{
	"id": "426d8e9c-a4a6-490d-bcaf-2c4df9fb9ff2",
	"created_at": "2026-04-06T01:32:38.408645Z",
	"updated_at": "2026-04-10T13:13:04.38896Z",
	"deleted_at": null,
	"sha1_hash": "de8b3f1aaf4b141d6e2145f746f6c74a6cadef00",
	"title": "Password stealer in Delphi? Meh… (2/2)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4707414,
	"plain_text": "Password stealer in Delphi? Meh… (2/2)\r\nBy Threat Research Team\r\nArchived: 2026-04-06 00:54:30 UTC\r\nAfter peeling away the MehCrypter’s layers in the first part of our blog series, we felt there was no other choice than to dive even deeper into the Meh password stealer payload and all its functionalities, which range from keylogging, stealing clipboard contents, coinmining, and stealing cryptocurrency wallets, to a highly versatile remote access tool (RAT) that can perform tasks like advertisement fraud on websites or prepare the victim’s PC for a potential ransomware hit.\r\nResearcher @51ddh4r7h4 performed an analysis of a VBE stager downloaded from Spanish torrent sites which contained an old version 0.7.9e of Meh. In this blogpost, we will analyze version 1.0.0a of Meh, which is written in Delphi.\r\nCampaign overview\r\nMeh password stealer focuses mainly on Spanish users, counting more than 88,000 infection attempts in this country since June 2020. The second most targeted country is Argentina with more than 2,000 attacked users.\r\nMap illustrating the countries Meh has targeted from June to November 2020\r\nAnalysis\r\nMeh password stealer – pe.bin\r\nAfter the MehCrypter has finished running its preparations, the Meh password stealer PE is loaded and an indirect jump is performed right into the decrypted Meh payload, written in Borland Delphi. This payload is a somewhat penultimate stage, because the malware actually uses quite massive parallelization of its tasks via several injections into Windows processes, e.g. notepad.exe or regasm.exe, along with massive multithreading. Thus, Meh always harms its victims via legitimate processes. 
If the Meh process detects that it’s not actually running inside a legitimate process, it tries to fix this by creating a new injection subthread and injecting the payload into a legitimate process.\r\nhttps://decoded.avast.io/janrubin/meh-2-2/\r\nPage 1 of 22\n\nString encryption\r\nNearly all the strings in the binary are encrypted. The same cipher is used for string encryption as was described in the subsections of the pe.bin decryption section in the previous part of the blog series. The only exception is that the key string sequence is not modified before usage.\r\nAt first, a Base64-encoded string is decoded and then it is passed on to the xor_decrypt function, along with an XOR key string.\r\nCode of the string decryption function\r\nTo illustrate the decryption process even further and to ease the work of other researchers and anyone else who is interested, we added our IDAPython script, which decrypts all the strings, to our Github page.\r\nFolder structure\r\nFirstly, let’s take a look at the folder structure from which the malware operates. To simplify the explanation, we will show this process on an example from our test VirtualBox machine. In this machine, the complete folder path looks like this:\r\nC:\\ProgramData\\Intel\\Wireless\\7ec8d64\\22b226e\\\r\nAs can be seen, the path has two parts. The first one is hardcoded and contains fictional Intel and Wireless directories. The second part, however, is created per subfolder from the first seven characters of an MD5 hash of the folder “purpose” string concatenated with an HWID hash. We will get to that in a moment. This part is dynamically generated and will differ per computer.\r\nCreating a personal computer HWID hash\r\nTo be able to recreate the dynamic path shown above, Meh creates a unique identifier of the infected PC, which is used throughout several of the malware’s functionalities. 
