{
	"id": "3816e42c-fbfc-4d8b-8ca5-4e2e548ef734",
	"created_at": "2026-04-06T00:19:29.034456Z",
	"updated_at": "2026-04-10T03:36:36.873435Z",
	"deleted_at": null,
	"sha1_hash": "affdd6e1902c3ff7e5e617287eadb88839f1190d",
	"title": "TA505 Get2 Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1095137,
	"plain_text": "TA505 Get2 Analysis\r\nBy Jacob Pimental\r\nPublished: 2019-11-24 · Archived: 2026-04-05 14:35:52 UTC\r\nThe TA505 group debuted Get2 and SDBot last month in a new phishing campaign. While there have been some\r\ngreat analyses on the SDBot RAT that is dropped, there have not been many on the Get2 downloader. I wanted to\r\ntake this opportunity to do my own analysis on it. I will not be going over the macro-enabled word document\r\nitself, just the DLL that is dropped. There are also two versions of the DLL, x86 and x64. This analysis will focus on\r\nthe x86 version. If you want to follow along you can get the sample from Hybrid Analysis here.\r\nObfuscation\r\nThe Get2 DLL that comes from the malicious word document is pretty heavily obfuscated and packed using a\r\ncustom packing mechanism. The code contains multiple loops in unnecessary places in order to distract reverse\r\nengineers from the actual functionality. It also contains calls to multiple bogus functions that don’t return anything\r\nof importance. These bogus functions tend to contain multiple loops and calls to more bogus functions. It is very\r\neasy to go down a rabbit hole while analyzing this binary.\r\nOn top of having fake instructions, the DLL also contains self-modifying code. The DLL calls VirtualAlloc to\r\nallocate 3060 bytes of memory. It then dumps data into the newly created space using memcpy.\r\nhttps://www.goggleheadedhacker.com/blog/post/13\r\nPage 1 of 10\n\nIt will then decrypt this data by taking every dword, xoring it by 0x6949, rotating the bits left by 4 and adding\r\n0x77777778. I have created a small python script to emulate this functionality using r2pipe, radare2’s API. You\r\ncan find that here. After the decryption occurs, we can see new code formed in memory that is executed. This code\r\nappears to be importing functions such as VirtualAlloc, GetProcAddress, VirtualProtect, LoadLibraryA, and\r\nVirtualFree.
This leads us to believe that more unpacking is necessary.\r\nUnpacking\r\nWe can see that earlier there was data moved into the memory space at [ebp – 78] , [ebp – 74] , and [ebp –\r\n70] which is referenced in this new set of code based on the offset of the argument, [ebp + 8] . The data moved\r\ninto [ebp – 78] contains a list of bytes that will be decrypted. [ebp – 74] contains 0x3c870 which is the\r\nlength of the data to be decrypted, and [ebp – 70] contains 0x4178, the decryption key. This round of\r\ndecryption is slightly different from the first. The first thing that the malware does is loop through each index of\r\nthe encrypted data and if the index is divisible by two then it will skip two bytes and move the data at that index\r\ninto a buffer. For clarity, this follows the pattern [2, 3, 6, 7, 10, 11, 14…] and can be represented as the following\r\npython code:\r\ncompressed_data = b''\r\nx = 0\r\nwhile x \u003c len(data):\r\n    if x % 2 == 0:\r\n        x += 2  # skip two bytes on every even index\r\n        if x \u003e= len(data):  # guard: the skip can run past the end of the buffer\r\n            break\r\n    compressed_data += bytes([data[x]])\r\n    x += 1\r\nOnce the data is moved into the new buffer the malware will follow the normal decryption process we saw earlier\r\nby xoring each dword and rotating the bits left by 4, this time using the key 0x4178.\r\nThe resulting data looks like a mangled PE header, which leads us to believe that there is more deobfuscation\r\nnecessary. The final stage of this process is quite complicated. It involves multiple ways of moving bytes from our\r\nnewly decrypted data to an empty buffer, but no actual decryption occurs.
The paths that the deobfuscation\r\nalgorithm could take are:\r\nTo simply copy one byte from the current index of the decrypted data into the empty buffer\r\nTo copy previous data that was inserted into the empty buffer into the current index of the buffer\r\nTo move the byte 00 into the current index of the buffer x number of times\r\nThese paths were all dependent on a “check” function that would take into account the current index of the\r\nencrypted data, and two global variables. The check function works as follows:\r\nCheck if global_1 is 0\r\nIf So:\r\nMove the current byte of the encrypted data into global_2\r\nIncrement the current index of the encrypted data by 1\r\nMove 7 into global_1\r\nElse:\r\nglobal_1 = global_1 – 1\r\nMove the result of shifting global_2 right by 7 and anding it with 1 ((global_2 \u003e\u003e 7) \u0026 1) into the return\r\nregister\r\nglobal_2 = global_2 shifted left by 1\r\nreturn\r\nI have made a python script that mimics the unpacking functionality and writes out the final payload to a file. You\r\ncan find that here.\r\nHere is a tinygraph view of the final deobfuscation function which shows just how complicated the algorithm is:\r\nThe extracted binary is UPX packed. We can simply unpack it using the command upx -d \u003cpacked_binary\u003e .\r\nLooking at the exports of the newly unpacked binary we can see the function getandgodll_Win32.dll_IKAJSL.\r\nThis is most likely where execution will continue.\r\nThis exported function seems to call one function then exit. It is safe to assume that the called function will be the\r\nmain function for this binary.
This main function will grab the UserName of the user the malware is running as,\r\nthe name of the PC, the version of Windows the malware is running on, and a list of the currently running\r\nprocesses. It then concatenates this data into the string:\r\n“\u0026D=\u003cComputerName\u003e\u0026U=\u003cUserName\u003e\u0026OS=\u003cWindowsVersion\u003e\u0026PR=\u003cProcess list\u003e”\r\nIt will then send a POST request with these parameters to the C2 using the WinHttp library, with the user agent:\r\nMozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r\nThe response will send back a list of URLs that contain the final payload (normally SDBot). The Get2 downloader\r\nwill download these payloads and run them on the victim’s machine.\r\nConclusions\r\nOverall this was a very interesting and fun sample to analyze. The code was complicated and seemed\r\nsophisticated, which is what you would expect from this threat actor. I am hoping this article helps others with\r\nanalyzing this particular downloader. I am always open to feedback, so feel free to send me messages on my\r\nTwitter or LinkedIn letting me know what I can improve on in these articles.\r\nThanks for reading and happy reversing!\r\nRadare2, Malware Analysis, Malware Windows, Scripting, Automation, r2pipe, unpacking\r\nSource: https://www.goggleheadedhacker.com/blog/post/13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.goggleheadedhacker.com/blog/post/13"
	],
	"report_names": [
		"13"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/affdd6e1902c3ff7e5e617287eadb88839f1190d.pdf",
		"text": "https://archive.orkl.eu/affdd6e1902c3ff7e5e617287eadb88839f1190d.txt",
		"img": "https://archive.orkl.eu/affdd6e1902c3ff7e5e617287eadb88839f1190d.jpg"
	}
}