{
	"id": "70a81cce-7064-425e-a480-03f146238662",
	"created_at": "2026-04-06T00:15:11.106554Z",
	"updated_at": "2026-04-10T03:36:13.715593Z",
	"deleted_at": null,
	"sha1_hash": "a878839e511fa435ab4ead7bdf61dfad356188cd",
	"title": "Let’s nuke Megumin Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 967650,
	"plain_text": "Let’s nuke Megumin Trojan\r\nPublished: 2019-05-03 · Archived: 2026-04-05 21:24:09 UTC\r\nWhen you are a big fan of the Konosuba franchise, you are a bit curious when you spot a malware called “Megumin Trojan” (written in C++) on some selling forums and in some sandbox submission results. Before speculating about when this malware appeared: it is not recent, and there are elements that prove it has been present on the market since the beginning of 2018.\r\nIn the last days, there has been increased activity related to a new version that was probably launched not so long ago (a v2), and the community started to talk about it, but many confused it with Vidar because both use the same boundary beacon string. This analysis will help you to clarify how to spot Megumin Trojan and understand how it works; it has a specific signature that you can’t miss when you dig into it (for both network activity \u0026 code).\r\nThis malware is a Trojan with a bunch of features:\r\nDDoS\r\nMiner\r\nClipper\r\nLoader\r\nExecuting DOS commands on bots\r\nUploading specific files from bots to C\u0026C\r\nIt’s time to reverse a little all of that 🙂\r\nAnti-Analysis Techniques\r\nThe classy PEB\r\nThis malware uses one of the classiest tricks for detecting that the process is currently being debugged: checking a specific field in the Process Environment Block (PEB). For those who are unfamiliar with it, the PEB is a structure that contains all the process information.\r\ntypedef struct _PEB {\r\n BYTE Reserved1[2];\r\n BYTE BeingDebugged; // HERE\r\n ...\u003c Other fields \u003e...\r\n PVOID Reserved12[1];\r\n ULONG SessionId;\r\n} PEB, *PPEB;\r\nIn our case, the value “BeingDebugged” is “obviously” the one checked. But what does it look like when reversing it? 
Here it’s looking like this.\r\nfs:[18] is where the Thread Environment Block (TEB) is located\r\nds:[eax+30] is needed to get access to the PEB, whose pointer is part of the TEB.\r\nds:[eax+2] is what remains to retrieve the value TEB.PEB.BeingDebugged\r\nhttps://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/\r\nPage 1 of 21\n\nThis one is used multiple times during the execution process of Megumin Trojan.\r\nWindow Title\r\nThe other trick used here is to get the title of the program and compare it with a list of strings. To achieve it, the malware first calls GetForegroundWindow for the window of the current process and then grabs the title with the help of GetWindowTextA.\r\nThe comparison with the strings is done step by step: each XOR-encrypted string is decrypted first, then compared with the window title, and the function continues until every value is checked.\r\nThe complete string list:\r\nOllyDbg\r\nIDA\r\nImmunityDebugger\r\ninDb (refers to WinDbg)\r\nLordP (refers to LordPE)\r\nireshark (refers to Wireshark)\r\nHTTP Analyzer\r\nThis technique is not able to work completely because it only checks the window title of the current process, so some strings will never match at all. When I was reversing it, I didn’t understand at all why it was done like this; maybe it was done fast, or there is another unrelated explanation, and we will never know.\r\nDynamic Process Blacklist\r\nWhen the malware is fully configured, it performs an HTTP POST request called /blacklist. The answer contains the list of processes that the attacker wants to kill whenever the payload is active; the content is encoded in base64 format.\r\nWhen processes are flagged as blacklisted, they are stored into variables as process handles, and they are checked and killed by a simple comparison. 