To generate the HWID hash, the malware obtains several values from the local computer, concatenates them together, and hashes the string using MD5. These values are obtained, concatenated in this exact order, and hashed to create the HWID:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId\r\nHARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString\r\nHARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\r\nUsername (GetUserNameW)\r\nComputer name (GetComputerNameA)\r\nCreating the subfolders\r\nAfter the HWID is calculated, the malware appends this hash to two different string constants, one for each specific subfolder:\r\nbotsfolder\r\nlogsfolder\r\nThese subfolder strings with the appended hash are hashed once again. The resulting hashes are:\r\nbotsfolder – 7ec8d648ccf5fc2c28dfb98e1ef45101\r\nlogsfolder – 22b226ea2f14c1ed4806becf5d5c7fb8\r\nNote that only the first seven characters of each hash are taken to form the directory name.\r\nCompatibility with older versions of Meh\r\nAn interesting aspect of the folder creation process is that other folder structures are calculated and checked as well. Generally, this check is done to get rid of an old version of Meh on the system and keep only the new version running, with the new folder structure.\r\nAs far as we could see, Meh has changed both the algorithm that generates the filesystem location where it saves itself to disk and the process that generates the HWID many times. Even though we realize that some people are not very keen on history lessons, we decided to briefly describe one of the older methods of post-processing the HWID here.\r\nTo generate the HWID, the malware used to take just three system information values (instead of five) from the infected computer. 
The malware used a well-known API function and read two registry keys:\r\nGetVolumeInformationA - obtaining the VolumeSerialNumber value\r\nHARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier\r\nHARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\r\nThese system values were then concatenated in this exact order. After the string with the system information was created, it was hashed by MD5:\r\n15a58f851468959538c67e43b78b7485\r\nHowever, after the hash was calculated, the output was modified using a simple shift-and-loop algorithm where each byte of the string was transformed into a different byte.\r\nThis was done by right-shifting the upper half of the byte by one and leaving the lower four bits intact. Thus, the hash result was:\r\n05554f450438454518663e23574b3445\r\nThis transformation loop can be found below. An observant reader can also notice a compiler misstep at the address 0x004240FE.\r\nAssembly of the hash transformation loop\r\nWhy the author decided to omit this transformation in newer versions of Meh is a mystery to us, but it may have something to do with the uselessness of the algorithm from a security perspective.\r\nWhat is actually interesting about this is that the same shift transformation is present in the recent versions, too! There is, however, a change in the shift value to four, which effectively does nothing, leaving only the MD5 hashing effective. Meh…?\r\nSettings backup\r\nThe malware may save its settings to a dedicated file in the logsfolder. 
The name of this file is created by concatenating the HWID to the string “settings” and hashing with MD5 (again taking only the first seven characters of the hash):\r\nC:\\ProgramData\\Intel\\Wireless\\7ec8d64\\22b226e\\055c0c3\r\nThe settings can be set in the following ways by the malware:\r\nDefault settings present in the malware\r\nSettings loaded from the settings file written by a previous run and/or a previous version of the malware already present on the disk\r\nSettings received from the C\u0026C server (see RAT module for more details)\r\nThe settings have several values:\r\nAll the settings are concatenated together, delimited by commas.\r\nAES encryption\r\nFurthermore, the content of the settings file is encrypted using AES-192 in CFB8bit mode (EncryptCFB8bit). The key phrase is the string “keysettings” hashed using SHA-1 and padded with zeros to 24 bytes:\r\n548aea3eb3e62ff420ae9f7e6d9f1de66559692600000000\r\nAfter the content is encrypted, it is also encoded using Base64.\r\nMultithreading, stealing and other functionalities\r\nAs was already mentioned, Meh uses several threads, each with its own dedicated functionality. An extensive list of these worker threads can be found below. Note that several of these threads use other means of parallelization as well, making the whole analysis even more aggravating.\r\nInjection thread\r\nInstallation and persistence thread\r\nAnti-AV check and anti-IObit Malware Fighter thread\r\nCoinmining thread\r\nTorrent download thread\r\nClipboard stealing and keylogging thread\r\nCrypto wallets stealing thread\r\nAdvertisement fraud thread\r\nInjection thread\r\nThe injection is always performed from a dedicated subthread, and a new legitimate process is created as the target of the injection. 
