{
	"id": "ed74ce74-9b0f-4f93-949f-4bfe09e454d7",
	"created_at": "2026-04-10T03:20:23.365996Z",
	"updated_at": "2026-04-10T13:12:35.374822Z",
	"deleted_at": null,
	"sha1_hash": "cef0a9a018e15b5cb9034e89238a3fa5d130ebd4",
	"title": "Zero2Auto – Malware Book Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80385,
	"plain_text": "Zero2Auto – Malware Book Reports\r\nBy muzi\r\nArchived: 2026-04-10 03:18:39 UTC\r\nTaking a break from my normal blog posts to complete the practical analysis from the Zero2Automated course\r\nfrom Vitali Kremez and Daniel Bunce.\r\nAssignment Background\r\nHi there,\r\nDuring an ongoing investigation, one of our IR team members managed to locate an unknown sample on an\r\ninfected machine belonging to one of our clients. We cannot pass that sample onto you currently as we are still\r\nanalyzing it to determine what data was exfiltrated. However, one of our backend analysts developed a YARA rule\r\nbased on the malware packer, and we were able to locate a similar binary that seemed to be an earlier version of\r\nthe sample we’re dealing with. Would you be able to take a look at it? We’re all hands on deck here, dealing with\r\nthis situation, and so we are unable to take a look at it ourselves.\r\nWe’re not too sure how much the binary has changed, though developing some automation tools might be a good\r\nidea, in case the threat actors behind it start utilizing something like Cutwail to push their samples.\r\nStage 1 Exe\r\nFilename: main_bin.exe\r\nMD5: a84e1256111e4e235250a8e3bb11f903\r\nSHA1: 1b76e5a645a0df61bb4569d54bd1183ab451c95e\r\nSHA256: a0ac02a1e6c908b90173e86c3e321f2bab082ed45236503a21eb7d984de10611\r\nStepping into the main function, several obfuscated strings are moved into registers and a function call is made\r\nimmediately afterwards. 
Next, LoadLibrary and GetProcAddress are called, indicating that these obfuscated\r\nstrings are almost certainly obfuscated libraries to import.\r\nFigure 1: Obfuscated Library Imports\r\nString Decryption/Decoding\r\nStepping into the function called right after moving the obfuscated strings, a few things stand out that indicate the\r\npurpose of it:\r\nThe long string of characters that appear to be an extended/custom alphabet\r\nThe add edx, D instruction (ROT-13 anyone?)\r\nhttps://malwarebookreports.com/cruloader-zero2auto/\r\nPage 1 of 6\n\nFigure 2: ROT-13 Decryption/Deobfuscation Routine\r\nAfter returning from the decryption function, kernel32.dll is decoded. Now that the decryption/decode\r\nfunction has been identified, a string decoder can be written.\r\nString Decrypter/Decoder (and unpacker) can be found on my GitHub.\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: I9egh1/n//b3 --\u003e Decrypted: VirtualAlloc\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: t5gG8e514pbag5kg --\u003e Decrypted: GetThread\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: yb3.E5fbhe35 --\u003e Decrypted: LockResource\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: pe51g5Ceb35ffn --\u003e Decrypted: CreateProce\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: F5gG8e514pbag5kg --\u003e Decrypted: SetThread\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: yb14E5fbhe35 --\u003e Decrypted: LoadResource\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: E514Ceb35ffz5=bel --\u003e Decrypted: ReadProc\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: s9a4E5fbhe35n --\u003e Decrypted: FindResource\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: Je9g5Ceb35ffz5=bel --\u003e Decrypted: WritePr\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] 
Encrypted: I9egh1/n//b3rk --\u003e Decrypted: VirtualAllo\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: F9m5b6E5fbhe35 --\u003e Decrypted: SizeofResou\r\n2022-05-30 22:06:05,423 - CruLoader Unpacker - CRITICAL [*] Encrypted: .5ea5/QPY4// --\u003e Decrypted: kernel32.dll\r\n2022-05-30 22:06:05,424 - CruLoader Unpacker - CRITICAL [*] Encrypted: E5fh=5G8e514 --\u003e Decrypted: ResumeThread\r\nNow that the strings are decrypted, some additional functionality becomes apparent: packed code located in a\r\nresource and process injection (process hollowing). The executable being analyzed looks to be a crypter that will\r\nunpack the code contained in the RCDATA resource.\r\nRC4 Decrypt Resource\r\nLoading the executable into PE Studio, the RCDATA resource stands out – it is large (87068 bytes) and its\r\nentropy of 7.98 indicates this is most likely encrypted data. In addition, the decrypted/deobfuscated strings above\r\nlend credibility to this theory, as the following resource APIs are used to access it:\r\nFindResourceA\r\nLoadResource\r\nSizeOfResource\r\nLockResource\r\nFigure 3: Resource (RCDATA)\r\nFollowing in the debugger, the RCDATA resource is loaded, then, starting at offset 0x1C (28 decimal), the\r\nciphertext is copied into an allocated buffer.\r\nFigure 4: Resource Loaded and Copied into Allocated Memory\r\nNext, the ciphertext is decrypted using RC4. 
