{
	"id": "07a0ff8d-3070-485f-a84a-7f762ccf7df4",
	"created_at": "2026-04-06T00:09:22.337069Z",
	"updated_at": "2026-04-10T03:36:08.326699Z",
	"deleted_at": null,
	"sha1_hash": "c0d27f1716f5a62e884a7876dcd6f94e9b61f6ae",
	"title": "A Relook at the TerraLoader Dropper DLL",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 736817,
	"plain_text": "A Relook at the TerraLoader Dropper DLL\r\nBy Jason Reaves\r\nPublished: 2021-04-09 · Archived: 2026-04-05 14:37:52 UTC\r\nThe malware author responsible for TerraLoader, believed to be BadBullzVenom[4] (an attribution that surfaced after a\r\ndisagreement between the actor and a customer played out on an underground forum marketplace), appears to have\r\nbeen busy updating their delivery system, TerraLoader, again. An excellent report was posted\r\nonline by Twitter user @Arkbird_SOLG [1,5] using a sample discovered by @malz_intel. That report is thorough, so\r\nthis is mostly an addendum of my reverse engineering notes on the same sample[2], focused on the DLL that builds\r\nand delivers the JavaScript backdoor commonly referred to as ‘more_eggs’.\r\nInitial Overview\r\nThis is just a quick overview to get to the DLL portion; the earlier stages are already covered in previous\r\nresearch[1].\r\nScriptlet:\r\nMD5: f93fdcf5856feb254a26547dc8c2b671\r\nSHA1: 1c038a86b337cf72663da5b6780d34ba0fb1c0c9\r\nSHA256: 000a5e63109b3c653d63d84d03fe474242b987bfadda9aeaa200653fd2155a31\r\nhttps://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244\r\nPage 1 of 8\n\nThe scriptlet decodes out a DOC file and a DLL; the DOC file appears to be a decoy that distracts from the loading of the DLL.\r\nDoc: 11e54f594949a4c7f13e85b4ac2cbd555200ac34e6d61b58a71fbcfccc0497cd\r\nDLL: fb55b26b8edee2431b35d0e28df5f223510a15344ede400a2f5c04a0d45e6b77\r\nString Encoding Updates\r\nThe string encoding is a bit different now. The dropper DLL has always used a simple XOR based\r\nroutine to brute-force its own string encoding key, with various secondary routines (XOR, AES, RC4) that use the key\r\nonce it is found. 
The author has moved to RC4 for brute-forcing the string encoding key, which\r\nmakes the whole process take longer but has the added benefit of doubling as a sleep routine.\r\nThe sample takes three pieces of data: an encrypted blob, a starting RC4 key string, and the expected plaintext the blob\r\nmust decrypt to, which is used to check that the correct key has been found.\r\nEncrypted data:\r\nb8e0ce81bcd3023bf5e2b37d3e1c801d99bd3f7f408c87b7923673d7840797a024f78d62552de17aba3d10c4\r\nStarting RC4 key:\r\nSouXRE\r\nDecrypted data:\r\nb92fe2de81d94d05b0431c545221cfbc23ad2f47a9279a20498948b9d4b3ffdf4b22669a1eace7a3b14862d2\r\nThe brute-force routine works by taking an integer counter starting at 0, converting it to a string,\r\nappending it to the starting key, decrypting the encrypted data with the resulting key and checking that the output matches the expected\r\ndata. If it does not match, the counter is incremented and the process repeats until a match is found.\r\nIf you understand how RC4 works you can see the flaw in this from a static reverse\r\nengineering perspective: RC4 is a stream cipher that XORs the plaintext with a keystream derived from the key, so a known\r\nplaintext/ciphertext pair hands over that keystream directly. We can recover enough of the keystream to decode most of the strings on\r\nboard without ever brute-forcing the key.\r\nencoded_data ^ decoded_data = partial RC4 XOR Keystream\r\nUsing this knowledge we can recover part of the RC4 XOR keystream:\r\n01cf2c5f3d0a4f3e45a1af296c3d4fa1ba101038e9ab1d97dbbf3b6e50b4687f6fd5ebf84b8106d90b757216\r\nThis only works because each string is decrypted with a freshly initialised RC4 state under the same key, so every string shares the same\r\nkeystream prefix; the check blob is 44 bytes, so strings longer than that can only be partially recovered, which is why it is most\r\nof the strings rather than all of them.\r\nUsing that data we can decode most of the strings from the sample, and they all line up with previously listed\r\nstrings: the malware is basically designed to build out the more_eggs backdoor, drop it to disk and\r\ndetonate it.\r\nPartial strings for reference:\r\n%APPDATA%\r\n/B /e:jsCript\r\nmsxsl.exe\r\nCED1712A510453BEE1F83F8AE7\r\na2service.exe\r\nschtasks.exe\r\n /Create /TN\r\nUserInitMprLogonScript\r\nPROCESSOR_IDENTIFIER\r\n.ComputerName +\r\nCOMPUTERNAME\r\nFLAREVM\r\nUSERNAME\r\nNotepad\r\nData Encoding Updates\r\nAs noted by the author of the earlier referenced report[1], the new backdoor is dropped encoded\r\nwith host-specific information mixed into the key, which makes it harder to recover the\r\nbackdoor from disk unless you know the computer name and processor identifier of the system it was dropped on.\r\nWe can see evidence of this in the partial strings above: ‘PROCESSOR_IDENTIFIER’ and\r\n‘COMPUTERNAME’ along with ‘.ComputerName +’, which are used by parts of the wrapper around the backdoor\r\nto decode it. If the dropper DLL is responsible for this piece then the backdoor must exist\r\nsomewhere in the DLL:\r\nIn the screenshot above we can see a large block of data has its size calculated, memory allocated, the data copied into the\r\nnew memory and then the string ‘CED1712A510453BEE1F83F8AE7’ decrypted. Right after this a call to the\r\nRC4 routine takes place:\r\nAfter calling RC4, labeled ‘RC4_maybe’ because this picture was taken while I was still mapping out the sample,\r\na call to an onboard DEFLATE routine takes place. 
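Before looking at the decoded output, here is the String Encoding Updates logic as a worked example. This is added code written for this page, not the dropper's code and not from the original write-up: a pure-Python RC4 (so it runs offline without pycryptodome), a brute_force_key that mirrors the counter-suffix search the DLL performs, and recover_keystream / decode_with_keystream for the known-plaintext shortcut. The check blob, the expected plaintext and the SouXRE prefix are the real values quoted above; the key suffix 1337 and the DEMO_KEY, DEMO_CT and DEMO_STRINGS values are constructed for the demo, because the real suffix is not given here.

```python
# Added example (not the TerraLoader author's code): the two things the
# String Encoding Updates section describes, in pure Python so it runs offline.
#  1. the dropper's own key search: append a decimal counter to a fixed key
#     prefix, RC4-decrypt a check blob, compare with the expected plaintext;
#  2. the analyst shortcut: ciphertext XOR known plaintext gives the RC4
#     keystream, which decodes any other string encrypted under the same key
#     without ever finding the key.

def rc4(key, data):
    '''RC4 (KSA + PRGA); encryption and decryption are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)

# Check blob and expected plaintext quoted in the write-up, key prefix SouXRE.
CHECK_CT = bytes.fromhex('b8e0ce81bcd3023bf5e2b37d3e1c801d99bd3f7f408c87b7923673d7840797a024f78d62552de17aba3d10c4')
CHECK_PT = bytes.fromhex('b92fe2de81d94d05b0431c545221cfbc23ad2f47a9279a20498948b9d4b3ffdf4b22669a1eace7a3b14862d2')
KEY_PREFIX = b'SouXRE'

def brute_force_key(prefix, ct, pt, limit=1000000):
    '''Mirror the dropper: try prefix + str(0), prefix + str(1), ... until
    RC4(candidate, ct) == pt. Returns the key, or None if limit is reached.'''
    for n in range(limit):
        cand = prefix + str(n).encode()
        if rc4(cand, ct) == pt:
            return cand
    return None

def recover_keystream(ct, pt):
    '''ct XOR pt = the first len(ct) bytes of the RC4 keystream for that key.'''
    return bytes(a ^ b for a, b in zip(ct, pt))

def decode_with_keystream(ks, enc):
    '''Decode any string encrypted under the same key, as long as it is no
    longer than the recovered keystream. Returns None when it is too long.'''
    if len(enc) > len(ks):
        return None
    return bytes(a ^ b for a, b in zip(ks, enc))

# Constructed demo data (not from the sample): the real key suffix is unknown
# here, so we pick one, encrypt under it, and show both recovery routes agree.
DEMO_KEY = KEY_PREFIX + b'1337'
DEMO_CT = rc4(DEMO_KEY, CHECK_PT)        # what the DLL would carry on board
DEMO_STRINGS = [rc4(DEMO_KEY, s) for s in (b'%APPDATA%', b'msxsl.exe', b'FLAREVM')]

if __name__ == '__main__':
    print('partial keystream from the real pair:', recover_keystream(CHECK_CT, CHECK_PT).hex())
    print('brute-forced demo key:', brute_force_key(KEY_PREFIX, DEMO_CT, CHECK_PT))
    ks = recover_keystream(DEMO_CT, CHECK_PT)   # no key needed from here on
    for e in DEMO_STRINGS:
        print(decode_with_keystream(ks, e))
```

Run it directly to print the keystream recovered from the real pair (it matches the hex listed above) and the demo key found by the counter search. decode_with_keystream returns None for a string longer than the recovered keystream, which is exactly the limit that makes the shortcut recover most rather than all of the strings; for those you still need the key.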
Let’s check what is decoded (data is the large block copied out of the DLL, the key is the decrypted ‘CED1712A510453BEE1F83F8AE7’ string, and the -15 window size tells zlib to inflate raw DEFLATE with no header):\r\n\u003e\u003e\u003e key = 'CED1712A510453BEE1F83F8AE7'\r\n\u003e\u003e\u003e from Crypto.Cipher import ARC4\r\n\u003e\u003e\u003e rc4 = ARC4.new(key)\r\n\u003e\u003e\u003e t = rc4.decrypt(data)\r\n\u003e\u003e\u003e import zlib\r\n\u003e\u003e\u003e t[:50]\r\n'\\xed}kw#7\\xae\\xe0g\\xe7\\x9c\\xfc\\x87\\x8a\\xee\\x9d\\xb44\\xed\\x96\\xeb\\xa1g\\x94\\xce\\xac^N\\xf7\\xa6\\x1f\\xbe\\x\r\n\u003e\u003e\u003e t2 = zlib.decompress(t,-15)\r\n\u003e\u003e\u003e t2[:100]\r\n'var BV = \"6.6b\";\\r\\nvar Gate = \"https://d27qdop2sa027t.cloudfront.net/spmar/d9264\";\\r\\nvar hit_each\r\nLater in the sample the msxsl.exe binary is decoded the same way, from a second block (data1) with the same key:\r\n\u003e\u003e\u003e key = 'CED1712A510453BEE1F83F8AE7'\r\n\u003e\u003e\u003e from Crypto.Cipher import ARC4\r\n\u003e\u003e\u003e rc4 = ARC4.new(key)\r\n\u003e\u003e\u003e t = rc4.decrypt(data1)\r\n\u003e\u003e\u003e import zlib\r\n\u003e\u003e\u003e t2 = zlib.decompress(t,-15)\r\n\u003e\u003e\u003e t2[:100]\r\n'MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00@\\x00\\x00\\\r\nPart of the XML for the scheduled task is also recoverable:\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n \u003cAuthor\u003eSYSTEM\u003c/Author\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n \u003cBootTrigger\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003c/BootTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n \u003cPrincipal id=\"Author\"\u003e\r\n \u003cUserId\u003eS-1-5-18\u003c/UserId\u003e\r\n \u003cRunLevel\u003eHighestAvailable\u003c/RunLevel\u003e\r\n \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n 
\u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n \u003cDisallowStartIfOnBatteries\u003efalse\u003c/DisallowStartIfOnBatteries\u003e\r\n \u003cStopIfGoingOnBatteries\u003efalse\u003c/StopIfGoingOnBatteries\u003e\r\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n \u003cStartWhenAvailable\u003etrue\u003c/StartWhenAvailable\u003e\r\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n \u003cIdleSettings\u003e\r\n \u003cStopOnIdleEnd\u003efalse\u003c/StopOnIdleEnd\u003e\r\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n \u003c/IdleSettings\u003e\r\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n \u003cWakeToRun\u003etrue\u003c/WakeToRun\u003e\r\n \u003cExecutionTimeLimit\u003ePT0S\u003c/ExecutionTimeLimit\u003e\r\n \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n \u003cExec\u003e\r\n \u003cCommand\u003ecscripT\u003c/Command\u003e\r\n \u003cArguments\u003e\r\nNote the principal S-1-5-18 (SYSTEM) with RunLevel HighestAvailable, the boot trigger with no execution time limit (PT0S), and the case-mangled cscripT command, which pairs with the ‘/B /e:jsCript’ argument string recovered above.\r\nOne of the strings also stands out as I don’t remember seeing it in these samples before: ‘FLAREVM’. FLARE VM is\r\na Windows malware analysis distribution that FireEye released which allows for the quick creation of a virtual machine\r\nfor malware analysis[3], and the dropper appears to be checking whether the computer name is FLAREVM:\r\nI haven’t verified if the sample will fail to infect as I am still in the process of statically mapping out the updated\r\nsample but this check function does happen before the backdoor is decoded:\r\nReferences\r\n1. https://twitter.com/Arkbird_SOLG/status/1375945806474317831\r\n2. 
https://app.any.run/tasks/b1d3a533-912b-4fe9-86cc-69d4bda40453/\r\n3. https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html\r\n4. https://malpedia.caad.fkie.fraunhofer.de/actor/venom_spider\r\n5. https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md\r\nSource: https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244"
	],
	"report_names": [
		"a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244"
	],
	"threat_actors": [
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434162,
	"ts_updated_at": 1775792168,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0d27f1716f5a62e884a7876dcd6f94e9b61f6ae.pdf",
		"text": "https://archive.orkl.eu/c0d27f1716f5a62e884a7876dcd6f94e9b61f6ae.txt",
		"img": "https://archive.orkl.eu/c0d27f1716f5a62e884a7876dcd6f94e9b61f6ae.jpg"
	}
}