For this purpose, one of these processes is used for the injection in the default settings:\r\nnotepad.exe\r\nWerFault.exe\r\nregasm.exe\r\nsysteminfo.exe\r\nvbc.exe\r\nThe target of the injection can, however, be any arbitrary process, depending on the request from the C\u0026C server via the RAT module.\r\nIn the default settings, the malware enumerates the current process path and checks whether the string “windows” is present (case insensitive). If it is not, the injection is performed. Dynamic forking is used to hollow the process.\r\nSyscall usage and API resolving\r\nWe would like to further mention one of the methods used during the injection process – the way some API functions are actually called. Often, malware resolves the needed functions by parsing the import table of the system DLLs. However, this is not how the authors of Meh decided to proceed.\r\nThe malware checks whether the C:\\Windows\\SysWOW64\\ntdll.dll file exists to determine the OS bitness. Depending on whether it is x64 or x86, it uses a different method to perform the syscall.\r\nCode of the decision process for which syscall should be used\r\nIf the OS is x64, the pointer at FS:[0xC0] refers to the Wow64 FastSysCall stub, which switches the processor from x86 to x64 mode and calls a native x64 syscall, as can be seen in the figure below:\r\nCode of the x64 syscall\r\nIf the OS is x86, the syscall is performed directly using the sysenter instruction.\r\nInstallation and persistence thread\r\nIn this thread, the malware checks whether three files exist in the\r\nC:\\ProgramData\\Intel\\Wireless\\7ec8d64\r\ndirectory (i.e. the botsfolder):\r\nGenerated name of .au3 script\r\nGenerated name of .exe\r\npe.bin\r\nFirst of all, the constants testau3 and autoitexe are used for the .au3 and .exe files, respectively. 
These constants are then appended with the HWID and hashed using MD5. So far, everything is the same.\r\nThe names of the .au3 script and the .exe file are generated using the same algorithm presented in Folder structure, with one exception.\r\nThe .exe file name is further modified in such a way that every numeric character of the hash (\u003c 0xA) is translated to a character from the beginning of the English alphabet, where the letter “e” is excluded. Thus, the substitution maps the numbers 0-9 to the letters a-d and f-k. We suppose that the author actually meant to include the letter “e”, but forgot it is in the alphabet.\r\nThis effectively transforms the hash:\r\n9a5afe4 -\u003e kagafef\r\nOn our virtual machine, these filenames are generated and checked for presence:\r\nkagafef.exe\r\ne30db2f.au3\r\nIf any of these files are missing, the malware searches the current process folder for any files with the .exe or .au3 extension and for the pe.bin file. The first occurrence of such a file (by extension) is copied into the directory. If the file pe.bin is missing, the whole thread is terminated. Note that these files should represent the AutoIt interpreter and Meh password stealer payload, respectively.\r\nThe content of the pe.bin file is decrypted and re-encrypted with a new randomly generated 10-byte key containing only letters from the English alphabet.\r\nFurthermore, the AutoIt script and pe.bin files are prepended and appended with randomly generated strings, reflecting the MehCrypter appearance. However, at this stage, we can finally learn how this obfuscation is generated. 
The length of these strings is chosen randomly, ranging from 1,000 to 10,000 bytes.\r\nFinally, if the files were copied from a folder tree other than ProgramData\\Intel, the original folder is deleted.\r\nPersistence antivirus check\r\nAfter all the installation and persistence steps above are performed, the malware checks for the presence of several AVs on the system via their processes:\r\nimf.exe (IObit Malware Fighter)\r\nmonitor.exe (IObit Malware Fighter)\r\ntotalav.exe (Total AV)\r\nqhsafetray.exe (360 Total Security)\r\navpui.exe (Kaspersky)\r\nHowever, the behaviour differs depending on the AV found, as we describe below.\r\nIObit Malware Fighter and Total AV\r\nIf either of the first two listed AVs is present, the malware will try to inject itself into the listed processes. This is done by obtaining a handle to the process, allocating memory with the appropriate permissions inside it, and calling the CreateRemoteThread API function.\r\nIf the handle could not be obtained for some reason (e.g. insufficient privileges during execution), the malware tries to inject into any of the following processes:\r\nutorrent.exe\r\nbittorrent.exe\r\nlightshot.exe\r\nrazer central.exe\r\nskype.exe\r\ndiscord.exe\r\nsteam.exe\r\nspotify.exe\r\nvmware-tray.exe\r\nor into the first x86 process it can find.\r\n360 Total Security\r\nIf 360 Total Security is installed, the malware only tries to inject into the list of processes above or any other x86 process; this AV is not attacked at all.\r\nKaspersky\r\nIf Kaspersky is installed (determined by a running avpui.exe), the malware doesn’t inject anything at all. Instead it creates two files. 