To terminate them, the ZwTerminateProcess API call (or NtTerminateProcess if you are looking at it in a disassembler) is used, and after the task is accomplished, the value in memory is initialized again to -1, so the loop continues, again and again, making sure these processes will never be able to stay active while the malware is up.\r\nBy default, all values are set to -1 (0xFFFFFFFF).\r\nNetwork interactions list\r\nMegumin is quite noisy in terms of interactions between bots and the C\u0026C, and the amount of API requests is higher than usual compared to the other malware I have analyzed. So, to make it as simple and understandable as possible, I classified them into three categories.\r\nGeneral commands\r\n/suicide: Killing request\r\n/config: Malware config\r\n/msgbox: Fake message prompt window\r\n/isClipper: Is the clipper activated\r\n/isUSB: Is it set up to spread itself on removable drives\r\n/blacklist: Process blacklist\r\n/wallets: Wallet config for the clipper part\r\n/selfDel: Removing the original PE payload\r\nBot commands\r\n/addbot?hwid=: Add a new bot to the C\u0026C (*)\r\n/task?hwid=: Ask for a task\r\n/completed?hwid=: Tell the C\u0026C that the task has been done\r\n/gate?hwid=: Gate for uploading/stealing specific files from bot to C\u0026C\r\n/reconnecttime: Amount of time before the next request between bot and C\u0026C\r\n(*) Only when the User-Agent is strictly configured as “Megumin/2.0”\r\nMiner commands\r\n/cpu: CPU miner configuration\r\n/gpuAMD: AMD GPU miner configuration\r\n/gpuNVIDIA: NVIDIA GPU miner configuration\r\nAs a reminder, all responses from the server are encoded in base64, with the only exception of the /config one, which is in clear.\r\nCuriosity: This malware is also using the same boundary beacon as Vidar and some other malware.\r\nThat “messy” setup\r\nThis trojan is quite curious in how it deploys itself, and the first time I was trying to 
understand the mess, I was like, seriously, what the heck is wrong with the logic of this malware. After that, I thought it was the only weird thing with Megumin, but no. To make the setup more complex, interactions with the C\u0026C differ between stages.\r\nTo explain everything, I decided to split it into multiple steps, to slowly understand its chronological order.\r\nStep 1\r\nIn the first request, the malware downloads a payload named “reserv.exe”. If this file is not empty, it means the current payload is not the main build of the malware. reserv.exe is downloaded and saved into a specific hidden folder in %PROGRAMDATA% named “{MACHINE_GUID}” (for example {656a1cdc-0ae0-40d0-a8bb-fdbd603c3b13}); at the end, this file is renamed to “update.exe”.\r\nThen two or three requests are performed:\r\n/suicide\r\n/msgbox\r\n/selfDel (optional)\r\nA scheduled task is created with this specific name pattern for persistence (the payload name will be “update.exe”), and another entry is added in the registry.\r\n“Scheduled Updater – {*MACHINE_GUID*}”\r\nThen the payload is killed and removed.\r\nReminder: If the malware was not fast enough to download reserv.exe for whatever reason, it is named with a random Windows process name, and it will repeat the process over and over until it grabs reserv.exe.\r\nCuriosity: The way this malware creates a folder in PROGRAMDATA is strictly the same as Arkei, Baldr, Rarog \u0026 Supreme++ (Rarog fork).\r\nMegumin\r\nArkei\r\nRarog\r\nStep 2\r\nreserv.exe is downloaded again, and considering the file is empty this time, the current build is the correct one for communicating with the C\u0026C.\r\nThese requests are performed:\r\n/suicide\r\n/msgBox\r\n/config\r\nThe config is the only request whose response the server does not encode in base64 format; there are 4 possible options.\r\nOption 1 USB task (Spreading the build on removable 
