{
	"id": "df7c1a41-3874-4db8-b594-5e0c48ce1251",
	"created_at": "2026-04-06T00:22:34.724502Z",
	"updated_at": "2026-04-10T03:35:21.33234Z",
	"deleted_at": null,
	"sha1_hash": "8def5d461a92cce54e80cb7d8e0cadd364984752",
	"title": "Curious Korlia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106639,
	"plain_text": "Curious Korlia\r\nPublished: 2014-11-25 · Archived: 2026-04-02 12:39:18 UTC\r\nIntroduction\r\nReverse engineers organize discrete pieces of malware into families. While digging through my malware collection I\r\nstumbled across this hash (B8FDFEE08DEEE5CCC1794BAF9ED553CE).\r\nIt turns out that this is a sample of the backdoor family known as Korlia. After doing some more digging, it turns out that\r\nKorlia doesn’t seem to be that well documented or widely known. There is a little bit more written about it here.\r\nKorlia shares a lot of features with common remote access tools, such as:\r\nDownloading and executing files\r\nListing and controlling processes\r\nCreating and deleting files\r\nCreating a remote shell\r\nGiven the small amount of public information on Korlia, this made it a good candidate for further research. There isn’t an\r\nobvious C2 address called out in strings, although there are some bizarre strings. Depending on luck, those might be actual\r\nstrings, or code that is being misinterpreted as a string.\r\nDiving in deeper on our first string:\r\nThere exists a cross-reference to an address. For this case, that is a great sign! This particular piece of data is being\r\nreferenced somewhere in the code. Let’s follow.\r\nIn this case we can see that the data is being referenced as global data, and it’s mov’d into EDI. Shortly after, the value\r\n0x1f is loaded into BL. As a general side note, when you see static values being pushed into the lower bytes of a general\r\npurpose register, this usually means that some loop is going to follow and modify a string or array byte by byte.\r\nThis can be roughly written in Ruby with the following code.\r\n\"{ql{ql.1O~ll^l1jl\".each_byte {|x| print \"#{(x^0x1f).chr}\"}\r\nThis will return the following information (the decoded string, dnsdns1.PassAs.us, matches the C2 listed for this hash in the table below):\r\nhttps://securitykitten.github.io/2014/11/25/curious-korlia.html\r\nPage 1 of 3\n\nAfter a little bit of hunting on VirusTotal, I was able to find the following samples. 
These samples also carry the following\r\nconfigurations.\r\nMD5 Config Offset C2 C2 URL\r\n172d68e10715b915ab3268db2174192b 11280 kfsinfo.ByInter.net 61.90.202.197 http://fund.cmc.or.kr/UploadFile/fa\r\n211c25cdf120f5da8a2258b5d65cc263 14364 0906.toh.info wew.myMom.info http://fund.cmc.or.kr/UploadFile/fa\r\n37513c17acfb0b122ffdc3e51501ecc3 11792 since.qpoe.com 69.197.149.98 http://fund.cmc.or.kr/UploadFile/fa\r\n3f7b8f90acc4a01b3377942c409031dc 11808 mycount.MrsLove.com mycount.MrsLove.com http://fund.cmc.or.kr/UploadFile/fa\r\n5217a2fc910479d36947d8fe6791d734 12816 mycount.MrsLove.com mycount.MrsLove.com http://fund.cmc.or.kr/UploadFile/fa\r\n7807036a74b811c28f1fbb167ef545e3 15900 kazama.myfw.us   http://fund.cmc.or.kr/UploadFile/fa\r\n7865b3c7e7f40ead123e97aae5dc0a57 17948 shinkhek.myfw.us   http://61.90.202.198/jp/log2.asp\r\n932875565fc6a1356800aa9d3af01670 11792 usababa.myfw.us indbaba.myfw.us http://indbabababa.dns94.com/o.as\r\nb57a30d94872e47186c7ef2e08e6e905 17440 mycount.MrsLove.com mycount.MrsLove.com http://fund.cmc.or.kr/UploadFile/fa\r\nb7981c7d028cbfd2f0fe2089de02b391 11792 jennifer998.lookin.at 196.44.49.154 http://fund.cmc.or.kr/UploadFile/fa\r\nb8fdfee08deee5ccc1794baf9ed553ce 11280 dnsdns1.PassAs.us dnsdns1.PassAs.us http://fund.cmc.or.kr/UploadFile/fa\r\nc96a92565553c7dc67267c78bc2809bb 14352 since.qpoe.com applejp.myfw.us http://fund.cmc.or.kr/UploadFile/fa\r\ncb0e358b534bdce8e2587ef3745b1723 11808 v3net.rr.nu faceto.UglyAs.com http://fund.cmc.or.kr/UploadFile/fa\r\ne47f4ca37db57a9f22d85e021dc891a6 12816 mycount.MrsLove.com mycount.MrsLove.com http://fund.cmc.or.kr/UploadFile/fa\r\nefe7598c675c1c71f0ad44cc686de587 17948 61.90.202.198 10.0.0.102 http://61.90.202.198/jp/log.asp\r\nThe next step in this process is to write a Yara rule looking for this sort of behavior. Writing Yara rules based on strings\r\nalone is often problematic as strings are very easy to change and modify. 