The first file is a VBS file whose directory name and file name are derived by prepending the strings tmpvbsstartdir and tmpvbsstart, respectively, to the HWID and hashing with MD5:\r\nC:\\714edf2\\1665f18.vbs\r\nIts contents can be found below:\r\nContents of the 1665f18.vbs script\r\nThis means that the malware creates a VBS script which starts interpreting the AU3 malware payload.\r\nThe string “IGWcKodqHa” is randomly generated in such a way that it always contains only letters from the English alphabet and is 10 bytes long.\r\nThe second file is named after hashing “tmpau3” (with the HWID appended) and it is saved into the local Temp directory:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\2940974.au3\r\nThe contents of the script can be found below:\r\nContents of the 2940974.au3 script\r\nThis AutoIt script creates a link file to the VBS script above and places it into the user’s startup directory, using the icon of a legitimate Mycomput.dll file, and removes itself afterwards. This effectively ensures persistence.\r\nNote that \u003cuser\u003e is the local username (filled in appropriately by the malware). Furthermore, the string “ydOGzq” is randomly generated and is always six bytes long.\r\nOne additional file is created as well: tmplnk.txt. This file is filled with the absolute path to the lnk file above. This file will be read after a reboot, which follows almost immediately, as we describe below.\r\nAfter the persistence and preparation are done, the malware shows a fake dialog window about an update of the uTorrent program (regardless of whether the program is actually present on the PC).\r\nThe fake dialog of uTorrent program update\r\nThis dialog is automatically closed after 2.5 seconds. 
After that, the malware executes the 2940974.au3 file using the kagafef.exe AutoIt interpreter and restarts the PC using:\r\ncmd.exe /C shutdown -f -r -t 0\r\nThus, after the reboot, the malware is started via ydOGzq.lnk in the startup folder, and the resulting execution of 1665f18.vbs, which runs the Meh password stealer payload once again, obfuscates its process execution tree.\r\nPersistence monitoring tools check\r\nIf no AV from the previous subsection is running, or a successful after-reboot execution of Meh under Kaspersky is performed, the malware undergoes an exhaustive check of running monitoring tools:\r\nccleaner\r\nsystem config\r\nmalwarebytes\r\nfarbar recovery\r\nstartup scan\r\nanti rootkit\r\nanti-rootkit\r\nstartup manager\r\nautoruns\r\neditor de registro\r\neditor del registro\r\nregistry editor\r\ngerenciador de tarefas\r\nzhpcleaner\r\nprocess hacker\r\ntask manager\r\njunkware removal\r\nadministrador de tareas\r\nhijackthis\r\nprocess explorer\r\ntcpview\r\nprocess monitor\r\nwireshark\r\nThis check is done periodically by comparing the active window text with all of the strings in the list above.\r\nIf none of these windows is found in the user’s foreground, the malware creates a registry key in\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe name of the registry key is derived from the HWID by taking eight characters starting at its second position.\r\nThe key contains the persistence command, which executes the AutoIt script using the AutoIt interpreter:\r\nC:\\ProgramData\\Intel\\Wireless\\7ec8d64\\kagafef.exe C:\\ProgramData\\Intel\\Wireless\\7ec8d64\\e30db2f.au3\r\nIf any of the windows from the list above are active, the malware removes this registry key to hide its persistence. Furthermore, if the window carries the name “Malwarebytes”, the malware also wipes all 
