{
	"id": "4f3623ec-b712-4f62-a6e6-d0d982ac005f",
	"created_at": "2026-04-06T00:12:32.218946Z",
	"updated_at": "2026-04-10T03:20:20.988882Z",
	"deleted_at": null,
	"sha1_hash": "c8d9ca4d46ecfbadcd5bf6533a29ae7cecc6d8ee",
	"title": "PseudoManuscrypt Being Distributed in the Same Method as Cryptbot - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 705628,
	"plain_text": "PseudoManuscrypt Being Distributed in the Same Method as\r\nCryptbot - ASEC\r\nBy ATCP\r\nPublished: 2022-02-08 · Archived: 2026-04-02 12:43:12 UTC\r\nThe ASEC analysis team has discovered that PseudoManuscrypt malware has been distributed in Korea since\r\nMay 2021. Introduced in the previous ASEC blog, PseudoManuscrypt is distributed disguised as an installer whose form\r\nresembles that of Cryptbot. Not only is its file form similar to Cryptbot, but it is also distributed\r\nvia malicious sites exposed on the top search page when users search for illegal programs related to commercial\r\nsoftware, such as cracks and keygens.\r\nThe team has confirmed the executable file path below in the logs collected by AhnLab’s ASD (AhnLab Smart\r\nDefense) infrastructure, and it appears that the user was trying to download a Windows validation program from a\r\nmalicious site.\r\nExecutable File Path\r\n…\\downloads\\60b63e_kmsauto-net-201\\kmsauto-net-2016-v154-windows-10-activator-portable\\60b63e21e82a660b63e21e_setup_v18.2.9\\main_setup_x86x64.exe\r\nLog Detection Graph\r\nSuch a distribution method targets random users, and it has been confirmed that numerous PCs in Korea were\r\ninfected. The figure above is a graph of the number of logs detected since the start of distribution (May\r\n2021) until now. The green graph shows the number of infected PCs, and the red graph shows the number of\r\ndetected files. You can see that on average, around 30 PCs were consistently being infected every day.\r\nhttps://asec.ahnlab.com/en/31683/\r\nPage 1 of 8\n\nPseudoManuscrypt operation flow\r\nThe top-level file disguised as an illegal program is in the form of an NSIS (Nullsoft Scriptable Install System)\r\ninstaller, and it creates and executes the “setup_installer.exe” file. “Setup_installer.exe” is in the form of a 7z SFX,\r\nand it creates a Loader file, various malware, and numerous DLL files.\r\nThe DLL files are all normal files, and they are\r\nlibraries needed to execute the Loader file. Loader executes the various malware that was created together with it, and\r\nthis process is the same as the execution process of Cryptbot. Other than PseudoManuscrypt, malware executed by\r\nLoader includes SmokeLoader, Glupteba, etc., and PseudoManuscrypt is in the form of a 7z SFX. Finally,\r\nPseudoManuscrypt creates install.dll (a Loader that performs decoding) and install.dat (encoded shellcode) in the\r\n%TEMP% path. It then creates and executes a shortcut file called “install.dll.lnk” to call a certain function\r\ninside the install.dll file.\r\nProperty of install.dll.lnk\r\nC:\\Windows\\system32\\rUNdlL32.eXe “%TEMP%\\install.dll”,install\r\nPseudoManuscrypt execution flow (2)\r\nThe install.dll file decodes the install.dat file and executes it in memory. The install.dat file contains shellcode\r\nand encoded, compressed PE data; the shellcode decodes the encoded and compressed PE data and\r\nexecutes it. The PE data then performs the actual malicious behavior and decodes additional data it contains to create a file\r\nwith the tmp extension, which is then registered as a service. Details about the PE data are explained below.\r\nCommand line scan\r\nThe loaded PE data first checks whether the name of the currently running process is svchost.exe. In this case, the current\r\nprocess was run as rundll32.exe by the shortcut file.\r\nMachineGuid value\r\nWhen it is not a svchost.exe process, it creates a certain registry key and saves malicious data in it. For the name of the\r\ncreated registry key, it uses the MachineGuid value that exists in the HKLM\\SOFTWARE\\Microsoft\\Cryptography\r\nregistry key. MachineGuid is a HardwareID value that is unique to each PC.\r\nIt uses this characteristic to\r\ncreate the registry key name.\r\nThe MachineGuid value is encoded using the “Global” string, and the encoded MachineGuid value is used to create a\r\nregistry key in the path below. The encoded “install.dat” data is then saved to the registry key.\r\n– HKLM\\SOFTWARE\\Classes\\CLSID\\MachineGuid(“Global”):1 – Encoded “install.dat”\r\nRunning service scan\r\nAfter it creates the registry key, it looks up the process ID of services whose arguments include “-k netsvcs”,\r\nthen injects the decoded “install.dat” into that process. It then deletes the “install.dat” file that exists in the\r\n%TEMP% path, and the injected process references the encoded “install.dat” data that was saved to the registry\r\nkey.