The key starts at offset 0xC (12) of the resource and is 16 bytes long.\r\nFigure 5: RC4 Decryption Routine Unveils Decrypted Executable\r\nAfter decrypting the executable, it is loaded and executed via process injection (process hollowing) with the\r\nfollowing calls:\r\nCreateProcessA\r\nVirtualAlloc\r\nGetThreadContext\r\nReadProcessMemory\r\nVirtualAllocEx\r\nWriteProcessMemory\r\nSetThreadContext\r\nResumeThread\r\nOnce ResumeThread is called, execution is transferred to the new, decrypted executable.\r\nStage 2 Exe\r\nFilename: cruloader\r\nMD5: f56a2fd3fd94be87f5c79e822734168d\r\nSHA1: 191050c7ae62c5665938f7666519bcd94f784fd5\r\nSHA256: a4997fbff9bf2ebfee03b9373655a45d4ec3b1bcee6a05784fe4e022e471e8e7\r\nJumping straight into main, the malware first computes the CRC32 of its filename, then checks it against the\r\nCRC32 hash 0xB925C42D, which corresponds to svchost.exe. The CRC32 algorithm can be easily identified\r\nby the constant 0xedb88320, which is the so-called “reversed” representation of the CRC32 generator polynomial. Luckily for\r\nus, 0xB925C42D aka “svchost.exe” is included in the following list of CRC32 API hashes. Lists of API hashes\r\nsuch as this are commonly found on GitHub and can be located simply by Googling for the specific API\r\nhash/constant.\r\nFigure 6: Compute CRC32 Hash of Filename\r\nDepending on whether the filename is svchost.exe, the code takes one of two branches. Branch one, where the\r\nfilename is not svchost.exe, will be examined first, followed by branch two.\r\nBranch One: Filename != svchost.exe\r\nIf the filename is not svchost.exe, Cruloader begins an anti-analysis routine to determine whether it is being analyzed. First,\r\nit resolves the API IsDebuggerPresent to detect an attached debugger. 
Next, it resolves\r\nCreateToolhelp32Snapshot, Process32FirstW, and Process32NextW in order to compute the CRC32\r\nchecksum of every running process name and compare it against the following analysis tools:\r\n7C6FFE70 (processhacker.exe)\r\n47742A22 (wireshark.exe)\r\nD2F05B7D (x32dbg.exe)\r\n659B537E (x64dbg.exe)\r\nFigure 7: Pre-calculated Hashes to Check Running Processes Against\r\nFigure 8: Example Match for x32dbg.exe\r\nIf any of the tools listed above are discovered running, the malware exits immediately. After determining that it is\r\nnot being analyzed/debugged, the malware next resolves the same APIs used previously for process injection.\r\nFigure 9: Resolving APIs for Process Injection\r\nAfter resolving the APIs, the malware decrypts the string C:\\Windows\\System32\\svchost.exe, then creates a\r\nsuspended svchost.exe process.\r\nFigure 10: Decrypt String and Create Suspended Svchost Process\r\nNext, the malware calls VirtualAlloc to allocate memory inside the running process to copy itself into. It then calls\r\nVirtualAllocEx to allocate a RWX region inside the new suspended process and uses WriteProcessMemory to\r\nwrite the copy of itself into the new process. Finally, it calls CreateRemoteThread to execute the code injected into\r\nsvchost.exe.\r\nBranch Two: Filename == svchost.exe\r\nNow that CruLoader is running under svchost.exe (whether by renaming the file or by letting it inject into\r\nsvchost.exe), the malware takes the other branch. This branch begins by resolving a few APIs for internet\r\nactivity.\r\nFigure 11: Resolve wininet APIs\r\nNext, the URL configuration is decrypted with a simple rol and xor.\r\nFigure 12: Decrypt URL Config\r\nAfter decrypting the Pastebin URL, the malware makes a connection to the URL and receives a second URL back.\r\nIt then makes another request to download a PNG. 