the files from the Wireless folder structure.\r\nLast but not least, this subthread periodically checks the whole Wireless folder structure and, if any of the files are missing and/or empty, the malware recovers the files from its process memory and writes them to disk once again.\r\nAnti-AV check and anti-IObit Malware Fighter thread\r\nMeh also contains an additional exhaustive check for AVs, with a particular focus on IObit Malware Fighter. This check is separate from the Installation and persistence thread described above.\r\nThe check is done by monitoring the running processes (not the active window, as previously). The complete list of AVs and other security tools being checked can be found below, in alphabetical order:\r\navastui.exe (Avast)\r\navguard.exe (Avira)\r\navgui.exe (AVG)\r\navpui.exe (Kaspersky)\r\nbdagent (Bitdefender)\r\nbytefence.exe (ByteFence)\r\ncis.exe (Comodo)\r\negui (ESET Nod32)\r\nimf.exe (IObit Malware Fighter)\r\nmbam (Malwarebytes)\r\nmcshield.exe (McAfee)\r\nmcuicnt.exe (McAfee)\r\nmpcmdrun.exe (Windows Defender)\r\nmsascuil.exe (Windows Defender)\r\nnis.exe (Norton)\r\nnortonsecurity.exe (Norton)\r\nns.exe (Norton)\r\npsuaservice.exe (Panda Security)\r\nqhsafetray.exe (360 Total Security)\r\nsdscan.exe (Spybot – Search \u0026 Destroy)\r\nsmc.exe (Symantec)\r\nsuperantispyware.exe (SUPERAntiSpyware)\r\ntotalav.exe (Total AV)\r\nuiseagnt.exe (Trend Micro)\r\nvkise.exe (Comodo)\r\nAdditionally, the malware checks whether these two locations exist:\r\nC:\\Program Files\\Bitdefender\r\nC:\\Program Files (x86)\\IObit\r\nThe information about the running AV affects different parts of the malware process and can also be reported to the C\u0026C server via the RAT module.\r\nIObit Malware Fighter thread\r\nIf the IObit Malware Fighter folder is detected, Meh creates a subthread with an infinite loop with a single purpose – repeatedly 
terminating the monitor.exe and smBootTime.exe processes.\r\nCoinmining thread\r\nCoinmining is an additional functionality of Meh and it only occurs when there is no Norton, Nod32, or Bitdefender present on the system. Since its design is not new, we’ve decided to describe it using a simple diagram:\r\nDiagram of the coinmining thread\r\nThe URL from which the coinminer is downloaded is (depending on whether the system is 64-bit or 32-bit):\r\nhttp[:]//124.red-79-152-243.dynamicip.fina-tdl.io/s/cpux[86|64].bin\r\nAfter the payload is decoded and decompressed, we immediately see that it is a common XMRig:\r\n722502b7302fd6bae93c57212fcafad2767c5f869e37bd00487b946f76251c8d\r\ne96403de3807ccb740f9ca6cade9ebd85696485590f51a4eb1c308de9875dfaa\r\nThe malware also generates a random AES key that is used to encrypt XMRig before writing it into the malware directory under a name generated from the HWID and the string “minercpu2”, in the same way as was done many times before:\r\nC:\\ProgramData\\Intel\\Wireless\\7ec8d64\\22b226e\\ecef9c8\r\nThe coinminer thread can also be affected by the RAT module. If the RAT module receives a command to terminate the mining, it fills the coinminer file with the string nominear, disabling the coinmining.\r\nTorrent download thread\r\nIn this part of the malware, Meh tries to use a locally installed torrent client to download additional files to the infected machine. This is done by reading the file\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\test.txt\r\nwhich is (usually) created by the original AutoIt MehCrypter payload. In other versions of the Meh password stealer, we have seen this file called torrent.txt as well.\r\nThe contents of this text file hold the name of a VBE script file. 