\r\nThe injected svchost.exe goes through the same process and scans the command line. If the name of the\r\ncurrent process is svchost.exe and netsvcs is included in its arguments, it executes two threads.\r\nThe first thread registers a certain file as a service when the process is\r\nterminated. It first lowers the process termination priority to the lowest level and configures the control handler.\r\nControl handler function\r\nThe function that is added to the control handler is as shown above, and it checks the received control signals. The\r\nfunction looks for the following control signal values: 5 and 6. If the signal value is 5 (when the user logs off), it\r\nreconfigures the process termination priority and the control handler, and if the signal value is 6 (when the\r\nsystem shuts down), it executes a function that creates a malicious service.\r\nThe malicious service is created via the\r\nprocess below.\r\nAfter creating the SYSTEM\\\\CurrentControlSet\\\\Services\\\\AppService[a-z] registry key, it configures this service\r\nregistry key as shown below.\r\n– Start : 0x02 (starts automatically when the system starts)\r\n– imagepath : %SystemRoot%\\System32\\svchost.exe -k AppService\r\nThe name of the created service and the file that is executed via the service are configured as follows:\r\n– SYSTEM\\\\CurrentControlSet\\\\Services\\\\AppService[a-z]\\\\Parameters:servicedll = %System%\\Encoded string.tmp\r\n– SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Svchost:AppService = AppService[a-z]\r\nCreated service\r\nThe file that is to be registered as the service decodes the data that exists in a certain location and creates it with\r\nthe tmp extension in the System path. The created tmp file acts as a Loader that decodes and executes the encoded\r\n“install.dat” data stored in a certain registry key. It appears that this process serves the purpose of continuing the\r\nmalicious behaviors even after the user PC is shut down and restarted.\r\nAdding an exclusion to Windows Defender\r\nAfter the service is created, the System folder is excluded from Windows Defender scans, and the first thread is\r\nterminated.\r\nCreating process\r\nThe second thread executes the %System%\\svchost.exe -k SystemNetworkService command, creating a process\r\nand injecting the decoded “install.dat” data into it.\r\nThe injected svchost.exe goes through the same process to scan the command line, and if it is svchost.exe run with\r\nthe SystemNetworkService argument, it performs the actual malicious behavior.\r\nIt steals various user credentials and\r\nother data, including the items below, via this process and sends them to the attacker’s server.\r\nVPN connection information\r\nClipboard data\r\nAudio data\r\nList of shared network folders\r\nInformation on processes listening on TCP and UDP ports\r\nFile version information of running processes\r\nC2 : email.yg9[.]me\r\nIn addition to the malicious features above, it can also connect to the C2 server and, under the attacker’s command,\r\nperform various malicious behaviors such as file download, screen capture, keylogging, and execution of cmd\r\ncommands.\r\nAs this malware is disguised as an illegal software installer and is distributed to random individuals via malicious\r\nsites, users must be careful not to download such programs. As malicious files can also be registered as a service\r\nand continue their malicious behaviors without the user knowing, periodic PC maintenance is necessary.\r\n[File Detection]\r\nTrojan/Win.Generic.R420870 (2021.05.16.01)\r\nMalware/Win.Generic.R421780 (2021.05.21.03)\r\nTrojan/Win.Generic.C4512227 (2021.06.04.01)\r\nTrojan/Win.Generic.C4512246 (2021.06.04.01)\r\nTrojan/Win.Generic.R421722 (2021.08.17.03)\r\nTrojan/Win.Generic.R436809 (2021.08.17.03)\r\nTrojan/Win.Generic.R436811 (2021.08.17.03)\r\nTrojan/Bin.Encoded (2022.01.28.02)\r\nMD5\r\n1fecb6eb98e8ee72bb5f006dd79c6f2f\r\n58efaf6fa04a8d7201ab19170785ce85\r\n5de2818ced29a1fedb9b24c1044ebd45\r\n5e6df381ce1c9102799350b7033e41df\r\n839e9e4d6289eba53e40916283f73ca6\r\nAdditional IOCs are available on AhnLab TIP.\r\nFQDN\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/31683/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/31683/"
	],
	"report_names": [
		"31683"
	],
	"threat_actors": [],
	"ts_created_at": 1775434352,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8d9ca4d46ecfbadcd5bf6533a29ae7cecc6d8ee.pdf",
		"text": "https://archive.orkl.eu/c8d9ca4d46ecfbadcd5bf6533a29ae7cecc6d8ee.txt",
		"img": "https://archive.orkl.eu/c8d9ca4d46ecfbadcd5bf6533a29ae7cecc6d8ee.jpg"
	}
}