{
	"id": "3602aded-400b-4ab6-9821-348bffae5484",
	"created_at": "2026-04-06T00:14:46.610662Z",
	"updated_at": "2026-04-10T03:31:00.962155Z",
	"deleted_at": null,
	"sha1_hash": "8e9023da49262ff49e22d03e09f545361eb1fffb",
	"title": "Malware analysis report: WinDealer (LuoYu Threat Group)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2865396,
	"plain_text": "Malware analysis report: WinDealer (LuoYu Threat Group)\r\nBy MSSP Research Lab\r\nPublished: 2023-05-08 · Archived: 2026-04-05 19:13:17 UTC\r\n7 minute read\r\nWinDealer is an espionage backdoor used by the LuoYu threat group. It is an information stealer and remote access tool rather than a banking Trojan: it collects login credentials, documents, messaging-client configuration and other sensitive data from victims’ computers and sends it to a C2 server, as the capabilities below and the rest of this report show.\r\nThe capabilities of the malware are:\r\nManipulation of files and file systems: reading, writing and deleting files, listing directories, and collecting disk information;\r\nInformation collection: gathering device details, network settings and/or keyboard layout, listing running processes and installed software, and reading the configuration files of popular messaging services (Skype, QQ, WeChat and Wangwang);\r\nDownload and upload of arbitrary files; execution of arbitrary commands;\r\nSystem-wide search for text files and Microsoft Word documents;\r\nScreenshot capture;\r\nNetwork discovery through ping scan;\r\nBackdoor maintenance: enabling or disabling persistence (through the Run key in the registry) and configuration changes.\r\nThreat actor\r\nhttps://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html\r\nPage 1 of 23\n\nLuoYu is a threat group believed to be Chinese state-sponsored. 
The group has been active since at least 2011 and is known to target a wide range of industries, including defense, government, telecommunications and technology.\r\nTarget\r\nGeographies and sectors:\r\nChinese subsidiaries of Japanese companies\r\nUsers of a Chinese private bank\r\nIndustry:\r\nTechnology\r\nMedia\r\nFinancial\r\nMilitary\r\nTelecom\r\nMinistries of Foreign Affairs\r\nCyber Kill Chain\r\nWinDealer steals information from an infected PC and sends it to a C2 server, as shown here:\r\nIdentification\r\nTwo samples are investigated.\r\nsample.exe:\r\nFile size: 372736 bytes\r\nMD5 sum: cc7207f09a6fe41c71626ad4d3f127ce\r\nSHA-1 sum: 84e749c37978f9387e16fab29c7b1b291be93a63\r\nSHA-256 sum: 28df5c75a2f78120ff96d4a72a3c23cee97c9b46c96410cf591af38cb4aed0fa\r\nFirst, check the sample on VirusTotal:\r\nhttps://www.virustotal.com/gui/file/28df5c75a2f78120ff96d4a72a3c23cee97c9b46c96410cf591af38cb4aed0fa/details\r\n52 of 68 AV engines detect the sample as malicious, most of them under the name Backdoor.Win32.WINDEALER.ZYJA.\r\nStatic analysis\r\nThe sample is a PE file:\r\nUse exiftool to look at the metadata:\r\nThe file timestamp is 2021-01-25 13:32:26+03:00.\r\nThe executable is not packed with UPX:\r\nShannon entropy of the sample:\r\nDIE (Detect It Easy) identifies the compiler as Microsoft Visual Studio C++ 6.0:\r\nThe malware contains an encrypted DLL:\r\nInteresting 
strings:\r\nThe hardcoded version string of WinDealer:\r\n18.20.1225 - version 18, year 2020, month and day 12.25\r\nAnother interesting string is the registry path\r\nSYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\%s\\Connection\r\n{4D36E972-E325-11CE-BFC1-08002BE10318} is the network adapter device class GUID, and the Connection subkey holds each adapter's connection name, so this string is used to enumerate network interfaces (matching the network-settings collection listed in the capabilities above).\r\nDynamic analysis\r\nThe sample is a GUI application:\r\nContacted IP addresses:\r\nThe sample may sleep in evasive loops to hinder dynamic analysis:\r\nThe operator can rename, move and delete files on the target machine:\r\nThe malware also searches through directories and enumerates the filesystem:\r\nand collects volume information:\r\nAPI hooking\r\nThe use of InterlockedExchange, which swaps a pointer atomically, suggests that the sample hooks Win32 API functions:\r\nAV/Sandbox evasion\r\nIn this sample the delay timeout is measured with the GetTickCount() timer, and Sleep() is called in a loop until the timer reaches the timeout. Sandboxes commonly skip Sleep() delays (replacing them with a very short timeout), so the time that appears to have elapsed is much higher than the requested timeout. 
The idea behind such checks is to measure elapsed time while running several forms of delay in parallel, so that a sandbox which skips one of them is caught by the mismatch:\r\nsample2.exe:\r\nFile size: 458752 bytes\r\nMD5 sum: 76ba5272a17fdab7521ea21a57d23591\r\nSHA-1 sum: 6b831413932a394bd9fb25e2bbdc06533821378c\r\nSHA-256 sum: ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261\r\nVirusTotal scan result:\r\nhttps://www.virustotal.com/gui/file/ecd001aeb6bcbafb3e2fda74d76eea3c0ddad4e6e7ff1f43cd7709d4b4580261/detection\r\nStatic analysis\r\nThe sample is a PE file:\r\nRun exiftool to extract the metadata:\r\nThe sample is a Windows GUI executable with timestamp 2021:03:06 04:13:51+03:00.\r\nDynamic analysis\r\nThe sample generates a victim ID and stores it in a registry key:\r\nThe victim ID is md5(\"\u003cMAC address\u003e+\u003cPhysical_Drive_info\u003e+\u003cusername\u003e\"). The malware creates a unique registry entry to store the victim ID for subsequent executions. 
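A worked model of this victim ID scheme, added here as an example (it is not code from the original post or from the WinDealer sample): it computes the MD5 over constructed host attributes, encodes 4 bytes of the digest as the dotted-quad string that ends up in the registry, and decodes such a string back so an analyst can check whether a suspicious IPv4-looking registry value belongs to a given host. The literal '+' separator, the UTF-8 encoding, the choice of the first 4 digest bytes, and the sample host values are assumptions.

```python
import hashlib
import ipaddress

# Constructed host attributes for the example; real values are read from the infected host.
SAMPLE_MAC = '00-0C-29-3A-7B-1D'
SAMPLE_DRIVE = 'WD-WCC4E1234567'   # hypothetical physical drive serial
SAMPLE_USER = 'alice'


def victim_id(mac: str, drive_info: str, username: str) -> bytes:
    '''Full 16-byte MD5 over <MAC>+<Physical_Drive_info>+<username> (format from the report).
    Assumption: a literal plus sign as separator and UTF-8 encoding of the joined string.'''
    material = f'{mac}+{drive_info}+{username}'.encode('utf-8')
    return hashlib.md5(material).digest()


def id_to_ip(digest: bytes) -> str:
    '''Encode 4 bytes of the ID as a dotted quad, the form the sample writes to the registry.
    Assumption: the first 4 bytes of the digest are the ones used.'''
    return str(ipaddress.IPv4Address(digest[:4]))


def ip_to_id(ip_string: str) -> bytes:
    '''Reverse the encoding: a registry value that looks like an IPv4 address yields
    the stored 4-byte ID, which can be compared against a recomputed hash.'''
    return ipaddress.IPv4Address(ip_string).packed


def matches_host(ip_string: str, mac: str, drive_info: str, username: str) -> bool:
    '''True if a recovered registry value was generated on the host described by the arguments.'''
    return ip_to_id(ip_string) == victim_id(mac, drive_info, username)[:4]


if __name__ == '__main__':
    stored = id_to_ip(victim_id(SAMPLE_MAC, SAMPLE_DRIVE, SAMPLE_USER))
    print('registry value:', stored)
    print('belongs to sample host:', matches_host(stored, SAMPLE_MAC, SAMPLE_DRIVE, SAMPLE_USER))
```

The value differs on every machine by design; the useful property for an analyst is that it can be recomputed from the host's MAC, drive information and user name, which is how a stray IPv4-looking value under the sample's registry key is confirmed to be this artifact rather than a real network setting.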
The victim ID is not saved as raw data; instead, the malware converts 4 bytes of the victim ID into an IP address format (a dotted quad) before writing it.\r\nThis sample collects host information:\r\nEncoding\r\nThe sample uses function call obfuscation: the following API functions are resolved at run time instead of appearing in the import table:\r\nGetUserNameW\r\nRegCreateKeyExA\r\nRegDeleteKeyA and RegCloseKey\r\nRegQueryValueExA\r\nGetTokenInformation\r\nOpenProcessToken\r\nOpenThreadToken\r\nAdjustTokenPrivileges\r\netc.\r\nSo the sample uses a classic APT technique: enabling SeDebugPrivilege on its own token, which is the prerequisite for token theft from other processes. Enabling a privilege on the current token looks like this:\r\n// Enable a named privilege (e.g. SE_DEBUG_NAME) on the current process token.\r\n// Returns TRUE on success, FALSE if any step fails.\r\nBOOL EnablePrivilege(LPCTSTR priv)\r\n{\r\n    HANDLE token = NULL;\r\n    TOKEN_PRIVILEGES tp;\r\n    LUID luid;\r\n    BOOL res = TRUE;\r\n    // Resolve the privilege name to its LUID before copying it into the structure.\r\n    if (!LookupPrivilegeValue(NULL, priv, \u0026luid)) res = FALSE;\r\n    tp.PrivilegeCount = 1;\r\n    tp.Privileges[0].Luid = luid;\r\n    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\r\n    if (res \u0026\u0026 !OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, \u0026token)) res = FALSE;\r\n    if (res \u0026\u0026 !AdjustTokenPrivileges(token, FALSE, \u0026tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) res = FALSE;\r\n    // AdjustTokenPrivileges returns TRUE even when the privilege is not held by the token; check GetLastError.\r\n    if (res \u0026\u0026 GetLastError() == ERROR_NOT_ALL_ASSIGNED) res = FALSE;\r\n    if (token) CloseHandle(token);\r\n    return res;\r\n}\r\nRegistry modifications and persistence\r\nWith a high degree of probability WinDealer interacts with the registry to set up persistence (the Run key mentioned in the capabilities above):\r\nEncryption\r\nThe sample generates a 16-byte (AES-128) key to encrypt C2 communication:\r\nC2 anti-tracking 
mechanism\r\nThis sample employs an IP Generation Algorithm (IPGA) to produce a random C2 IP address when the backdoor has no C2 configuration. The randomly generated IP always falls inside one of these ranges:\r\n113.62.0.0 - 113.63.255.255 (113.62.0.0/15) or\r\n111.120.0.0 - 111.123.255.255 (111.120.0.0/14)\r\nBecause the real C2 address is never hardcoded, this mechanism prevents researchers from tracking down the real C2 IP from the sample alone.\r\nBackdoor.Win32.WINDEALER.ZYJA is the AV detection name for this variant of the WinDealer malware family. It is a backdoor designed to give remote attackers unauthorized access to an infected system: once installed, it lets the attacker control the system and steal sensitive data.\r\nThis variant is reported to spread through spear-phishing emails with malicious attachments. Once the attachment is opened, the malware is installed and begins communicating with a remote command-and-control server, allowing the attacker to send commands to the infected system and exfiltrate data.\r\nThe malware can steal credentials and sensitive data, take screenshots, record keystrokes, and execute arbitrary commands on the infected system. 
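A model of the IPGA fallback described in the C2 anti-tracking section above, paired with a hunt over flow records, added here as an example (not code from the original post or from the sample). The CIDR ranges, ports and /32 hosts are taken from this report's IOC list; the uniform selection inside the ranges, the scoring levels and the flow records are assumptions.

```python
import ipaddress
import random

# Ranges stated in the report for the IP Generation Algorithm fallback.
WINDEALER_C2_RANGES = (
    ipaddress.ip_network('113.62.0.0/15'),   # 113.62.0.0 - 113.63.255.255
    ipaddress.ip_network('111.120.0.0/14'),  # 111.120.0.0 - 111.123.255.255
)
# Ports and individual hosts from the report's IOC section.
WINDEALER_PORTS = {('tcp', 55556), ('udp', 6999)}
KNOWN_C2_HOSTS = {'221.195.68.71', '122.112.245.55'}


def generate_fallback_c2(seed: int) -> ipaddress.IPv4Address:
    '''Model of the IPGA: choose one range, then a random host inside it.
    Assumption: the sample's real selection logic is not documented; uniform choice is used here.'''
    rng = random.Random(seed)
    net = rng.choice(WINDEALER_C2_RANGES)
    return net.network_address + rng.randrange(net.num_addresses)


def in_c2_ranges(ip_string: str) -> bool:
    '''True if the address lies in either IPGA range.'''
    addr = ipaddress.ip_address(ip_string)
    return any(addr in net for net in WINDEALER_C2_RANGES)


def classify_flow(src: str, dst: str, proto: str, dst_port: int) -> str:
    '''Score one flow: a known C2 host or a range+port match is high, range alone is medium.
    Range-only hits are weak on their own because both ranges are large ISP blocks.'''
    if dst in KNOWN_C2_HOSTS:
        return 'high'
    if in_c2_ranges(dst):
        return 'high' if (proto.lower(), dst_port) in WINDEALER_PORTS else 'medium'
    return 'none'


def hunt(flows):
    '''Return (src, dst, level) for every flow that matches at least one indicator.'''
    hits = []
    for src, dst, proto, port in flows:
        level = classify_flow(src, dst, proto, port)
        if level != 'none':
            hits.append((src, dst, level))
    return hits


# Constructed flow records (src, dst, proto, dst_port) for the example.
SAMPLE_FLOWS = [
    ('10.0.0.5', '113.63.12.200', 'tcp', 55556),
    ('10.0.0.5', '111.121.8.9', 'udp', 6999),
    ('10.0.0.7', '113.62.100.1', 'tcp', 443),
    ('10.0.0.9', '8.8.8.8', 'udp', 53),
    ('10.0.0.5', '221.195.68.71', 'tcp', 55556),
]

if __name__ == '__main__':
    print('fallback C2 candidate:', generate_fallback_c2(7))
    for hit in hunt(SAMPLE_FLOWS):
        print(*hit)
```

Together the two ranges cover 393,216 addresses of ordinary ISP space, so a destination inside them is not evidence by itself; the medium level exists so that such flows are reviewed together with the destination port, the originating process and the victim ID registry artifact rather than alerted on alone.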
The malware is also reported to bypass antivirus and other security software, making it difficult to detect and remove.\r\nIOCs\r\nVersions\r\nMalware | Version | MD5 | SHA-1\r\nWinDealer | 18.20.1225 | 76ba5272a17fdab7521ea21a57d23591 | 6b831413932a394bd9fb25e2bbdc06533821378c\r\nWinDealer | 18.20.1225 | cc7207f09a6fe41c71626ad4d3f127ce | 84e749c37978f9387e16fab29c7b1b291be93a63\r\nNetwork IOCs\r\nC2 IP ranges (IPGA fallback): 113.62.0.0/15, 111.120.0.0/14\r\nPorts: 55556/TCP, 6999/UDP\r\nC2 hosts: 221.195.68.71/32, 122.112.245.55/32\r\nYara rules (from Malpedia)\r\nrule win_windealer_auto {\r\n meta:\r\n author = \"Felix Bilstein - yara-signator at cocacoding dot com\"\r\n date = \"2023-01-25\"\r\n version = \"1\"\r\n description = \"Detects win.windealer.\"\r\n info = \"autogenerated rule brought to you by yara-signator\"\r\n tool = \"yara-signator v0.6.0\"\r\n signator_config = \"callsandjumps;datarefs;binvalue\"\r\n malpedia_reference = \"https://malpedia.caad.fkie.fraunhofer.de/details/win.windealer\"\r\n malpedia_rule_date = \"20230124\"\r\n malpedia_hash = \"2ee0eebba83dce3d019a90519f2f972c0fcf9686\"\r\n malpedia_version = \"20230125\"\r\n malpedia_license = \"CC BY-SA 4.0\"\r\n malpedia_sharing = \"TLP:WHITE\"\r\n /* DISCLAIMER\r\n * The strings used in this rule have been automatically selected from the\r\n * disassembly of memory dumps and unpacked files, using YARA-Signator.\r\n * The code and documentation is published here:\r\n * https://github.com/fxb-cocacoding/yara-signator\r\n * As Malpedia is used as data source, please note that for a given\r\n * number of families, only single samples are documented.\r\n * This likely impacts the degree of generalization these rules will offer.\r\n * Take the described generation method also into consideration when you\r\n * apply the rules in your use cases and assign them confidence levels.\r\n */\r\n strings:\r\n $sequence_0 = 
{ 668b91d2070000 8a89d0070000 52 51 }\r\n // n = 4, score = 800\r\n // 668b91d2070000 | mov dx, word ptr [ecx + 0x7d2]\r\n // 8a89d0070000 | mov cl, byte ptr [ecx + 0x7d0]\r\n // 52 | push edx\r\n // 51 | push ecx\r\n $sequence_1 = { ff15???????? 85c0 7407 50 ff15???????? 6a01 }\r\n // n = 6, score = 800\r\n // ff15???????? |\r\n // 85c0 | test eax, eax\r\n // 7407 | je 9\r\n // 50 | push eax\r\n // ff15???????? |\r\n // 6a01 | push 1\r\n $sequence_2 = { 6a01 50 56 e8???????? 83c410 8bc7 }\r\n // n = 6, score = 800\r\n // 6a01 | push 1\r\n // 50 | push eax\r\n // 56 | push esi\r\n // e8???????? |\r\n // 83c410 | add esp, 0x10\r\n // 8bc7 | mov eax, edi\r\n $sequence_3 = { 6a00 ff15???????? 85c0 7407 50 ff15???????? 6a01 }\r\n // n = 7, score = 800\r\n // 6a00 | push 0\r\n // ff15???????? |\r\n // 85c0 | test eax, eax\r\n // 7407 | je 9\r\n // 50 | push eax\r\n // ff15???????? |\r\n // 6a01 | push 1\r\n $sequence_4 = { 6a04 50 6a04 68???????? 68???????? }\r\n // n = 5, score = 800\r\n // 6a04 | push 4\r\n // 50 | push eax\r\n // 6a04 | push 4\r\n // 68???????? |\r\n // 68???????? |\r\n $sequence_5 = { 56 57 68da070000 e8???????? }\r\n // n = 4, score = 800\r\n // 56 | push esi\r\n // 57 | push edi\r\n // 68da070000 | push 0x7da\r\n // e8???????? |\r\n $sequence_6 = { 50 56 e8???????? 83c410 8b4618 }\r\n // n = 5, score = 800\r\n // 50 | push eax\r\n // 56 | push esi\r\n // e8???????? 
|\r\n // 83c410 | add esp, 0x10\r\n // 8b4618 | mov eax, dword ptr [esi + 0x18]\r\n $sequence_7 = { 8b4d08 668b91d2070000 8a89d0070000 52 51 }\r\n // n = 5, score = 800\r\n // 8b4d08 | mov ecx, dword ptr [ebp + 8]\r\n // 668b91d2070000 | mov dx, word ptr [ecx + 0x7d2]\r\n // 8a89d0070000 | mov cl, byte ptr [ecx + 0x7d0]\r\n // 52 | push edx\r\n // 51 | push ecx\r\n $sequence_8 = { 53 56 57 68da070000 }\r\n // n = 4, score = 800\r\n // 53 | push ebx\r\n // 56 | push esi\r\n // 57 | push edi\r\n // 68da070000 | push 0x7da\r\n $sequence_9 = { 8b4d08 668b91d2070000 8a89d0070000 52 }\r\n // n = 4, score = 800\r\n // 8b4d08 | mov ecx, dword ptr [ebp + 8]\r\n // 668b91d2070000 | mov dx, word ptr [ecx + 0x7d2]\r\n // 8a89d0070000 | mov cl, byte ptr [ecx + 0x7d0]\r\n // 52 | push edx\r\n condition:\r\n 7 of them and filesize \u003c 770048\r\n}\r\nBy Cyber Threat Hunters from MSSPLab:\r\n@cocomelonc\r\n@wqkasper\r\nThanks for your time, happy hacking and good bye!\r\nAll drawings and screenshots are MSSPLab’s.\r\nSource: https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mssplab.github.io/threat-hunting/2023/05/08/malware-analysis-windealer.html"
	],
	"report_names": [
		"malware-analysis-windealer.html"
	],
	"threat_actors": [
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434486,
	"ts_updated_at": 1775791860,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e9023da49262ff49e22d03e09f545361eb1fffb.pdf",
		"text": "https://archive.orkl.eu/8e9023da49262ff49e22d03e09f545361eb1fffb.txt",
		"img": "https://archive.orkl.eu/8e9023da49262ff49e22d03e09f545361eb1fffb.jpg"
	}
}