The malware appends the .torrent extension to this name, forming the name of the BitTorrent file to be downloaded.\r\nThen, the malware contacts several torrent sites where the file is searched for via a POST request:\r\nhttp[:]//www.mejortorrentt.net/ips/download_torrent.php\r\nhttp[:]//mejortorrent1.net/downloads/download_torrent.php\r\nhttp[:]//grantorrent.eu/download/download_torrent.php\r\nhttp[:]//www.divxtotal.la/downloads/download_torrent.php\r\nThe malware uses a POST data parameter nombre= with the filename to request the specific file.\r\nThis functionality is approached differently across different versions of Meh. In other versions, it appends the torrent filename to a set of URLs, with the option to structure the request into the sites’ subfolders (in Spanish):\r\npeliculas\r\nseries\r\ndocumentales\r\nmusica\r\njuegos\r\nvariados\r\nThe URL is then composed from the subfolder and the torrent name:\r\nhttp[:]//www.mejortorrentt.org/uploads/torrents/%s/%s\r\nWhen the file is successfully downloaded and contains the string udp://tracker, which identifies a UDP tracker in a BitTorrent file, it is immediately executed.\r\nClipboard stealing and keylogging thread\r\nThe clipboard is stolen after specific keys are pressed (see the list below). After the clipboard is stolen, the malware disables the clipboard stealing functionality for 30 seconds. 
Both the clipboard content and the pressed key are stored, along with the active window text in hexadecimal form.\r\nList of key presses which are monitored and trigger the keylogging and clipboard stealing:\r\nBackspace key\r\nDEL key\r\nHome key\r\nStart key\r\nEnd key\r\nSpacebar\r\nEnter key\r\nNumpad number keys\r\nAdd key\r\nSubtract key\r\nDecimal key\r\nEvery one-letter key\r\nThe stolen information is saved into a log file:\r\nC:\\ProgramData\\Intel\\Wireless\\7ec8d64\\22b226e\\DD-MM-YYYY.log\r\nnamed after the date on which the file is created. The stolen information is formatted and encrypted. To better illustrate the format of the stolen contents, an example of the plaintext form can be found below:\r\nExample of the stolen contents\r\nThe content of the log file is encrypted using AES with the key “masteroflog” and the output is encoded using Base64.\r\nCrypto wallets stealing thread\r\nMeh is also capable of stealing cryptocurrency wallets located on the infected PC. This thread checks common crypto wallet locations and, if one is found, it is sent to the C\u0026C server immediately, along with a message containing the victim’s username and computer name (delimited by “@”) and a debug message naming the specific cryptocurrency.\r\nCode of the detected cryptowallet debug message\r\nAll the paths that are checked are in the table below. However, note that not all of these wallets are stolen. The last column shows the markings which the malware author used to distinguish the cryptocurrencies during the cryptowallet theft.\r\nThe contents of the cryptowallets are concatenated together. 
As a delimiter between them, the following string is used:\r\n____padoru____XXX____padoru____\r\nwhere XXX represents the mark from the table above.\r\nThis string is then compressed using zlib, encoded with Base64, and sent to these C\u0026C servers:\r\nhttp[:]//193-22-92-35.intesre.com\r\nhttp[:]//0.le4net00.net\r\nhttp[:]//83.171.237.231\r\nhttp[:]//deploy.static.blazingtechnologies.io\r\nhttp[:]//0.weathdata.nu\r\nAdvertisement fraud thread\r\nIn this subthread, the malware is focused on using the victim’s PC for advertisement fraud, by making it click on ads on arbitrary websites. This is done by passing three types of information to the infected PC (we briefly touched upon these in the Settings backup section); we will describe their functionality in a moment:\r\ngoogleclickdate – A timestamp influencing when the fraud should happen\r\ngoogleclickdatas – A site that should be googled\r\ngoogleclickdelimitador – Content (advertisement) on which the malware should click\r\nFirst of all, only the Google Chrome web browser is supported in the analysed version of Meh (1.0.0a).\r\nSecondly, the malware needs to actively receive information about the “google” parameters above. By default, this information is not present in the malware. It can be retrieved from a previous version of Meh, or via the RAT module. Unfortunately, due to the inoperable C\u0026C servers during our analysis, we were not able to obtain information about which sites and advertising companies were actually attacked using Meh. Given the generic design implemented in the malware, we suppose it could be any of them.\r\nAfter the googleclickdate meets the condition for execution (the date has to be lower than the current time), the malware also checks if the user is active by obtaining the number of seconds since the user’s last interaction with the PC. 
