Static analysis of Goldenhelper Malware (Golden Tax malware)

By Adetomiwa
Published: 2022-03-04 · Archived: 2026-04-05 18:17:01 UTC
Source: https://tomiwa-xy.medium.com/static-analysis-of-goldenhelper-malware-golden-tax-malware-d9f85a88e74d

“GoldenHelper” was discovered on July 14, 2020 embedded in Golden Tax Invoicing Software, invoice-issuing software used by Chinese banks. This malware variant seems to have been active between January 2018 and July 2019.

Fig 1.0: First bytes of malware sample

Fig 1.1: File header in PE studio

The following details were obtained from initial static analysis:

File-type: dynamic-link-library (.dll)
CPU: 64-bit
Subsystem: GUI
Compiler-stamp: 0x5AB052C9 (Mon Mar 19 17:16:09 2018)
Debugger-stamp: 0x5AB052C9 (Mon Mar 19 17:16:09 2018)
File-size: 126464 (bytes)
Hashes:
md5: 490D17A5B016F3ABC14CC57F955B49B3
sha1: A1BB73F6581AB51457EB7160BE8EE4FB18916153
sha256: A1AA0684813CFE9D7ED5C491C8AB132E5583B4FD02187FDAE8AA4D934D933F29
File path: F:\DLL\dll-client-0309\x64\Release\SvcDll.pdb

Embedded Strings

PE Studio identified ~1870 strings; the following have been highlighted.

The following appear to be files that will be loaded during runtime:

http://%s/app/taxver[.]jpg
http://%s/app/tps32[.]gif
http://%s/data/msabs[.]dat
http://%s/data/msabb[.]rar
http://%s/data/tax32[.]zip…
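As an added example (not part of the original article and not PE Studio's code), the Python sketch below reads the header fields listed above (file type, CPU, subsystem, compiler stamp) directly from a PE image. The sample bytes are constructed to carry the article's stamp 0x5AB052C9, the function names are hypothetical, and the stamp is decoded in UTC.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x8664: "x64", 0x014C: "x86"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000          # Characteristics bit that marks a DLL
OPT_SUBSYSTEM_OFFSET = 68        # same offset in PE32 and PE32+ optional headers


def parse_pe_header(data: bytes) -> dict:
    """Return basic triage fields read straight from the DOS/COFF/optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24          # 4-byte signature + 20-byte COFF file header
    if opt + OPT_SUBSYSTEM_OFFSET + 2 > len(data):
        raise ValueError("headers extend past end of buffer")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, stamp, _symptr, _nsym, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + OPT_SUBSYSTEM_OFFSET)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32_plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        # The linker writes this value and it can be forged; treat it as a hint.
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
    }


def build_sample() -> bytes:
    """Constructed header only (no sections or code): a 64-bit GUI DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0x5AB052C9, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<H", opt, OPT_SUBSYSTEM_OFFSET, 2)   # Windows GUI
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample()).items():
        print(f"{key}: {value}")
```

Decoded in UTC, 0x5AB052C9 is 2018-03-20 00:16:09; the Mar 19 17:16:09 string in the listing is the same instant as seen from a UTC-7 clock, so compare stamps across tools by their hex value.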