drives)\r\nOption 2 Clipper\r\nOption 3 ???\r\nOption 4 ???\r\nA scheduled task is created with this specific name pattern for persistence, and the payload name is this time a random, known, legitimate Windows process name (same thing in the registry).\r\n“Scheduled Updater – {*MACHINE_GUID*}”\r\nThen the payload is killed and removed.\r\nIf this file is empty, it is considered that the bot reached its final destination and its final C\u0026C, so seeing two Megumin C\u0026C on the same domain could be explained by this (and it was the case on my side).\r\nStep 3\r\nreserv.exe is still checked, to see if there is a new build.\r\nNow the behavior on the network flows is totally new. The bot is way more talkative and is going to be fully set up and registered to the C\u0026C.\r\n/suicide\r\n/config\r\n/addbot?hwid=…\u0026….. # Registration\r\n/blacklist\r\n/wallets\r\n/task?hwid=… # Performs a task\r\n… a lot of possible tasks (explained below)\r\n/completed?hwid=… # Alerting that the task is done\r\n/reconnecttime\r\nFor the addbot part, the registration requires specific fields that are all encoded in base64 format:\r\nMachine GUID\r\nPlatform\r\nWindows version\r\nCPU Name\r\nGPU Name\r\nAntivirus\r\nFilename (name of the Megumin payload)\r\nUsername\r\nExample of request (Any.Run):\r\nhttp://90551.prohoster.biz/megumin/addbot?\r\nhwid=OTAwNTljMzctMTMyMC00MWE0LWI1OGQtMmI3NWE5ODUwZDJm\u0026bit=eDMy\u0026win=V2luZG93cyA3IFByb2Zlc3Npb25hbA==\u0026cpu=SW50Z\r\nStep 4\r\nreserv.exe is still checked, to see if there is a new build.\r\nIf the bot is run after the registration, this pattern of requests is possible:\r\n/suicide\r\n/config\r\n/task?hwid=… # Performs task\r\n… a lot of possible tasks (explained below)\r\n/completed?hwid=… # Alerting that the task is done\r\n/reconnecttime\r\nFake messages\r\nAs shown above, the malware also has a feature to 
prompt a fake window, and this could be used for making “some realistic scenario” of a typical fake software, crack or other crapware, luring the user during execution into believing that the software has been installed or that there is an error during the false installation or execution. It’s really common nowadays to see fake prompt windows for a missing runtime DLL, a fake Fortnite hack or whatever Free Bitcoin trap generator; this kind of lure will always work on some kind of people, even more with kids.\r\nTo configure the feature, the bot sends a specific HTTP POST request named “/msgbox”, and after decoding the base64 response from the server, the response is split into multiple variables:\r\nAn integer value that will represent the icon of the window\r\nA second int value that will represent the buttons that will be used\r\nThe caption (title)\r\nThe text that will be printed on the prompt window\r\nThe input case codes and the corresponding configuration of the prompt window are listed below:\r\nuType – Uint Code – Icons – cases\r\nCase Code Value Meaning\r\n1 0x00000020L Question-mark message box\r\n2 0x00000030L Information message box\r\n3 0x00000040L Warning message box\r\nuType – Uint Code – Buttons – cases\r\nCase Code Value Meaning\r\n0 0x00000002L Abort, Retry \u0026 Ignore buttons\r\n1 0x00000006L Cancel, Try Again, Continue buttons\r\n2 0x00004000L Help button\r\n3 0x00000000L OK button\r\n4 0x00000001L OK \u0026 Cancel buttons\r\n5 0x00000005L Retry \u0026 Cancel buttons\r\n6 0x00000004L Yes \u0026 No buttons\r\n7 0x00000003L Yes, No \u0026 Cancel buttons\r\nClipper\r\nBefore the malware executes the main module, all the regexes that will be used for catching the wanted data are stored dynamically in memory.\r\nThen, when the malware is fully installed, if the clipping feature is activated by the config request, another request called “/wallet” is performed. 