If the user is inactive, it double-checks that the Chrome browser has not been used for a while. If the inactivity is sufficient, the fraud operation happens.\r\nThe malware disables twelve browser extensions (see below) by renaming their folders (appending an underscore “_” to them). These extension folders can usually be found in the Local AppData location:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\\r\nThe extensions which are disabled (if installed) can be found in the table below:\r\nAfter all the extensions are disabled, googleclickdate is set to the next day, suggesting the fraud happens once a day by default.\r\nFurthermore, the malware creates a subthread which periodically turns off the user’s monitor.\r\nThe next mechanism implemented in the malware is used for remote control of the PC to perform the clicks. This is done by simulating keystrokes and mouse clicks on the victim’s PC, similarly to how a user would click the ad:\r\n1. Open the Google Chrome browser on the page https://google.es\r\n2. Type the content of the googleclickdatas parameter in the search box and hit enter\r\n3. Press CTRL+F to show the browser’s find box, fill in the contents of googleclickdatas and hit enter\r\n4. Use the mouse cursor to click the found link in the Google results\r\n5. Press CTRL+F to show the find box once again and fill in the contents of the googleclickdelimitador parameter. Hit enter to search for it\r\n6. 
Use the mouse to click on the element – the ad\r\nNote that in the first step, the malware also tries to minimize the window by pressing the Win+Arrow Down keys. It also resizes the browser window so that the mouse clicks, which use hardcoded pixel offsets, land correctly.\r\nAfter the click on the advertisement is done, the malware restores everything to its previous state – it quits the browser (tab) by pressing CTRL+W, turns the monitor back on and renames all the extension folders back to their original names, effectively re-enabling them.\r\nRAT module\r\nAlong with the standalone functionality of Meh which we described above, the malware also contains functionality that takes the evil to the next level: a remote access tool built on top of the capabilities described previously.\r\nUnfortunately, at the time of writing this blogpost, the C\u0026C servers were shut down and/or had been made less responsive, or responsive only in specific timeframes. Because of this, we couldn’t properly analyse the exact form of the responses from the malware servers. However, we could still determine what the messages most likely looked like and how the commands were structured.\r\nRetrieving the message\r\nTo get the command from the C\u0026C, Meh connects to the server and waits for the response. In the default settings, this ping is performed every 20 seconds. The list of C\u0026Cs is the same as with the previous functionalities:\r\nhttp[:]//193-22-92-35.intesre.com\r\nhttp[:]//0.le4net00.net\r\nhttp[:]//83.171.237.231\r\nhttp[:]//deploy.static.blazingtechnologies.io\r\nhttp[:]//0.weathdata.nu\r\nThe POST request carries three fields with it:\r\nID – the personal computer HWID\r\nData – a wide hexadecimal text containing the title of the active window on the victim’s PC\r\nACK – an identifier of the part of the malware that sends the message. 
In the RAT mode, this value is 1000 by default. This value is different for every C\u0026C response and matches the message type from the table below.\r\nEvery response consists of two parts. The first part is a message type – a number which determines what command the malware should carry out. The second part contains a buffer which holds content passed on to the malware. This content can, for example, be an additional malware drop, an installation command for further persistence (injection into an arbitrary process), a change of coinmining parameters, browser stealing commands and many more. The second part can also be compressed and encoded, and it can also be empty where no additional input is needed.\r\nRAT functionalities\r\nLet’s dive deep into the functionalities of the remote access features of Meh.\r\nWe will first name the specific message types to get a brief idea of all the functionalities. We will then describe the more interesting and/or unclear ones separately. A list of all 54 commands can be found in the table below.\r\nIt is also important to note two things here. Firstly, across all sorts of Meh functionalities already described in this analysis where Meh sends information to the C\u0026C server, the malware sends a message type as well. However, we suppose these only serve as debugging information for the attacker, e.g. to automate post-processing on the malware server. In the list below, we only mention the RAT module message types, because they directly influence the control flow of the malware.\r\nSecondly, there can be multiple message types with the same functionality. This is due to the fact that Meh actually has two RAT modules implemented (perhaps for historical reasons, although we are not sure). 
