17002cd0c0006650\r\nDescription\r\nA backdoor written in C++ and designed to run on 64-bit Microsoft Windows operating systems. It is used in\r\ntargeted attacks on information systems: it collects information about the infected device, loads functional\r\nmalicious modules, coordinates their work, and maintains communication with the C\u0026C server. On the infected\r\nsystem it exists as a DLL file that is loaded into a system service by DLL hijacking; once loaded, the payload runs\r\nentirely in the computer's RAM.\r\nOperating routine\r\nThe backdoor is a malicious DLL file. The function names in its export table duplicate the exported functions of\r\nthe apphelp.dll system library.\r\nOn the infected computer, the backdoor file was located at C:\\Windows\\System32\\oci.dll. The file's\r\noriginal name recorded in the export table is dll. It was loaded by the MSDTC system service (Microsoft\r\nDistributed Transaction Coordinator) using the DLL hijacking method.\r\nhttps://vms.drweb.com/virus/?i=23648386\r\nPage 1 of 22\n\nFrom a functional point of view, the sample is a loader for the main payload, which is stored in the .data section as\r\na DLL with some elements of the DOS and PE headers zeroed.\r\nThe loader operation\r\nLoading is performed in a function designated as malmain_3, which is called from the DLL entry point via two\r\nintermediate functions.\r\nFirst, the header signatures are checked. 
If they are not standard, the ERROR_BAD_EXE_FORMAT error value\r\nis set; however, this does not affect the loader operation in any way, so the zeroed signatures of the embedded\r\npayload (see below) do not stop it from being loaded.\r\nThe memory for the image is then allocated according to the\r\nIMAGE_NT_HEADERS64.OptionalHeader.SizeOfImage value, and the loader_struc auxiliary structure is\r\nformed.\r\nstruct loader_struc\r\n{\r\n IMAGE_NT_HEADERS64 *pPE_header;\r\n LPVOID ImageBase;\r\n HMODULE *p_imported_modules;\r\n QWORD number_of_imported_modules;\r\n HMODULE (__stdcall *pLoadLibrary)(LPCSTR lpLibFileName);\r\n FARPROC (__stdcall *pGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);\r\n BOOL (__stdcall *pFreeLibrary)(HMODULE hLibModule);\r\n QWORD unk;\r\n};\r\nThis is followed by the standard manual loading of the PE module into memory and a call to the loaded module's\r\nentry point (DllMain) with the DLL_PROCESS_ATTACH argument; after it returns, DllMain is called again with\r\nDLL_PROCESS_DETACH.\r\nThe main module operation\r\nIn the main module, the values of all signatures required for correct loading of the file are zero:\r\nIMAGE_DOS_HEADER.e_magic\r\nIMAGE_NT_HEADERS64.Signature\r\nIMAGE_NT_HEADERS64.OptionalHeader.Magic\r\nIn addition, TimeDateStamp and the section names are also zero. The remaining values are correct, so after\r\nmanually restoring the necessary signatures, the file can be loaded for analysis as a proper PE module.\r\nAnalysis of the main module is complicated by the periodic use of atypical ways of calling functions.\r\nThe UT hash (uthash) library is used for storing and processing structures. It allows standard C structures to\r\nbe turned into hash tables by adding a single member of the UT_hash_handle type. 
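Returning to the zeroed header fields of the embedded payload listed above: the following Python script is an added example, not code from the Dr.Web description or from the sample. It carves a PE32+ image whose e_magic, NT Signature and OptionalHeader.Magic are zero out of a section dump and writes the three signatures back, which is the manual repair the text describes. The detection rule (zeroed signatures, intact FileHeader with Machine 0x8664 and SizeOfOptionalHeader 0xF0) and the offsets are standard PE layout; the function names are mine, and the input at the bottom is a synthetic header constructed for the demonstration, not bytes from the sample.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE', 0, 0
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_MACHINE_AMD64 = 0x8664
SIZEOF_OPTIONAL_HEADER64 = 0xF0

def find_stripped_pe64(data):
    '''Offsets in data where a PE32+ image with zeroed e_magic, Signature and
    OptionalHeader.Magic starts. The intact FileHeader (Machine, SizeOfOptionalHeader)
    is what still gives the image away once the signatures are gone.'''
    hits = []
    for off in range(0, len(data) - 0x40 + 1):
        if data[off] or data[off + 1]:          # e_magic must be zero, otherwise it is not stripped
            continue
        e_lfanew = struct.unpack_from('<I', data, off + 0x3C)[0]
        nt = off + e_lfanew
        if e_lfanew < 0x40 or e_lfanew > 0x400 or nt + 26 > len(data):
            continue
        # Signature + IMAGE_FILE_HEADER + OptionalHeader.Magic = 4 + 20 + 2 bytes
        sig, machine, nsec, _ts, _sym, _nsym, size_opt, _chars, magic = struct.unpack_from('<IHHIIIHHH', data, nt)
        if (sig == 0 and machine == IMAGE_FILE_MACHINE_AMD64 and 1 <= nsec <= 32
                and size_opt == SIZEOF_OPTIONAL_HEADER64 and magic == 0):
            hits.append(off)
    return hits

def repair_pe64_signatures(blob):
    '''Write back e_magic, NT Signature and OptionalHeader.Magic; nothing else is changed.
    Returns (fixed_bytes, report); the report records the old field values and SizeOfImage.'''
    img = bytearray(blob)
    if len(img) < 0x40:
        raise ValueError('too small for a DOS header')
    nt = struct.unpack_from('<I', img, 0x3C)[0]          # e_lfanew
    opt = nt + 4 + 20                                     # optional header follows Signature + FileHeader
    if opt + SIZEOF_OPTIONAL_HEADER64 > len(img):
        raise ValueError('e_lfanew points outside the buffer')
    machine = struct.unpack_from('<H', img, nt + 4)[0]
    size_opt = struct.unpack_from('<H', img, nt + 20)[0]
    if machine != IMAGE_FILE_MACHINE_AMD64 or size_opt != SIZEOF_OPTIONAL_HEADER64:
        raise ValueError('FileHeader does not describe a PE32+ image')
    report = {
        'e_magic': struct.unpack_from('<H', img, 0)[0],
        'Signature': struct.unpack_from('<I', img, nt)[0],
        'OptionalHeader.Magic': struct.unpack_from('<H', img, opt)[0],
        'SizeOfImage': struct.unpack_from('<I', img, opt + 56)[0],   # what the loader allocates
    }
    struct.pack_into('<H', img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', img, nt, IMAGE_NT_SIGNATURE)
    struct.pack_into('<H', img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    return bytes(img), report

def build_stripped_pe64_sample():
    '''Constructed test input (not from the sample): headers of a 3-section PE32+ DLL with
    e_magic, Signature, TimeDateStamp and OptionalHeader.Magic all zero, SizeOfImage 0x5000.'''
    img = bytearray(0x40 + 4 + 20 + SIZEOF_OPTIONAL_HEADER64)
    struct.pack_into('<I', img, 0x3C, 0x40)                                # e_lfanew
    struct.pack_into('<HHIIIHH', img, 0x44, IMAGE_FILE_MACHINE_AMD64, 3, 0, 0, 0,
                     SIZEOF_OPTIONAL_HEADER64, 0x2022)                     # FileHeader, TimeDateStamp = 0
    struct.pack_into('<I', img, 0x58 + 56, 0x5000)                         # OptionalHeader.SizeOfImage
    return bytes(img)

def carve_and_repair(section_data):
    '''Carve every stripped image from a .data dump and return (repaired_blob, report) pairs.'''
    return [repair_pe64_signatures(section_data[off:]) for off in find_stripped_pe64(section_data)]

if __name__ == '__main__':
    fake_data_section = bytes(0x100) + build_stripped_pe64_sample() + bytes(0x40)
    for fixed, rep in carve_and_repair(fake_data_section):
        print(fixed[:2], fixed[0x40:0x44], rep)
```

Run it against the raw bytes of the loader's .data section (for example data = open(path, 'rb').read()); every hit is a candidate payload, and the report shows the original zeroed values and the SizeOfImage the loader will allocate. TimeDateStamp and the section names stay zero, since nothing in the image can recover them.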
All library functions, such as adding elements,\r\nsearch, delete, etc., are implemented as macros, so the compiler inlines them into the code of the calling\r\nfunction (there are no uthash call targets to label; the inlined bodies have to be recognised by their shape).\r\nThe mbedtls library is used to interact with the C\u0026C server.\r\nDllMain function\r\nAt the beginning of execution, the Global\\\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f45853} event,\r\nthe execution mode (from the configuration), and the command line are checked, then the operating threads are\r\nstarted.\r\nThe module has an embedded configuration with the following structure:\r\nstruct cfg_c2_block\r\n{\r\n int type;\r\n char field_4[20];\r\n char addr[256];\r\n};\r\nstruct cfg_proxy_data\r\n{\r\n DWORD dw;\r\n char str[256];\r\n char proxy_server[256];\r\n char username[64];\r\n char password[32];\r\n char unk[128];\r\n};\r\nstruct builtin_config\r\n{\r\n int exec_mode;\r\n char url_C2_req[100];\r\n char hash_id[20];\r\n char string[64];\r\n char field_BC;\r\n cfg_c2_block srv_1;\r\n cfg_c2_block srv_2;\r\n cfg_c2_block srv_3;\r\n cfg_c2_block srv_4;\r\n cfg_proxy_data proxy_1;\r\n cfg_proxy_data proxy_2;\r\n cfg_proxy_data proxy_3;\r\n cfg_proxy_data proxy_4;\r\n int CA_cert_len;\r\n char CA_cert[CA_cert_len];\r\n};\r\nThe hash_id field holds a value that can serve as an identifier. It is used when communicating with the C\u0026C\r\nserver and can be represented as the string b2e4936936c910319fb3d210bfa55b18765db9cc, which has the same\r\nlength as a SHA1 hash.\r\nThe string field contains the single-character string 1.\r\nCA_cert is a certificate-authority certificate in DER format. 
It is used to establish a connection to the\r\nC\u0026C server over the TLS 1.2 protocol; the certificate itself is reproduced in the notes to this description. It is\r\nself-signed (Issuer and Subject match, and the Authority Key Identifier equals the Subject Key Identifier), so the\r\ntrust anchor for the C\u0026C connection is the one carried in the configuration rather than anything in the Windows\r\ncertificate store.\r\nDepending on a number of conditions, the DllMain function creates several operating threads:\r\nMain thread — thread_1_main\r\nNew server request thread — thread_2_get_new_C2_start_communication\r\nEncrypted module execution thread — thread_4_execute_encrypted_module\r\nFor execution, the value of the builtin_config.exec_mode parameter must be non-zero:\r\nif builtin_config.exec_mode is 1 or 2 and the process command line contains the -k netsvcs\r\nsubstring, the main thread and the thread for getting the new C\u0026C server address are started;\r\nif builtin_config.exec_mode is 2, a thread that decrypts and runs the module stored on the system\r\nis also started;\r\nif the value is 3, the main thread and the thread for getting the new C\u0026C server address are started.\r\nIn the examined sample, the value of the exec_mode parameter is 3.\r\nThe main thread\r\nFirst, the backdoor checks the OS version, then prepares a structure for initializing functions and a structure for\r\nstoring certain configuration fields. The procedure looks artificially complicated.\r\nThree function pointers are placed in a funcs_struc structure of type funcs_1; they are called in turn inside\r\nthe init_global_funcs_and_allocated_cfg function.\r\nIn the set_global_funcs_by_callbacks function, each initializer function is called in turn.\r\nThe general order of structure forming is as follows:\r\n1. Two structures are passed to each function: the first contains pointers to some functions; the second is\r\nempty.\r\n2. Each function transfers function pointers from one structure to another.\r\n3. 
After calling the initializer function, the function pointers are moved from the local structure to the global\r\narray of structures at a certain index.\r\nAs a result of all these unusual transformations, a certain number of global structures combined into a\r\nsingle array remain.\r\nUltimately, the function call can be represented as in the illustration of the original description.\r\nThe use of complex transformations, such as copying local structures that hold function pointers and transferring\r\nthem to global structures, is probably intended to complicate analysis of the sample.\r\nThe backdoor then uses the UT hash library to build a hash table of service structures responsible for storing\r\nthe network connection context, connection parameters, etc.\r\nA fragment of the hash table generation code is shown in the illustration of the original description.\r\nIt is worth noting that the hash table contains a signature value that allows one to determine the library used:\r\ng_p_struc_10-\u003ehh.tbl-\u003esignature = 0xA0111FE1;. This is uthash's HASH_SIGNATURE constant, so searching a\r\nbinary or a memory dump for the 32-bit value 0xA0111FE1 is a quick way to confirm that uthash tables are present.\r\nThe backdoor in question is characterized by the distribution of relevant fields and data across several structures\r\ncreated specifically for this purpose. 
This feature makes it difficult to create meaningful names for structures\r\nduring analysis.\r\nAfter the preparatory steps, the backdoor proceeds to initialize the connection to the C\u0026C server.\r\nInitializing the connection to the C\u0026C server\r\nIt is noteworthy that the program code associated with the network connection contains its own error codes in\r\naddition to those of the mbedtls library. The codes are grouped in decimal blocks (0x1392 = 5010, 0x5208 = 21000,\r\n0x59D8 = 23000, 0x61A8 = 25000, 0x6590 = 26000), the usual sign of per-subsystem error ranges defined in source\r\nand a handy pattern to match in other builds.\r\nA list of error codes found in the sample:\r\nenum ERROR_CODES\r\n{\r\n ERROR_CODE_1392 = 0x1392,\r\n ERROR_BAD_ARGS = 0x5208,\r\n ERROR_CODE_520B = 0x520B,\r\n ERROR_CODE_520D = 0x520D,\r\n ERROR_CODE_59D8 = 0x59D8,\r\n ERROR_CODE_59DB = 0x59DB,\r\n ERROR_CODE_59DC = 0x59DC,\r\n ERROR_INVALID_ARGUMENT = 0x59DE,\r\n ERROR_CODE_59DF = 0x59DF,\r\n ERROR_CODE_61A8 = 0x61A8,\r\n ERROR_BAD_ALLOCATION = 0x61A9,\r\n ERROR_BAD_PACKET_SIGNATURE = 0x61AA,\r\n ERROR_CODE_61AB = 0x61AB,\r\n ERROR_CODE_61AC = 0x61AC,\r\n ERROR_CODE_61AD = 0x61AD,\r\n ERROR_CODE_61AF = 0x61AF,\r\n ERROR_CODE_61B0 = 0x61B0,\r\n ERROR_CODE_61B1 = 0x61B1,\r\n ERROR_BUFFER_NOT_EMPTY = 0x61B2,\r\n ERROR_CODE_6590 = 0x6590,\r\n ERROR_CODE_6592 = 0x6592,\r\n ERROR_BAD_ALLOC = 0x6593,\r\n};\r\nAfter a series of preparatory actions, the backdoor resolves the address of the C\u0026C server stored in the\r\nconfiguration and retrieves the port. Addresses in the configuration are stored as host:port strings: koran.junlper[.]com:80\r\nand koran.junlper[.]com:443. Next, the program creates a TCP socket for the connection, then creates a\r\ncontext for the secure connection and performs a TLS handshake.\r\nAfter establishing the secure connection, the backdoor expects a packet with a command from the C\u0026C server. 
The\r\nprogram works with two packet formats:\r\nThe packet obtained after TLS processing is a \"transport\" packet.\r\nThe packet obtained after processing the transport packet is a \"data\" packet. It contains the command ID\r\nand additional data.\r\nThe transport packet header is represented by the following structure.\r\nstruct transport_packet_header\r\n{\r\n DWORD signature;\r\n WORD compressed_len;\r\n WORD uncompressed_len;\r\n};\r\nThe data follows the header and is compressed with the LZ4 algorithm. The backdoor checks the value of the\r\nsignature field, which must equal 0x573F0A68. The 16-bit length fields limit a single transport packet to 64 KiB;\r\nthe debug strings of the 32-bit build listed in the notes ([jmp] big packet ...) indicate that larger transfers, such as\r\nmodule bodies, are reassembled from several packets.\r\nAfter unpacking, the resulting data packet has a header in the following format.\r\nstruct data_packet_header\r\n{\r\n WORD tag;\r\n WORD id;\r\n WORD unk_0;\r\n BYTE update_data;\r\n BYTE id_part;\r\n DWORD unk_1;\r\n DWORD unk_2;\r\n DWORD len;\r\n};\r\nThe tag and id fields together define the backdoor action, i.e. they denote the command ID.\r\nThese header structures are used in both directions of the exchange.\r\nThe order of processing server commands:\r\nClient verification\r\nSending the information about the infected system\r\nProcessing commands by IDs\r\nA variable in the structure responsible for communicating with the C\u0026C server stores the state of the dialog, so\r\nthe first two steps must be completed before any command is executed; together they can be considered a second\r\nhandshake on top of TLS.\r\nThe verification step\r\nFor the verification step, the tag and id fields of the first packet received from the C\u0026C server must both\r\nequal 1.\r\nThe verification process is as follows:\r\n1. The backdoor forms a buffer from the 8-byte array that follows the packet header and the hash_id field\r\ntaken from the configuration. 
The result can be represented as the structure:\r\nstruct buff\r\n{\r\n BYTE packet_data[8];\r\n BYTE hash_id[20];\r\n};\r\n2. The SHA1 hash of the data in the resulting buffer is calculated. The result is placed in the packet (after the\r\nheader) and sent to the server.\r\nThis is a challenge-response: the 8 bytes are the server's challenge (the 32-bit build logs it as\r\n[Spyder] receive challenge = %I64X, i.e. as one 64-bit value), and producing SHA1(challenge || hash_id) proves\r\nknowledge of the configured hash_id, which therefore acts as a shared secret between the build and its C\u0026C\r\nserver rather than as a mere identifier.\r\nSending system information\r\nThe next packet received from the C\u0026C server must have the tag value equal to 5 and the id value equal to 3. The\r\nsystem data is formed as a sysinfo_packet_data structure.\r\nstruct session_info\r\n{\r\n DWORD id;\r\n DWORD State;\r\n DWORD ClientBuildNumber;\r\n BYTE user_name[64];\r\n BYTE client_IPv4[20];\r\n BYTE WinStationName[32];\r\n BYTE domain_name[64];\r\n};\r\n \r\nstruct sysinfo_block_2\r\n{\r\n WORD field_0;\r\n WORD field_2;\r\n WORD field_4;\r\n WORD system_def_lang_id;\r\n WORD user_def_lang_id;\r\n DWORD timezone_bias;\r\n DWORD process_SessionID;\r\n BYTE user_name[128];\r\n BYTE domain_name[128];\r\n DWORD number_of_sessions;\r\n session_info sessions[number_of_sessions];\r\n};\r\n \r\nstruct sysinfo_block_1\r\n{\r\n DWORD unk_0; //0\r\n DWORD bot_id_created;\r\n DWORD dw_const_0; //0x101\r\n DWORD os_version;\r\n WORD dw_const_2; //0x200\r\n BYTE cpu_arch;\r\n BYTE field_13;\r\n DWORD main_interface_IP;\r\n BYTE MAC_address[20];\r\n BYTE bot_id[48];\r\n WCHAR computer_name[128];\r\n BYTE cfg_string[64];\r\n WORD w_const; //2\r\n WORD sessions_size;\r\n};\r\n \r\nstruct sysinfo_packet_data\r\n{\r\n DWORD id;\r\n sysinfo_block_1 block_1;\r\n sysinfo_block_2 block_2;\r\n};\r\nThe sysinfo_packet_data.id field contains the constant 0x19C0001.\r\nThe sysinfo_packet_data.block_1.bot_id value is extracted from the registry. 
The backdoor looks for it in the\r\ninstance value of the SOFTWARE\\Clients\\Mail\\Hotmail\\backup key, which, depending on the\r\nprivileges, may reside under HKLM or HKCU.\r\nIf the value is missing, a random GUID is generated using UuidCreate, formatted as a string of the form\r\nXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX and saved. If the ID already existed, the\r\nsysinfo_packet_data.block_1.bot_id_created parameter is set to 1; if the ID was just created, it is set to 2. The\r\nregistry value is a persistent per-host artifact and a useful host-based indicator to hunt for under both hives.\r\nThe sysinfo_packet_data.block_1.cpu_arch parameter value:\r\n1 — x86\r\n2 — x64\r\nThe way the backdoor determines the MAC address and IP address is noteworthy. First, the\r\nprogram searches for the network interface through which the largest number of packets has passed, then gets its\r\nMAC address and looks up the IP address of that interface.\r\nThe OS version is encoded as a value from 1 to 13 (0 if an error occurs), starting with 5.0 and ascending through\r\nthe versions.\r\nThe sysinfo_packet_data.block_1.cfg_string field contains the string value from the backdoor configuration,\r\nwhich is equal to the character 1.\r\nProcessing commands\r\nAfter the verification step and sending the system information, BackDoor.Spyder.1 begins processing the main\r\ncommands. Unlike most backdoors, whose commands are quite specific (fetch a file, create a process, etc.), in\r\nthis instance they are more of a service nature and represent instructions for storing and structuring the received\r\ndata. In fact, all these service commands are aimed at loading new modules in PE format, storing them, and\r\ncalling certain exported functions. 
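Before the command table, here is the packet layer and the verification step described above in code, as an added example that is not part of the original description and not the backdoor's own code. It implements the transport_packet_header and data_packet_header layouts (little-endian, no padding), a bounds-checked raw LZ4 block decoder, and SHA1(challenge || hash_id) for the (tag=1, id=1) exchange. The description says the payload is LZ4-packed and carries its own compressed/uncompressed lengths, so the raw LZ4 block format (no frame header) is assumed; the function names are mine, and the server packet at the bottom was constructed by hand for the demonstration.

```python
import hashlib
import struct

TRANSPORT_SIGNATURE = 0x573F0A68
TRANSPORT_HDR = struct.Struct('<IHH')       # signature, compressed_len, uncompressed_len
DATA_HDR = struct.Struct('<HHHBBIII')       # tag, id, unk_0, update_data, id_part, unk_1, unk_2, len
DATA_FIELDS = ('tag', 'id', 'unk_0', 'update_data', 'id_part', 'unk_1', 'unk_2', 'len')

def lz4_block_decompress(src, expected_len):
    '''Raw LZ4 block decoder (no frame header), bounds-checked so a hostile packet cannot
    read or write outside the buffers.'''
    dst = bytearray()
    i = 0
    while i < len(src):
        token = src[i]
        i += 1
        lit = token >> 4
        if lit == 15:                          # extended literal length
            while True:
                b = src[i]
                i += 1
                lit += b
                if b != 255:
                    break
        if i + lit > len(src):
            raise ValueError('literal run past end of block')
        dst += src[i:i + lit]
        i += lit
        if i >= len(src):
            break                              # the last sequence carries literals only
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError('match offset outside decoded data')
        mlen = (token & 0xF) + 4
        if (token & 0xF) == 15:                # extended match length
            while True:
                b = src[i]
                i += 1
                mlen += b
                if b != 255:
                    break
        for _ in range(mlen):                  # byte-wise copy handles overlapping matches
            dst.append(dst[-offset])
    if len(dst) != expected_len:
        raise ValueError('uncompressed_len does not match decoded size')
    return bytes(dst)

def lz4_block_compress_literals(data):
    '''Smallest valid LZ4 block for arbitrary data: one literal run, no matches.'''
    n = len(data)
    if n < 15:
        return bytes([n << 4]) + data
    out = bytearray([0xF0])
    n -= 15
    while n >= 255:
        out.append(255)
        n -= 255
    out.append(n)
    return bytes(out) + data

def unwrap_transport(packet):
    '''Check the transport signature and return the decompressed data packet.'''
    sig, clen, ulen = TRANSPORT_HDR.unpack_from(packet)
    if sig != TRANSPORT_SIGNATURE:
        raise ValueError('bad transport signature %#x' % sig)
    body = packet[TRANSPORT_HDR.size:TRANSPORT_HDR.size + clen]
    if len(body) != clen:
        raise ValueError('truncated transport packet')
    return lz4_block_decompress(body, ulen)

def wrap_transport(data_packet):
    body = lz4_block_compress_literals(data_packet)
    return TRANSPORT_HDR.pack(TRANSPORT_SIGNATURE, len(body), len(data_packet)) + body

def parse_data_packet(buf):
    hdr = dict(zip(DATA_FIELDS, DATA_HDR.unpack_from(buf)))
    return hdr, buf[DATA_HDR.size:DATA_HDR.size + hdr['len']]

def build_data_packet(tag, cmd_id, payload, unk_2=0):
    return DATA_HDR.pack(tag, cmd_id, 0, 0, 0, 0, unk_2, len(payload)) + payload

def verification_response(challenge, hash_id):
    '''Step 2 of the verification: SHA1 over the 8 challenge bytes followed by the 20-byte hash_id.'''
    if len(challenge) != 8 or len(hash_id) != 20:
        raise ValueError('challenge must be 8 bytes and hash_id 20 bytes')
    return hashlib.sha1(challenge + hash_id).digest()

def handle_verification(transport_packet, hash_id):
    '''Consume the first server packet (tag == id == 1) and build the reply transport packet.'''
    hdr, payload = parse_data_packet(unwrap_transport(transport_packet))
    if (hdr['tag'], hdr['id']) != (1, 1) or hdr['len'] < 8:
        raise ValueError('expected verification packet with tag=1, id=1 and an 8-byte challenge')
    return wrap_transport(build_data_packet(1, 1, verification_response(payload[:8], hash_id)))

# hash_id of the analysed sample (from its configuration) and a constructed server packet:
# tag=1, id=1, len=8 followed by the challenge a1..a8, LZ4-compressed by hand (the run of
# zero bytes in the header is encoded as a match with offset 1, length 11).
SAMPLE_HASH_ID = bytes.fromhex('b2e4936936c910319fb3d210bfa55b18765db9cc')
SAMPLE_SERVER_PACKET = TRANSPORT_HDR.pack(TRANSPORT_SIGNATURE, 21, 28) + bytes.fromhex(
    '57' '0100010000' '0100' 'c0' '08000000' 'a1a2a3a4a5a6a7a8')
```

wrap_transport builds replies with a literal-only LZ4 block, which is valid LZ4 and enough for a 20-byte SHA1 reply; a real client would use a proper compressor. The same parse_data_packet / build_data_packet pair serves the command dispatch that follows, for instance a header-only packet with unk_2 = 0xFFFFFFFF is build_data_packet(tag, cmd_id, bytes(), unk_2=0xFFFFFFFF).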
It is worth noting that the modules and their information are stored in memory\r\nin the form of uthash hash tables.\r\ntag id Description\r\n6 1 Send the number of received modules to the server.\r\n6 2 Save the parameters of the received module in memory.\r\n6 3 Save the body of the module in memory.\r\n6 4 Load a previously saved module. The search is performed in the hash table by the ID obtained from the\r\n packet with the command. The module is loaded into memory, its entry point is called, then the addresses of\r\n its 4 exported functions are obtained and stored in a structure for later calls. Call exported function No. 1.\r\n6 5 Call exported function No. 4 of one of the loaded modules, then unload it.\r\n6 6 Send in response a packet consisting only of the data_packet_header header, in which the unk_2 field is\r\n 0xFFFFFFFF.\r\n6 7 Call exported function No. 2 of one of the loaded modules.\r\n6 8 Call exported function No. 3 of one of the loaded modules.\r\n5 2 Send information about the current connection parameters to the server.\r\n4 - Presumably, exported function No. 1 returns a table of function pointers, and this command calls one of\r\n those functions.\r\nBecause received modules are held only in memory, recovering them requires a memory capture of the hosting\r\nservice process.\r\nAfter processing each packet received from the server, the backdoor compares the difference between two\r\nGetTickCount results with a reference value; if it is exceeded, it sends the 0x573F0A68 signature value to the\r\nserver without any additional data or transformation, which amounts to a keep-alive.\r\nNew server request thread\r\nBackDoor.Spyder.1 can request the address of a new C\u0026C server if the url_C2_req URL is provided in the\r\nconfiguration. To request this URL, the program can use both the system proxy and the HTTP proxy provided in\r\nthe configuration. 
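The decoding of the response to this request, as an added example in Python (not the Dr.Web description's code and not the malware's): the response format the section goes on to describe is a Base64 string between the markers DZKS and DZJS, decoded and then passed to RtlDecompressBuffer. The description does not name the compression format handed to that API; LZNT1 (COMPRESSION_FORMAT_LZNT1) is assumed here and implemented inline so the script runs without Windows. The function names are mine, and the HTML response and compressed payload at the bottom are constructed for the demonstration, with a fictitious host name.

```python
import base64

START_MARKER, END_MARKER = 'DZKS', 'DZJS'

def lznt1_decompress(data):
    '''Decoder for the LZNT1 format of RtlDecompressBuffer (COMPRESSION_FORMAT_LZNT1).'''
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        hdr = data[i] | (data[i + 1] << 8)
        i += 2
        if hdr == 0:
            break                                   # terminating empty chunk header
        size = (hdr & 0xFFF) + 1
        if (hdr >> 12) & 7 != 3:
            raise ValueError('bad LZNT1 chunk signature')
        chunk = data[i:i + size]
        i += size
        if not hdr & 0x8000:
            out += chunk                            # stored (uncompressed) chunk
            continue
        cout = bytearray()
        j = 0
        while j < len(chunk):
            flags = chunk[j]
            j += 1
            for bit in range(8):
                if j >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    cout.append(chunk[j])           # literal byte
                    j += 1
                    continue
                token = chunk[j] | (chunk[j + 1] << 8)
                j += 2
                # The offset/length split depends on how much of the chunk is already decoded:
                # 4 offset bits while at most 16 bytes are out, one more bit each time that doubles.
                pos, l_mask, o_shift = len(cout) - 1, 0xFFF, 12
                while pos >= 0x10:
                    pos >>= 1
                    l_mask >>= 1
                    o_shift -= 1
                length = (token & l_mask) + 3
                offset = (token >> o_shift) + 1
                if offset > len(cout):
                    raise ValueError('LZNT1 back-reference before chunk start')
                for _ in range(length):             # byte-wise copy, overlap is allowed
                    cout.append(cout[-offset])
        out += cout
    return bytes(out)

def extract_new_c2(http_body):
    '''Pull the DZKS...DZJS blob out of a fetched page, Base64-decode and decompress it,
    and return (host, port). Raises ValueError if the markers or the payload are malformed.'''
    start = http_body.find(START_MARKER)
    end = http_body.find(END_MARKER, start + len(START_MARKER)) if start >= 0 else -1
    if start < 0 or end < 0:
        raise ValueError('markers not found')
    blob = http_body[start + len(START_MARKER):end].strip()
    raw = base64.b64decode(blob, validate=True)
    text = lznt1_decompress(raw).split(bytes(1))[0].decode('ascii')   # stop at a NUL if present
    host, sep, port = text.rpartition(':')
    if not sep or not port.isdigit():
        raise ValueError('decompressed payload is not host:port')
    return host, int(port)

# Constructed payload (not captured traffic): one hand-built LZNT1 chunk that decodes to
# c2.example.example.net:443; the repeated example. is a back-reference (offset 8, length 8).
SAMPLE_LZNT1 = bytes.fromhex(
    '16b0'                  # chunk header: compressed, signature 3, 23 data bytes
    '00' '63322e6578616d70'  # flags 0x00, eight literals: c2.examp
    '08' '6c652e'            # flags 0x08: literals l e . then a pointer token ...
    '0570'                   # ... offset 8, length 8 (split: 4 offset bits at this position)
    '6e65743a'               # literals n e t :
    '00' '343433')           # flags 0x00, literals 4 4 3
SAMPLE_RESPONSE = '<html><body>DZKS' + base64.b64encode(SAMPLE_LZNT1).decode() + 'DZJS</body></html>'

if __name__ == '__main__':
    print(extract_new_c2(SAMPLE_RESPONSE))
```

An LZNT1 stream is a sequence of chunks, each with a 2-byte header (bit 15 compressed, bits 12-14 signature 3, bits 0-11 size minus one); inside a compressed chunk each flag byte governs the next eight tokens, and a back-reference token splits into offset and length bits according to how much of the chunk is already decoded. The decoder rejects bad chunk signatures and back-references that point before the chunk start, which is the check that matters most for data fetched from an operator-controlled page.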
The request is made using the InternetOpenUrlA function (WinINet API).\r\nThe response must contain a Base64-encoded string between two markers, DZKS and DZJS. It should be noted that a\r\nsimilar algorithm and the same markers were used in the PlugX family (BackDoor.PlugX.28 and BackDoor.PlugX.38).\r\nThe decoded string is decompressed using the RtlDecompressBuffer function, yielding the address of the new\r\nC\u0026C server and the port to connect to. Since url_C2_req can point at any page the operator controls, the two\r\nmarkers are the strings to search for when hunting for such update pages.\r\nEncrypted module execution thread\r\nIf the exec_mode configuration parameter is set to 2 and the command line contains -k netsvcs, the backdoor\r\ncreates a separate thread to execute a module stored in a file.\r\nTo do this, the backdoor first looks for the file C:\\Windows\\System32\\1.update. If the file exists, the\r\nprogram reads and decrypts it.\r\nThis file contains the path to an encrypted file containing a DLL module, which the backdoor reads, decrypts, and\r\nloads.\r\nFeatures of the x86 version\r\nThe version of the backdoor designed to run on 32-bit Microsoft Windows operating systems is detected by\r\nDr.Web as BackDoor.Spyder.3 (83e47dbe20882513dfd1453c4fcfd99d3bcecc3d). The main difference of this\r\nmodification is the presence of debug messages.\r\nMessages are written to the log file %WINDIR%\\temp\\deskcpl.ttf. Depending on the\r\ninitialization parameters, they are either output with OutputDebugStringA or encrypted with a simple XOR\r\nwith the byte 0x62 (XORing every byte of the file with 0x62 again recovers the plaintext log).\r\nMessages related to communication with the C\u0026C server and command processing are output using the\r\nOutputDebugStringA function. 
It is noteworthy that for such messages, the [Spyder] prefix is used.\r\nNotes\r\nBelow is the information about the CA_cert certificate used to establish the connection with the C\u0026C server. It\r\nis self-signed, with serial number 1 and a 4096-bit key, and borrows the name of the public SecureTrust CA root\r\n(which is a different, 2048-bit certificate issued in 2006), so its fingerprint, not its subject name, is what to match\r\non:\r\nSHA1 Fingerprint=BF:46:40:E4:AF:56:DB:E0:D0:86:6E:16:B0:3F:C7:23:77:26:14:31\r\nCertificate:\r\n Data:\r\n Version: 3 (0x2)\r\n Serial Number: 1 (0x1)\r\n Signature Algorithm: sha256WithRSAEncryption\r\n Issuer: CN = SecureTrust CA, O = SecureTrust Corporation, C = US\r\n Validity\r\n Not Before: Jan 1 00:00:00 2011 GMT\r\n Not After : Dec 31 23:59:59 2025 GMT\r\n Subject: CN = SecureTrust CA, O = SecureTrust Corporation, C = US\r\n Subject Public Key Info:\r\n Public Key Algorithm: rsaEncryption\r\n Public-Key: (4096 bit)\r\n Modulus:\r\n 00:bd:c3:26:8b:e1:37:7f:f0:fa:0a:0d:83:a7:dd:\r\n 22:31:14:83:08:d7:74:3b:31:08:84:ef:25:cf:2d:\r\n 44:fc:2d:54:77:0b:17:e2:70:4d:be:2f:c1:fc:ed:\r\n d9:6b:9e:db:60:28:27:c4:1e:6d:15:3d:dd:b9:43:\r\n 64:37:58:b4:bd:48:85:fa:d1:d6:f7:5a:33:eb:ec:\r\n b7:86:62:92:1f:89:d7:a4:bd:d3:1f:f3:18:9d:a4:\r\n 15:27:16:7b:26:9f:5c:53:87:bd:40:22:d2:5e:cd:\r\n ab:d5:6f:1d:ac:c3:0d:f1:d9:d5:f5:6a:d3:16:76:\r\n 58:df:f7:0b:20:0d:ed:7b:97:ae:66:0a:e6:cc:9f:\r\n 73:50:fb:ce:16:a6:dc:45:d0:2f:70:3e:c8:c8:59:\r\n 4d:c4:62:ec:b0:e9:01:9c:57:92:e4:78:83:4f:a6:\r\n ab:1b:94:45:ff:15:ed:dc:59:95:f3:71:22:9c:06:\r\n 38:bb:e6:0f:b3:ec:af:5b:bd:1a:2f:b1:7f:ce:c8:\r\n 4d:32:9f:8f:44:9b:ae:fc:e5:72:24:b4:3a:3b:f3:\r\n d0:79:30:79:a2:0e:bd:55:e9:cd:c0:4d:7e:07:fc:\r\n 37:b5:7f:69:be:d6:e3:37:ce:9e:ff:d2:05:e4:3c:\r\n 59:7e:f0:d4:ab:01:e4:7b:07:f6:a4:f0:e3:c3:7e:\r\n 58:07:2d:e8:96:9c:ac:8b:e6:dc:49:6a:51:9a:b3:\r\n b0:62:cf:3c:b4:4a:f9:89:ae:2c:73:17:01:43:63:\r\n ec:e8:2b:7b:1c:3c:81:41:fa:db:93:45:3a:21:1f:\r\n 2a:3a:8f:30:d4:52:59:91:03:03:11:b8:18:ca:39:\r\n 4c:9a:e2:57:33:e6:bc:c5:4a:8e:76:79:50:fd:bd:\r\n 
32:78:9c:79:58:4f:b9:d3:bb:05:eb:39:43:db:3e:\r\n b5:2d:51:18:ed:ee:9d:31:3a:2e:6b:37:37:34:28:\r\n 4a:89:cb:65:b4:7d:bf:be:a1:67:cb:5c:71:9c:be:\r\n c3:3b:f7:a7:df:37:4d:0f:c7:57:f5:5b:d2:db:54:\r\n 2c:91:5b:3b:7f:ec:1f:45:e4:7b:a5:0d:a1:c2:1f:\r\n 64:af:51:cd:32:3a:83:25:9c:90:ac:77:66:4d:12:\r\n 23:f5:5b:3c:90:b5:41:1b:54:55:a4:24:66:e6:e9:\r\n 65:46:95:ff:ef:67:f5:a6:80:f6:d5:e6:3f:2f:c2:\r\n 7b:25:d8:b3:b4:4d:f4:b8:7c:38:cc:de:3e:4f:43:\r\n 9a:ca:be:c1:66:95:2d:2c:16:a9:56:9b:68:5d:8c:\r\n 78:90:84:d4:86:51:10:f1:9b:14:23:43:bb:91:1e:\r\n 02:01:ee:11:63:c4:f2:81:7f:83:68:5e:86:bd:8a:\r\n 88:7c:2d\r\n Exponent: 65537 (0x10001)\r\n X509v3 extensions:\r\n X509v3 Basic Constraints:\r\n CA:TRUE, pathlen:0\r\n X509v3 Subject Key Identifier:\r\n E0:63:19:89:FA:AD:19:5D:E3:B3:A5:E2:85:D2:2F:87:B1:55:76:1B\r\n X509v3 Authority Key Identifier:\r\n keyid:E0:63:19:89:FA:AD:19:5D:E3:B3:A5:E2:85:D2:2F:87:B1:55:76:1B\r\n X509v3 Key Usage: critical\r\n Digital Signature, Key Agreement, Certificate Sign, CRL Sign\r\n Netscape Cert Type:\r\n SSL Client, SSL Server, Object Signing, SSL CA, Object Signing CA\r\n Signature Algorithm: sha256WithRSAEncryption\r\n 08:33:53:e4:be:95:0a:1b:d7:6e:44:6b:2d:42:2a:45:7f:8b:\r\n 89:fd:fb:d0:cf:5f:8f:83:77:5d:3b:2c:11:46:9f:44:3b:69:\r\n f2:e2:e7:fe:4e:c9:43:5c:89:5f:e2:e2:5a:5e:4c:4d:39:ed:\r\n ce:2d:63:d4:a1:93:ff:ff:3f:b0:77:86:e8:f1:5e:a3:4d:d3:\r\n ba:eb:41:0f:85:0c:04:fb:6c:42:19:bc:2b:d1:db:c6:51:e3:\r\n 97:cd:5b:e5:d5:b4:1f:43:e7:7c:eb:86:08:16:86:0b:46:23:\r\n 9d:f4:e9:18:b6:ce:e5:f4:96:7b:ee:5f:f5:8d:ff:dd:65:29:\r\n b9:12:94:f7:da:d3:c0:64:53:e6:2b:36:ec:6f:d3:26:3c:c2:\r\n ab:ba:10:cd:d8:39:43:8b:21:fe:68:ab:48:25:34:07:a6:cc:\r\n cc:b5:70:60:c4:ae:91:73:19:ff:9d:ff:82:ca:4a:9c:8e:70:\r\n 94:96:5f:7c:b3:e8:f7:e4:3e:cc:af:41:7e:24:47:fe:ad:d5:\r\n a7:80:32:80:9c:7f:0c:00:3b:92:4c:ec:8e:ef:93:fb:8a:1f:\r\n ff:be:f0:ab:33:c7:4b:2b:5d:fc:31:e6:bf:f4:1d:c0:e3:d0:\r\n 
c5:94:a9:21:b1:8c:26:4b:c2:82:51:cf:1b:63:09:b1:ec:45:\r\n 31:49:ba:51:42:22:7a:41:90:2f:28:0e:40:76:91:3c:33:34:\r\n 84:66:b9:7e:0e:68:5a:37:38:01:b1:92:64:a5:a8:9c:34:84:\r\n 6a:c6:01:d0:30:f8:d5:52:0f:6e:3e:40:06:a2:b8:4c:b1:69:\r\n 4d:16:8f:d0:c4:72:b6:0e:09:57:6c:5e:cd:bc:ab:e3:ce:80:\r\n ae:a7:6c:3d:3c:01:a5:a3:4f:4d:e0:52:36:12:cc:7a:e2:5e:\r\n f3:d7:22:a7:6c:7c:60:d4:fd:f4:37:94:70:dd:4c:9b:00:cd:\r\n 7d:9d:42:f7:e7:b2:25:f6:63:06:1e:4d:dc:4b:ef:5c:45:5d:\r\n a7:b9:b7:33:21:4e:91:40:ba:ca:ec:70:d0:a5:f7:0c:0a:ea:\r\n 97:11:fa:47:8b:dd:24:b0:c2:98:ff:94:4f:f6:c8:0f:e9:a5:\r\n 2d:bf:b6:7c:f4:45:f3:cb:5a:fd:a0:38:ce:ca:60:24:34:74:\r\n 77:ea:91:bc:dc:68:90:53:5f:0a:f4:40:13:69:68:2e:31:f9:\r\n df:7d:07:05:53:42:8a:8b:e0:49:75:ee:04:94:9e:87:1a:25:\r\n 9e:82:16:87:a2:69:dd:eb:44:21:4c:98:1d:72:8b:46:74:5c:\r\n 33:24:5c:c2:ab:7b:1f:c4:d4:d5:9a:40:77:15:73:d3:53:62:\r\n 60:da:5d:7c:2a:9e:12:25\r\n-----BEGIN CERTIFICATE-----\r\nMIIFgTCCA2mgAwIBAgIBATANBgkqhkiG9w0BAQsFADBIMRcwFQYDVQQDEw5TZWN1\r\ncmVUcnVzdCBDQTEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xCzAJ\r\nBgNVBAYTAlVTMB4XDTExMDEwMTAwMDAwMFoXDTI1MTIzMTIzNTk1OVowSDEXMBUG\r\nA1UEAxMOU2VjdXJlVHJ1c3QgQ0ExIDAeBgNVBAoTF1NlY3VyZVRydXN0IENvcnBv\r\ncmF0aW9uMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\r\nggIBAL3DJovhN3/w+goNg6fdIjEUgwjXdDsxCITvJc8tRPwtVHcLF+JwTb4vwfzt\r\n2Wue22AoJ8QebRU93blDZDdYtL1IhfrR1vdaM+vst4Zikh+J16S90x/zGJ2kFScW\r\neyafXFOHvUAi0l7Nq9VvHazDDfHZ1fVq0xZ2WN/3CyAN7XuXrmYK5syfc1D7zham\r\n3EXQL3A+yMhZTcRi7LDpAZxXkuR4g0+mqxuURf8V7dxZlfNxIpwGOLvmD7Psr1u9\r\nGi+xf87ITTKfj0SbrvzlciS0Ojvz0HkweaIOvVXpzcBNfgf8N7V/ab7W4zfOnv/S\r\nBeQ8WX7w1KsB5HsH9qTw48N+WAct6JacrIvm3ElqUZqzsGLPPLRK+YmuLHMXAUNj\r\n7Ogrexw8gUH625NFOiEfKjqPMNRSWZEDAxG4GMo5TJriVzPmvMVKjnZ5UP29Mnic\r\neVhPudO7Bes5Q9s+tS1RGO3unTE6Lms3NzQoSonLZbR9v76hZ8tccZy+wzv3p983\r\nTQ/HV/Vb0ttULJFbO3/sH0Xke6UNocIfZK9RzTI6gyWckKx3Zk0SI/VbPJC1QRtU\r\nVaQkZubpZUaV/+9n9aaA9tXmPy/CeyXYs7RN9Lh8OMzePk9Dmsq+wWaVLSwWqVab\r\naF2MeJCE1IZREPGbFCNDu5EeAgHuEWPE8oF/g2hehr2KiHwtAgMBAAGjdjB0MA8G\r\nA1UdEwQIMAYBAf8CAQAwHQYDVR0OBBYEFOBjGYn6rRld47Ol4oXSL4exVXYbMB8G\r\nA1UdIwQYMBaAFOBjGYn6rRld47Ol4oXSL4exVXYbMA4GA1UdDwEB/wQEAwIBjjAR\r\nBglghkgBhvhCAQEEBAMCANUwDQYJKoZIhvcNAQELBQADggIBAAgzU+S+lQob125E\r\nay1CKkV/i4n9+9DPX4+Dd107LBFGn0Q7afLi5/5OyUNciV/i4lpeTE057c4tY9Sh\r\nk///P7B3hujxXqNN07rrQQ+FDAT7bEIZvCvR28ZR45fNW+XVtB9D53zrhggWhgtG\r\nI5306Ri2zuX0lnvuX/WN/91lKbkSlPfa08BkU+YrNuxv0yY8wqu6EM3YOUOLIf5o\r\nq0glNAemzMy1cGDErpFzGf+d/4LKSpyOcJSWX3yz6PfkPsyvQX4kR/6t1aeAMoCc\r\nfwwAO5JM7I7vk/uKH/++8Kszx0srXfwx5r/0HcDj0MWUqSGxjCZLwoJRzxtjCbHs\r\nRTFJulFCInpBkC8oDkB2kTwzNIRmuX4OaFo3OAGxkmSlqJw0hGrGAdAw+NVSD24+\r\nQAaiuEyxaU0Wj9DEcrYOCVdsXs28q+POgK6nbD08AaWjT03gUjYSzHriXvPXIqds\r\nfGDU/fQ3lHDdTJsAzX2dQvfnsiX2YwYeTdxL71xFXae5tzMhTpFAusrscNCl9wwK\r\n6pcR+keL3SSwwpj/lE/2yA/ppS2/tnz0RfPLWv2gOM7KYCQ0dHfqkbzcaJBTXwr0\r\nQBNpaC4x+d99BwVTQoqL4El17gSUnocaJZ6CFoeiad3rRCFMmB1yi0Z0XDMkXMKr\r\nex/E1NWaQHcVc9NTYmDaXXwqnhIl\r\n-----END CERTIFICATE-----\r\nList of 32-bit modification debug messages:\r\n[work]cmdline:%s\r\n[work]dwDataLen=%d buf_temp=%d\r\n[work]%s no exist\r\n[work]get work err5\r\n[aut]begin tid=%d.\r\n[update_thread]begin tid=%d.\r\n[update_thread]work=%s\r\n[update_thread]get_work ret=%d\r\n[update_thread]wait for work thread exit...\r\n[update_thread]work thread exit ok\r\n[update_thread]load work failed\r\n[pt]proxy_thread begin tid=%d.\r\n[]dwMajorVersion=%d dwMinorVersion=%d\r\n[]rtlVer.dwMinorVersion=%d\r\n[work]DllMain\r\n[work] DLL\r\n[work] VBR/SRV\r\n[wk]RtlGetCurrentUserToken ok\r\n[wk]ImpersonateLoggedOnUser ok\r\n[wk]OpenURL %s Ret=%d\r\n[wk]Err1\r\n[wk]Err4\r\n[wk]GetConfigStrFromURL err\r\n[wk]DecodeStrBuffer err\r\n[wk]DecodeLen err\r\n[wk]RevertToSelf\r\n[]IsProxyEnable Ret=%d\r\n[aut]GetConfigStrFromURL PROXY_NO Ret=%d\r\n[aut]GetConfigStrFromURL PROXY_USER Ret=%d\r\n[aut]JmpAddClientConfig %s with address: 
%s.\r\n[aut]GetRandom=%d\r\n[aut]szWebURL Not Set\r\n[aut]address_update_thread Exit.\r\n[update_thread]get_work_path ret=%d\r\n[pt]Using IE proxy setting.\r\n[pt]IE proxy NOT setup.\r\n[pt]SmpGetRegProxy Counts=%d\r\n[pt]IE proxy type = %u NOT support, address: %s.\r\n[pt]IE proxy type = %u, address: %s found.\r\n[pt]Add proxy config %s, address=%s.\r\n[work_thread]begin tid=%d\r\n[wt]JmpAddClientConfig %s with address: %s.\r\n[wt]JmpAddProxyConfig %s.\r\n[wt]Proxy:%s\r\n[wt]start Jumper error = %u.\r\n[wt]Jumper start success!\r\n[wt]JmpShutdown\r\n[wt]JmpShutdown=%d\r\n[wt]JmpTeardown=%d\r\n[wt]tid=%d Exit\r\n[Spyder] client module init error = %d.\r\n[Spyder] register mod %d error = %u.\r\n[spyder] alloc mem for ca cert failed.\r\n[spyder] server address already exists in conf list.\r\n[Spyder] alloc client error = %d.\r\n[Spyder] ALLOC client uid = %u.\r\n[Spyder] set ca for client id=%u error=%d\r\n[Spyder] proxy setting exists, srv=%s\r\n[spyder] use proxy [%s] to connect [%s] res = %u.\r\n[Spyder] direct connect to %s error = %u.\r\n[Spyder] connect to %s result = %u, protcol=%u.\r\n[jmp] big packet: recv new big pkt while previous one not handled, old=%u, new=%u.\r\n[jmp] packet size exceed limit = %#X, id=%u.\r\n[jmp] failed to realloc packet buffer, error = %u, pkt id=%u.\r\n[jmp] big packet recv completed, id=%u, size=%u, ext id=%u.\r\n[Spyder] PAUSE ext = %u Before.\r\n[Spyder] PAUSE ext = %u After.\r\n[Spyder] UNINIT ext = %u Before.\r\n[Spyder] UNINIT ext = %u After.\r\nduplicate session id for ext type id = %u.\r\n[Spyder] can't find recv item for type id = %u.\r\n[Spyder] ext type id = %u recved = %u, new recv = %u, but total size = %u\r\n[Spyder] ext type id = %u recv completed, total size = %u.\r\n[Spyder] find ext with same type id = %u while updating, free old ext.\r\n[Spyder] alloc mem for completed ext error = %u.\r\n[Spyder] ext recv %s, free tem buffer, type id = %u.\r\n[Spyder] 
ext type = %u already loaded, unlaod now for updating.\r\n[Spyder] failed to unload ext from memory.\r\n[Spyder] load ext id = %u into memory error.\r\n[Spyder] MOD LOAD AT %p, size=%u.\r\n[Spyder] alloc mem for loaded item failed, unload ext type id = %u.\r\n[Spyder] inint module type = %u begin.\r\n[Spyder] inint module type = %u end.\r\n[Spyder] alloc mem for mod_pfn error = %u.\r\n[Spyder] unlaod ext id = %u error.\r\n[Spyder] unload_and_free_all_exts.\r\n[Spyder] UNLOAD ext = %u BEFORE.\r\n[Spyder] UNLOAD ext = %u AFTER.\r\n[Spyder] FREE ext = %u AFTER.\r\n[Spyder] free ext cache = %u .\r\n[Spyder] free ext mem = %u .\r\n[Spyder] link setup Result=%d, local = %#X:%u, remote = %#X:%u, uid=%u.\r\n[Spyder] connected callback at %02u:%02u:%02u, id = %u.\r\n[Spyder] Link disconnected at %02u:%02u:%02u, id = %u.\r\n[Spyder] recv data size = %u invalid, from uid=%u.\r\n[Spyder] receive challenge = %I64X.\r\n[Spyder] failed to get host info.\r\n[Spyder] send host info error = %u.\r\n[jmp] LOGIN SUCCESS, link id = %u.\r\n[jmp] internal data process error.\r\n[jmp] unknown state = %u.\r\n[jmp] core process data error, close link = %u.\r\n[Spyder] ext summary size error = %u.\r\n[Spyder] ext recv prepare failed.\r\n[Spyder] EXTENSION recv BEGIN, type = %u.\r\n[Spyder] dll payload recv error.\r\n[Spyder] ext active begin.\r\n[Spyder] ext active result = %s.\r\n[Spyder] ext free cmd not handled.\r\n[Spyder] unhandled ext sub cmd = %u.\r\n[Spyder] call ext failed = %d, sub=%u.\r\n[spyder] unhandled subcmd=%u in tunnel cmd.\r\n[Spyder] unhandled main cmd = %u, sub cmd = %u.\r\n[Spyder] Can't get link id for ext data delevery.\r\n[Spyder] SEND_DATA via link id=%u error = %d.\r\n[Spyder] client link disconnect id = %u.\r\n[Spyder] client send data error = %#X, id = %u.\r\n[Spyder] enum session error = %u.\r\n[Spyder] get Host info error.\r\n[Spyder] save sn value error = %u.\r\n[Spyder] gszUniqueSN=%s\r\n[Spyder] 
create guid error = %d.\r\n[jmp] Get adapter info error = %u.\r\n[jmp] adapters info buf size=%u, count=%u.\r\n Alloc buf for adapter info error = %u.\r\nget adapter info with buf error = %u.\r\n[jmp] IP=%s not match preset mac address, desc=%s.\r\n[jmp] master adapter FOUND! IP = [%s], desc=%s.\r\n[jmp] master adapter has more than one ip: %s.\r\nSource: https://vms.drweb.com/virus/?i=23648386",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://vms.drweb.com/virus/?i=23648386"
	],
	"report_names": [
		"?i=23648386"
	],
	"threat_actors": [],
	"ts_created_at": 1775434597,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7edc67f7b3780a18dddfc85f0c8968cd105aa851.pdf",
		"text": "https://archive.orkl.eu/7edc67f7b3780a18dddfc85f0c8968cd105aa851.txt",
		"img": "https://archive.orkl.eu/7edc67f7b3780a18dddfc85f0c8968cd105aa851.jpg"
	}
}