{
	"id": "3e7b0a37-2629-494b-8a77-85681891814a",
	"created_at": "2026-04-06T00:18:23.575317Z",
	"updated_at": "2026-04-10T03:20:31.09709Z",
	"deleted_at": null,
	"sha1_hash": "b6007a925229dee1034a2e4ea66fde2fd7356062",
	"title": "Netwalker Ransomware: [API Call Obfuscation (using Structure) and Evading Memory Forensic]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1456079,
	"plain_text": "Netwalker Ransomware: [API Call Obfuscation (using Structure)\r\nand Evading Memory Forensic]\r\nPublished: 2020-05-14 · Archived: 2026-04-05 21:51:09 UTC\r\nToday I just want to share some interesting obfuscation and anti-memory-forensic techniques I learned from the Netwalker ransomware that make its code more time consuming and harder to analyze. This also includes the first part, an obfuscated PowerShell script that serves as the loader of the malware.\r\nStage 1: Obfuscated PowerShell:\r\nThis Netwalker ransomware variant starts with 3 layers as follows:\r\n1st Layer: base64 encoded PowerShell.\r\n2nd Layer: (after decoding the base64) an encrypted array of bytes, decrypted with a single-byte XOR using the key 0xc4 and then run through a ScriptBlock.\r\n3rd Layer: (after decrypting the 2nd layer) two hex byte arrays, the x86 and x64 versions of the Netwalker binary, which are injected into a process by C# code that PowerShell compiles and loads with Add-Type.\r\nhttps://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html\r\nPage 1 of 9\r\nfigure 1: the 3 layered powershell script\r\nfigure 2: the C# loader written in powershell using Add-Type\r\nStage 2: No MZ Header Binaries\r\nAs we saw in the last layer of the PowerShell script, it injects the ransomware (the x86 or x64 binary) into the explorer.exe process. The interesting part is that after I decoded those hex byte arrays, I noticed that the binaries have no MZ header. Dropping the header is a technique to evade memory forensic tools and quick checks that look for an injected executable in a process by scanning for the MZ signature at the start of a region.\r\nfigure 3: NO MZ Header Files\r\nStage 3: Obfuscated API Call Using Structure\r\nThis Netwalker ransomware has no import table. 
It dynamically harvests the APIs it needs by hashing every name in the export table of each required DLL module, comparing the results against the hashes embedded in its code, and saving the resolved addresses into a structure object. Below is a screenshot of the raw Hex-Rays view of the import harvesting before and after resolving the API hashes and the structure array using IDAPython.\r\nfigure 4: API harvesting Function\r\nThe hashing algorithm looks complicated based on its graph, but it is actually just a loop of XOR and rotate bit operations with specific keys.\r\nfigure 5: Hashing algorithm\r\nBut the obfuscation does not end here. Recall that it places the resolved API addresses into a structure object. That structure is then assigned to another variable by a function, and the members are accessed through that second variable, which makes the analysis more confusing.\r\nfigure 6: Declare multiple Structure as a obfuscation\r\nThanks to IDAPython for helping me create a structure out of the harvested APIs, which makes the static analysis much easier.\r\nfigure 7: Add Structure\r\nLesson Learned:\r\nI learned that there are so many ways to obfuscate code against analysis, and that even data structures can be used to make the analysis a little bit confusing, like what I experienced. :)
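The three loader layers from Stage 1 and the headerless-payload check from Stage 2, as an added example that is not part of the original post and not Netwalker's code: a Python unwrapper that base64-decodes the first layer (treating it as the UTF-16LE form PowerShell's -EncodedCommand uses when the decoded bytes look like it, an assumption since the post only says base64), pulls the largest [Byte[]] array out of the second layer, XORs it with 0xc4, and extracts the hex byte arrays of the third layer. The loader text, the XOR layout and the two stand-in images are constructed here; the MZ-less images carry a PE signature at a hypothetical offset of 0x40 so the check has something to find.

```python
import base64
import re

# Constants from the write-up: the second layer is XORed with 0xc4 and run via ScriptBlock.
XOR_KEY = 0xC4
HEX_BYTE = re.compile('0x([0-9a-fA-F]{2})')
NL = chr(10)
MACHINES = {0x14C: 'x86', 0x8664: 'x64'}


def decode_base64_script(blob):
    # Layer 1: base64 -> script text. -EncodedCommand carries UTF-16LE, so use that
    # when the odd bytes are mostly NUL (assumption: the post only says base64).
    raw = base64.b64decode(blob)
    if raw[1::2].count(0) > len(raw) // 4:
        return raw.decode('utf-16-le')
    return raw.decode('latin-1')


def byte_arrays(script):
    # Collect every '[Byte[]]$name = 0x..,0x..' declaration as {name: bytes}.
    found = {}
    for line in script.splitlines():
        if '[Byte[]]' not in line or '=' not in line:
            continue
        lhs, rhs = line.split('=', 1)
        name = lhs.split('$', 1)[1].strip()
        found[name] = bytes(int(h, 16) for h in HEX_BYTE.findall(rhs))
    return found


def unwrap_loader(encoded):
    # Peel all three layers; returns the decoded scripts and the layer-3 payload arrays.
    layer2 = decode_base64_script(encoded)
    encrypted = max(byte_arrays(layer2).values(), key=len)   # the big array is the payload
    layer3 = bytes(b ^ XOR_KEY for b in encrypted).decode('latin-1')
    return {'layer2': layer2, 'layer3': layer3, 'payloads': byte_arrays(layer3)}


def describe_payload(blob):
    # Stage 2 check (heuristic, mine): an image with the DOS header stripped fails the
    # usual 'starts with MZ' test, but the PE signature inside the NT headers survives,
    # so scan for it and read the Machine field that follows it.
    sig = blob.find(bytes([0x50, 0x45, 0x00, 0x00]))        # 'PE' followed by two NULs
    machine = None
    if sig >= 0 and sig + 6 <= len(blob):
        machine = MACHINES.get(int.from_bytes(blob[sig + 4:sig + 6], 'little'))
    return {'has_mz': blob[:2] == b'MZ', 'pe_sig_offset': sig, 'machine': machine}


# ---- constructed sample (not the real loader; mirrors the layout the post describes) ----

def hexlist(blob):
    return ','.join('0x%02X' % b for b in blob)


def fake_headerless_pe(machine):
    # Stand-in image: 0x40 blank bytes where the DOS header would be, then 'PE' + Machine.
    return bytes(0x40) + bytes([0x50, 0x45, 0, 0]) + machine.to_bytes(2, 'little') + bytes(20)


def build_sample():
    layer3 = NL.join([
        '[Byte[]]$x86 = ' + hexlist(fake_headerless_pe(0x14C)),
        '[Byte[]]$x64 = ' + hexlist(fake_headerless_pe(0x8664)),
        'Add-Type -TypeDefinition $csharp',
        '[Injector]::Run($x64, $pid)',
    ])
    encrypted = bytes(b ^ XOR_KEY for b in layer3.encode('latin-1'))
    layer2 = NL.join([
        '[Byte[]]$enc = ' + hexlist(encrypted),
        '$dec = $enc | ForEach-Object { $_ -bxor 0xc4 }',
        '& ([ScriptBlock]::Create([Text.Encoding]::ASCII.GetString($dec)))',
    ])
    return base64.b64encode(layer2.encode('utf-16-le')).decode('ascii')


if __name__ == '__main__':
    result = unwrap_loader(build_sample())
    for name, blob in result['payloads'].items():
        print(name, describe_payload(blob))
```

Running it, describe_payload reports has_mz False for both arrays while still locating the PE signature and the Machine field: a memory scanner that only keys on MZ at the start of a region misses exactly the images the post describes, so scan for the NT header signature as well, and validate the Machine field because those four bytes can occur by chance in unrelated data.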
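The hash resolution and the structure from Stage 3, as an added example (mine, not the post's IDAPython script and not Netwalker's routine): every candidate export name is pushed through the hash function, the results are keyed by hash, and the constants lifted from the harvesting function are looked up to get (module, name) pairs, which are then rendered as a C struct in resolution order for pasting into IDA's Local Types. The rotate count and XOR key in api_hash are placeholders standing in for the loop of XOR and rotate the post describes, the export list is a hand-picked subset of real kernel32/advapi32/ntdll names, and the observed hashes are computed from known names rather than read out of the sample.

```python
NL = chr(10)
MASK = 0xFFFFFFFF
ROT = 13           # hypothetical rotate count, not Netwalker's
KEY = 0x3A5B7C9D   # hypothetical per-round XOR key, not Netwalker's


def ror32(value, count):
    # 32-bit rotate right, the primitive the post's hash loop is built from.
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK


def api_hash(name, rot=ROT, key=KEY):
    # Placeholder for the sample's loop of XOR and rotate with specific keys. Replace
    # the body with the loop recovered from the hashing function before use on a case.
    h = 0
    for ch in name.encode('ascii'):
        h = ror32(h ^ ch, rot) ^ key
    return h


# Constructed subset of real export names. On a live case, feed the full export
# directory of each DLL (for example read with pefile) instead of this list.
EXPORTS = {
    'kernel32.dll': ['LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'CreateFileW', 'WriteFile'],
    'advapi32.dll': ['CryptAcquireContextA', 'CryptGenRandom', 'RegOpenKeyExW'],
    'ntdll.dll': ['NtQueryInformationProcess', 'RtlAllocateHeap'],
}


def build_hash_table(exports, hasher=api_hash):
    # hash -> list of (module, export); collisions stay visible instead of being hidden.
    table = {}
    for module, names in exports.items():
        for name in names:
            table.setdefault(hasher(name), []).append((module, name))
    return table


def resolve(hashes, table):
    # Map each hash constant pulled from the harvesting routine back to (module, name).
    # None marks a hash that no candidate export produced: missing DLL, wrong algorithm,
    # or an ambiguous collision that needs a human look.
    resolved = []
    for h in hashes:
        hits = table.get(h & MASK, [])
        resolved.append((h, hits[0] if len(hits) == 1 else None))
    return resolved


def emit_struct(resolved, struct_name='api_table', ptr_size=8):
    # Render the resolved table as a C struct, one pointer per slot in resolution order,
    # so each field read in the decompiler shows the API it really calls.
    lines = ['struct ' + struct_name + ' {']
    for index, (h, hit) in enumerate(resolved):
        field = hit[1] if hit else 'unk_%08X' % h
        lines.append('    void *%s;    // +0x%X  hash 0x%08X' % (field, index * ptr_size, h))
    lines.append('};')
    return NL.join(lines)


if __name__ == '__main__':
    # Stand-in for constants read out of the sample: known names hashed, plus one unknown.
    observed = [api_hash('LoadLibraryA'), api_hash('GetProcAddress'),
                api_hash('CryptGenRandom'), 0xDEADBEEF]
    print(emit_struct(resolve(observed, build_hash_table(EXPORTS))))
```

Swap api_hash for the loop recovered from the sample and feed build_hash_table the real export directories of DLLs from a matching Windows build; hashes that resolve to nothing usually mean a missing module or a wrong constant, and because the table keeps collisions as lists a double hit is flagged as None rather than silently picking one name.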
IOC:\r\nhttps://app.any.run/tasks/6bb00be0-cd0a-4d9a-a1ea-72cd275ded0e/\r\nPowershell:\r\nfilename: powershell.ps1\r\nmd5: 5bec43ea21e95a68abafa8c7f99d1e6c\r\nsha1: 22df933f2b33f3f4ffee22b51b4f8fa0268bb327\r\nsha256: b7c7fa9b74aacf331871a9e5438678bce46002618fa106429225161d94e22e44\r\nx64 Netwalker Ransomware:\r\nfilename: x64.bin\r\nmd5: bc96c744bd66ddfaa79d467b757b8628\r\nsha1: a379f9e04708d773a2dec897166780b026f4c4ea\r\nsha256: 2c245db9fb9b2c6e84832662dda3dfff3c6b21128d9fec115f5b989fb090841d\r\nx86 Netwalker Ransomware:\r\nfilename: x86_raw.bin\r\nmd5: de61b852cadac6afe307652b187ca5df\r\nsha1: fa02c1d394bc150d8a62d3f991d0fdc042ee9724\r\nsha256: e8c5c0b70d45a5dc80d678ed7102abf9882efb9cbc2cff20f171d60d5205051d\r\nSource: https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html"
	],
	"report_names": [
		"netwalker-ransomware-api-call.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6007a925229dee1034a2e4ea66fde2fd7356062.pdf",
		"text": "https://archive.orkl.eu/b6007a925229dee1034a2e4ea66fde2fd7356062.txt",
		"img": "https://archive.orkl.eu/b6007a925229dee1034a2e4ea66fde2fd7356062.jpg"
	}
}