The second RAT module, which runs in its own separate subthread, only has a few unique commands and they always carry numbers greater than 3000. This second module also has different RAT request periods, scaling up to four hours.\r\n1001, 3001 – Send victim information\r\nThe malware collects a lot of information about the victim, concatenates the collected values into a single string, compresses the output using zlib and encodes the result using base64. The result is sent to the C\u0026C server. The message contains the following values:\r\nLCID\r\nUsername in wide hexadecimal format\r\nComputer name\r\nParent process in wide hexadecimal format\r\nNumber of seconds since the user’s last interaction with the PC\r\nProcessor information\r\nGraphics information\r\nTotal physical memory in MB\r\nOS version from the registry (CurrentVersion\\\\ProductName)\r\nAdmin privileges\r\nMalware start time from epoch\r\nRunning AV name\r\nMeh malware version\r\nPort number\r\n1011, 1012 – Extracting and stealing further information\r\nThe difference between these two commands is which parameter is passed to a so-called lol.exe binary. This can be /stext or /shtml, which determines the output format of the extraction. The output is written to the %TEMP%\\\\skype.txt file and sent to the C\u0026C server afterwards.\r\nThe thing is, because of the lack of communication with the C\u0026C servers during our analysis, we cannot precisely say what kind of file lol.exe is. We have, however, a strong feeling from the context of the other commands that it is an arbitrary NirSoft binary that supports these commands. Given the “skype.txt” name, we would suppose that SkypeLogView is used here to steal Skype conversations. However, we cannot eliminate the possibility that e.g. 
a BrowsingHistoryView is used instead.\r\n1021, 1022 – Exploring the filesystem\r\nThe format of the output for an explored folder is:\r\nName|1 or 0 if folder or file|Created time|Last access|Size in bytes when it is a file|\r\nThe times are given in the format DD/MM/YYYY HH:MM.\r\nNote that the command 1021 also iterates through all disks and obtains information revealing whether each one is a fixed drive or a removable drive. This information is also appended to the response and sent to the C\u0026C server.\r\n1028 – Browser wipe\r\nThis functionality wipes all the personal data from users’ browsers by renaming or deleting the browser files and folders. These three browsers are terminated before the wipe is performed on them:\r\nFirefox\r\nGoogle Chrome\r\nOpera\r\nThe malware generates a random six-byte string (upper and lowercase letters only) which is appended to the name of the appropriate browser folder. This results in personal data loss in the eyes of the user, because upon startup the browsers recreate the browser folders and they look as they would after a clean installation.\r\nThese commands are executed by the malware to achieve the wipe (if the particular browser is present):\r\ncmd.exe /c cd /d \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Mozilla\\\" \u0026\u0026 move firefox firefoxXXXXXX\r\ncmd.exe /c cd /d \"C:\\Users\\\u003cuser\u003e\\AppData\\Local\\\" \u0026\u0026 move Google googleXXXXXX\r\ncmd.exe /c cd /d \"C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\\" \u0026\u0026 move Google googleXXXXXX\r\nwhere XXXXXX is the randomly generated string. Note that Google Chrome typically saves its data in the AppData\\Local folder.\r\nA different approach is chosen for the Opera browser. 
Instead of renaming the whole directory, the malware searches the C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Opera Software\\ directory for every file whose name contains the string cookie and removes each one it finds.\r\nConclusion\r\nIn this last part of the blog series, we described in detail the Meh password stealer payload previously unveiled from the MehCrypter. We looked at a wide range of functionalities this malware performs on its victims, including keylogging, cryptowallet stealing, advertisement fraud, coinmining, and a highly versatile RAT module which extends the functionality of Meh far beyond standard password stealers.\r\nIndicators of Compromise (IoC)\r\nThreat Research Team\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/janrubin/meh-2-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/janrubin/meh-2-2/"
	],
	"report_names": [
		"meh-2-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775439158,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de8b3f1aaf4b141d6e2145f746f6c74a6cadef00.pdf",
		"text": "https://archive.orkl.eu/de8b3f1aaf4b141d6e2145f746f6c74a6cadef00.txt",
		"img": "https://archive.orkl.eu/de8b3f1aaf4b141d6e2145f746f6c74a6cadef00.jpg"
	}
}