In this case, since we understand how the decoder\r\nworks, writing a Yara rule for the loop is probably a better bet. While hunting I did find slight variations of the loop\r\n(highlighted in the Yara rule below). Those are accounted for in the final rule. The following rules will catch several variants\r\nof Korlia.\r\nrule korlia\r\n{\r\nmeta:\r\nauthor = \"Nick Hoffman \"\r\ncompany = \"CBTS - ACS\"\r\ninformation = \"korlia malware found in apt dump\"\r\n//case a\r\n//b2 1f mov dl, 0x1f ; mov key (wildcard)\r\n// -----------------\r\n//8A 86 98 40 00 71 mov al, byte ptr url[esi]\r\n//BF 98 40 00 71 mov edi, offset url\r\n//32 C2 xor al, dl\r\n//83 C9 FF or ecx, 0FFFFFFFFh\r\n//88 86 98 40 00 71 mov byte ptr url[esi], al\r\n//33 C0 xor eax, eax\r\n//46 inc esi\r\n//F2 AE repne scasb\r\n//F7 D1 not ecx\r\n//49 dec ecx\r\n//3B F1 cmp esi, ecx\r\n//72 DE jb short loc_71001DE0\r\n//case b (variant of loop a)\r\n//8A 8A 28 50 40 00 mov cl, byte_405028[edx]\r\n//BF 28 50 40 00 mov edi, offset byte_405028\r\n//32 CB xor cl, bl\r\n//33 C0 xor eax, eax\r\n//88 8A 28 50 40 00 mov byte_405028[edx], cl\r\n//83 C9 FF or ecx, 0FFFFFFFFh\r\n//42 inc edx\r\n//F2 AE repne scasb\r\n//F7 D1 not ecx\r\n//49 dec ecx\r\n//3B D1 cmp edx, ecx\r\n//72 DE jb short loc_4047F2\r\n//case c (not a variant of the above loop)\r\n//8A 0C 28 mov cl, [eax+ebp]\r\n//80 F1 28 xor cl, 28h\r\n//88 0C 28 mov [eax+ebp], cl\r\n//8B 4C 24 14 mov ecx, [esp+0D78h+var_D64]\r\n//40 inc eax\r\n//3B C1 cmp eax, ecx\r\n//7C EE jl short loc_404F1C\r\nstrings:\r\n$a = {b2 ?? 8A 86 98 40 00 71 BF 98 40 00 71 32 c2 83 C9 FF 88 86 98 40 00 71 33 C0 46 F2 AE F7 D1 49 3B F1}\r\n$b = {B3 ?? ?? ?? 8A 8A 28 50 40 00 BF 28 50 40 00 32 CB 33 C0 88 8A 28 50 40 00 83 C9 FF 42 F2 AE F7 D1 49 3B D1}\r\n$c = {8A 0C 28 80 F1 ?? 
88 0C 28 8B 4C 24 14 40 3B C1}\r\n$d = {00 62 69 73 6F 6E 61 6C 00} //config marker \"\\x00bisonal\\x00\"\r\ncondition:\r\nany of them\r\n}\r\nSource: https://securitykitten.github.io/2014/11/25/curious-korlia.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securitykitten.github.io/2014/11/25/curious-korlia.html"
	],
	"report_names": [
		"curious-korlia.html"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8def5d461a92cce54e80cb7d8e0cadd364984752.pdf",
		"text": "https://archive.orkl.eu/8def5d461a92cce54e80cb7d8e0cadd364984752.txt",
		"img": "https://archive.orkl.eu/8def5d461a92cce54e80cb7d8e0cadd364984752.jpg"
	}
}