This command gives the bot the list of all the wallets configured to be clipped; the content is base64 encoded.\r\nAt this point, the classy infinite loop, like in Qulab, is performed and will remain the same until the program is killed or crashes.\r\n1. The content of the clipboard is stored into a variable.\r\n2. Step by step, every regex is checked against the clipboard content.\r\n3. If one regex matches, the content of the clipboard is replaced by the one that the attacker wants, and some data is sent to the C\u0026C.\r\n/newclip?hwid=XXX\u0026type=XXX\u0026copy=XXX\u0026paste=XXX\u0026date=XXX\r\nThe whole process of the clipper is represented like this.\r\nFor further investigation, this is the complete list of wallets, software, and websites targeted by this malware.\r\nBitcoin BitcoinGold BtcCash Ethereum\r\nBlackCoin ByteCoin EmerCoin ReddCoin\r\nPeercoin Ripple Miota Cardano\r\nLisk Stratis Waves Qtum\r\nStellar ViaCoin Electroneum Dash\r\nDoge LiteCoin Monero Graft\r\nZCash Ya.money Ya.disc Steam\r\nvk.cc QIWI\r\nTasks\r\nWhen the bot sends a request to the C\u0026C, there are nine different possible tasks to be performed, and they are all presented like this:\r\n\u003cname\u003e|\u003ccommand\u003e|...\r\nThere are currently 3 main categories of tasks:\r\nDDoS\r\nExecuting files\r\nMiscellaneous\r\nWhenever a task is accomplished, the request “/completed?hwid=” is sent to the C\u0026C. 
The reason for this is simple: task executions can be counted, and when the count reaches a specific amount, the task is simply deactivated.\r\nLet’s review them!\r\nDDoS\r\nSocket HTTP\r\nTask format\r\nsocket|time|threads|link\r\nWhen threads need to be created for performing the DDoS tasks, the bot only grabs the specific field and uses it as the length of a thread creation loop, as shown below; lpStartAddress will contain the reference to the specific DDoS function that the bot has to run.\r\nWhen inspecting the function, we can see the layer 7 DDoS attack, flooding the server with HTTP GET requests with the help of sockets.\r\nWhen everything is configured, the send function is called to start the DDoS.\r\nHTTP\r\nTask format\r\nhttp|time|threads|link\r\nAs explained above, the technique always remains the same for the thread setup; only the function addressed is different.\r\nFor the HTTP DDoS task, it’s another layer 7 DDoS attack, flooding the server with HTTP requests by using the methods from the Wininet library:\r\nInternetOpenA\r\nInternetConnectA\r\nHttpOpenRequestA\r\nIt’s slower than the “socket” task, but it is used for the case where the server is using 301 redirects.\r\nTCP\r\nTask format\r\ntcp|time|threads|port|link\r\nThe TCP task is a layer 4 DDoS attack, flooding the server with TCP socket requests on a specified port.\r\nJS Bypass\r\nTask format\r\njsbypass|time|threads|link\r\nWhen the website is using Cloudflare protection, the malware is also configured to use a known trick to bypass it by obtaining a clearance cookie, so it is not challenged anymore.\r\nThe idea is that when it reaches the website for the first time, a 503 error page redirects the attacker to a waiting page (catchable by the string “Just a moment”, as shown above). At this 
moment, Cloudflare is in fact sending the challenge request, so a __cfduid cookie is generated, and the source code of this page is fetched with the help of a parser implemented in the malware. It needs at least 3 parameters, 2 of which are already available:\r\njschl_vc the challenge token\r\npass ???\r\nThe last field is jschl_answer, which, as you can guess, is the answer to the challenge asked by Cloudflare. To solve it, an interpreter was also implemented to parse the JS code, catching the challenge-form value and the a.value field in order to interpret the native code correctly with the right setup.\r\nThe process shown below is the interpreter that analyzes the challenge block by block with the help of a loop; the data is split up, each block is converted into an integer value, and the sum of all of them gives the jschl_answer value.\r\nSo at the end of the waiting page, this request is sent:\r\n/cdn-cgi/l/chk_jschl?jschl_vc=VALUE\u0026pass=VALUE\u0026jschl_answer=VALUE\r\nchk_jschl leads to the creation of the cf_clearance cookie if the answer to the challenge is correct. This cookie is proof that you are authentic and trusted by Cloudflare, so by keeping it for the next requests sent, the website will temporarily no longer challenge the attacker.\r\nMiscellaneous curiosities\r\nThe default values for DDoS tasks are:\r\nTime 180 (in seconds)\r\nThreads 2500\r\nPort 42\r\nLoader\r\nLoad\r\nTask format\r\nload|link\r\nSeeing a loader feature is quite a common thing with the current trends; customers that bought the malware want to maximize their investment at all costs. This trojan is also configured to push some payloads. There is not much to say about this. 