(Note: the User-Agent of CruLoader could be used for detection.\r\nThis kind of thing used to be more popular in the early 2010s, but Bumblebee Malware did this just last year.) The\r\nPNG is then written to the following path: C:\\Users\\USER\\AppData\\Local\\Temp\\cruloader\\output.jpg.\r\nNext, CruLoader decrypts another string, redaolurc. It then searches for this payload marker inside the PNG file.\r\nFigure 13: Search for Payload Marker ‘redaolurc’ in PNG\r\nOnce the payload marker is found, the malware XOR-decrypts the payload with the single-byte key 0x61 (‘a’).\r\nFigure 14: Decrypted Payload\r\nAfter decrypting the payload, the malware decrypts the string C:\\Windows\\System32\\svchost.exe and resolves\r\nAPIs to once again inject the final payload into svchost.exe.\r\nFigure 15: Time to Inject into svchost.exe Again\r\nOpening up the newly decrypted payload in Ghidra shows us that we have completed the challenge.\r\nFigure 16: Challenge Complete\r\nAutomation\r\nEarlier I showcased the string decrypter and unpacker for stage one. Let’s finish automating the config extraction\r\nand string decryption for stage two, along with the decryption of the final payload embedded in the PNG. Code\r\navailable on GitHub. 
I got a bit lazy with my coding here at the end, but it does the job.\r\n❯ python3 unpack.py -d -f main_bin.exe -o output.bin\r\n2022-07-08 14:10:41,895 - CruLoader Unpacker - CRITICAL [*] Key is: b'6b6b64355964504d32345642586d69'\r\n2022-07-08 14:10:41,896 - CruLoader Unpacker - CRITICAL [*] Unpacking payload\r\n2022-07-08 14:10:41,896 - CruLoader Unpacker - CRITICAL [*] Payload written to output.bin\r\n2022-07-08 14:10:41,899 - CruLoader Unpacker - CRITICAL [*] Encrypted: pe51g5Ceb35ffn --\u003e Decrypted: CreateProce\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: F5gG8e514pbag5kg --\u003e Decrypted: SetThread\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: yb14E5fbhe35 --\u003e Decrypted: LoadResource\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: Je9g5Ceb35ffz5=bel --\u003e Decrypted: WritePr\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: .5ea5/QPY4// --\u003e Decrypted: kernel32.dll\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: I9egh1/n//b3rk --\u003e Decrypted: VirtualAllo\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: F9m5b6E5fbhe35 --\u003e Decrypted: SizeofResou\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: yb3.E5fbhe35 --\u003e Decrypted: LockResource\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: E514Ceb35ffz5=bel --\u003e Decrypted: ReadProc\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: I9egh1/n//b3 --\u003e Decrypted: VirtualAlloc\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: t5gG8e514pbag5kg --\u003e Decrypted: GetThread\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: s9a4E5fbhe35n --\u003e Decrypted: FindResource\r\n2022-07-08 14:10:41,900 - CruLoader Unpacker - CRITICAL [*] Encrypted: E5fh=5G8e514 --\u003e Decrypted: ResumeThread\r\n❯ python3 
extract_config_decrypt_strings.py -f stage2_bin.exe\r\n[*] Config URL(s): ['hxxps://pastebin[.]com/raw/mLem9DGk']\r\n[*] Decrypted strings: ['\\\\output.jpg', 'redaolurc', 'C:\\\\Windows\\\\System32\\\\svchost.exe']\r\n❯ python3 extract_payload_from_png.py -f cruloaderpng.png -o final_extracted.bin\r\n2022-07-08 14:04:57,794 - CruLoader Unpacker - CRITICAL [*] Payload written to final_extracted.bin\r\nSource: https://malwarebookreports.com/cruloader-zero2auto/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malwarebookreports.com/cruloader-zero2auto/"
	],
	"report_names": [
		"cruloader-zero2auto"
	],
	"threat_actors": [],
	"ts_created_at": 1775791223,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cef0a9a018e15b5cb9034e89238a3fa5d130ebd4.pdf",
		"text": "https://archive.orkl.eu/cef0a9a018e15b5cb9034e89238a3fa5d130ebd4.txt",
		"img": "https://archive.orkl.eu/cef0a9a018e15b5cb9034e89238a3fa5d130ebd4.jpg"
	}
}