The only important element in this case is that the loaded payload is stored into the %PROGRAMDATA% folder with the name {MACHINE_GUID}.exe.\r\nLoad PE\r\nTask format\r\nloadpe|link\r\nContrary to the simple loader feature, this one is typically a process hollowing alternative. It only works with 32-bit payloads and uses this classy process injection trick into a legitimate process.\r\nFor some reason, the User-Agent “Mozilla/5.0 (Windows NT 6.1) Megumin/2.0” is catchable when it downloads the payload for this specific load PE task.\r\nMore information about process injection techniques here\r\nUpdate\r\nTask format\r\nupdate|build_link\r\nWhen an update of the malware is required, a new build can be pushed to the bot by using this task.\r\nMiscellaneous tasks\r\ncmd\r\nTask format\r\ncmd|command\r\nOne of the possible miscellaneous tasks is sending some cmd commands to the bot. I don’t have a clue about the necessity of this task, but if it’s implemented, there is a reason for that.\r\nComplete list available here\r\nupload\r\nTask format\r\nupload|fullpath\r\nIf the attacker knows exactly what he’s doing, he can steal some really specific files from the bot by indicating the full path of the required one. The crafted request at the end will be in this form, for pushing it to the C\u0026C.\r\n/gate?hwid=XXX\r\nMiner\r\nThe miner is one of the main features of the trojan. 
Most of the time, when analysts are reversing a miner, it is really easy to spot things, and the main ideas are to understand the setup part and how it executes the miner software.\r\nFor future purposes, I consider this checklist relevant when reversing one:\r\nIs it targeting CPU, GPU or both?\r\nIf it’s GPU, are Nvidia \u0026 AMD both targeted?\r\nIs it generating a JSON config?\r\nWhat miner software is/are used?\r\nAre there any blacklisted countries, or specific countries selected for mining?\r\nWhat are the pool addresses?\r\nIn this malware, both hardware types have been implemented, and to check which miner software is required for the GPU part, it only checks the name of the GPU on the bot; if Nvidia or AMD is spotted in the text, the request to the C\u0026C will give the correct setup and miner software.\r\nThe base64-encoded downloaded miner config contains two things:\r\nThe link to the miner software\r\nThe one-line config that will be executed with the downloaded payload with the help of ShellExecuteA\r\nFor some reason, the User-Agent “Mozilla/5.0 (Windows NT 6.1) Megumin/2.0” is only catchable when it downloads the miner software for the CPU part, not for the GPU.\r\nServer-side\r\nLogin Page\r\nThe login page is quite fancy, and the simplest. 
Even if I could be wrong with this statement, it uses the same core template as Supreme++ (Rarog fork) with some tweaks.\r\nSomething interesting to notice with this C\u0026C is that there is no password, but a Google Authenticator 2FA on the authentication part.\r\nDashboard\r\nThere is not too much to say about the dashboard; it’s a classy stats page with these elements:\r\nTop Countries\r\nNew bots infected (weekly)\r\nBots Windows Chart\r\nNumber of bots online (weekly)\r\nBots CPU chart\r\nBots GPU chart\r\nPlatform chart\r\nAV Stats\r\nCurrent cryptocurrencies values\r\nTop stolen wallet by the clipper\r\nBots\r\nBots – Current list of bots\r\nTasks – Task creation \u0026 current task list\r\nFiles – All files that have been uploaded to the C\u0026C with the help of the “upload” task\r\nTask setup\r\nThe tasks that I’ve detailed above are represented like this on the C\u0026C; as usual, it’s designed to be user-friendly for customers, who just want to configure their stuff fast and easily, to be able to steal \u0026 be profitable as quickly as possible.\r\nWhen a task is selected, there is the usual configuration setup for it, with classy fields like:\r\nTask Name\r\nMax Executions routine\r\nIf the task must be designed to target only one bot\r\nAnd an interesting advanced settings tab\r\nIf we look at it, the advanced settings are where the C\u0026C could target bots by:\r\nSpecific hardware requirements\r\nPlatform\r\nCountries\r\nCountries can be easily determined on the victim machine by checking the keyboard locale (I have already explained this trick on Vidar) and the IP.\r\nSo it means that the malware could be designed to target highly 
specific areas.\r\nWhen the task is completed, it is represented like this.\r\nClips\r\nSettings\r\nBots\r\n“USB Spreading” corresponds to the /isUSB API request\r\n“Del exe after start” corresponds to the /selfDel API request\r\nClipper\r\nThe clipper tab is quite simple; it’s just the configuration of all the wallets that will be clipped.\r\nMiner\r\nThe miner tab is quite classy too, just a basic configuration of the miner config and of where it will download the payload.\r\nAs usual, the process blacklist remains the same as we saw in other miner malware. Some Google searching will be sufficient to know which processes are the most targeted.\r\nMessageBox\r\nA fancy message box configuration part with multiple possibilities.\r\nCountries\r\nIt’s also possible to ban bots from specific countries; on the bot side, the malware will check if the country is valid or not with the help of the IP and the keyboard language configuration.\r\nIn the code, it’s easily traceable by these checks; for more explanation about how the keyboard part works, this is already detailed in the Vidar paper.\r\nPanel\r\nFor some reason, there is also a possibility to change the username for the panel authentication; by doing this, the Google Authenticator 2FA is required to confirm the change.\r\nScript\r\nFor further investigation of this v2, I developed a small script called “ohana”, like the Vidar one, to extract the configuration of each sample, and it’s already available on my GitHub repository.\r\nIoCs\r\nDomains\r\n90551.prohoster.biz\r\nbaldorclip.icu\r\nsantaluisa.top\r\nmegumin.top\r\nmegumin.world\r\nPDB\r\nC:\\Users\\Ddani\\source\\repos\\MeguminV2\\Release\\MeguminV2.pdb\r\nC:\\Users\\Administrator\\Desktop\\MeguminV2\\Release\\MeguminV2.pdb\r\nThreat Actors\r\nDanij (Main)\r\nMoongod\r\nMITRE ATT\u0026CK\r\nExecution – Command-Line Interface\r\nExecution – Scheduled Task\r\nPersistence – Scheduled Task\r\nPersistence – Registry Run Keys / Startup Folder\r\nDefense Evasion – File Deletion\r\nDefense Evasion – Hidden Files \u0026 Directories\r\nDefense Evasion – Process Hollowing\r\nPrivilege Escalation – Scheduled Task\r\nCredential Access – Credentials in Files\r\nCollection – Clipboard Data\r\nYara\r\nrule Megumin : Megumin {\r\n meta:\r\n description = \"Detecting Megumin v2\"\r\n author = \"Fumik0_\"\r\n date = \"2019-05-02\"\r\n strings:\r\n $mz = {4D 5A}\r\n $s1 = \"Megumin/2.0\" wide ascii\r\n $s2 = \"/cpu\" wide ascii\r\n $s3 = \"/task?hwid=\" wide ascii\r\n $s4 = \"/gate?hwid=\" wide ascii\r\n $s5 = \"/suicide\" wide ascii\r\n condition:\r\n $mz at 0 and (all of ($s*))\r\n}\r\nConclusion\r\nMegumin Trojan is not a complicated malware, but of all the ones that I have reversed, this is the most talkative one I’ve analyzed, and it possesses quite a number of tasks. 
Let’s see with time how this one will evolve, but it’s confirmed that, at this time, there is a lot of interesting stuff to do with this one:\r\nin terms of analysis\r\nin terms of cybercrime investigation\r\n#HappyHunting\r\n#WeebMalware\r\nSpecial Thanks: S!Ri\r\nPhoto by Jens Johnsson on Unsplash\r\nSource: https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/"
	],
	"report_names": [
		"lets-nuke-megumin-trojan"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a878839e511fa435ab4ead7bdf61dfad356188cd.pdf",
		"text": "https://archive.orkl.eu/a878839e511fa435ab4ead7bdf61dfad356188cd.txt",
		"img": "https://archive.orkl.eu/a878839e511fa435ab4ead7bdf61dfad356188cd.jpg"
	}
}