{
	"id": "1d0db800-ad5d-4e6b-a7d0-f3d29519f329",
	"created_at": "2026-04-06T00:19:46.318497Z",
	"updated_at": "2026-04-10T13:11:21.359312Z",
	"deleted_at": null,
	"sha1_hash": "e206d38ab09e09cf9821d1d49045fa5f4ea2a50b",
	"title": "Salfram: Robbing the place without removing your name tag",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4168725,
	"plain_text": "Salfram: Robbing the place without removing your name tag\r\nBy Holger Unterbrink\r\nPublished: 2020-09-03 · Archived: 2026-04-05 23:36:18 UTC\r\nThursday, September 3, 2020 11:05\r\nThreat summary\r\nCisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted\r\non legitimate file-sharing platforms to spread malware.\r\nThe campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and\r\nAveMaria, among others.\r\nOngoing campaigns are distributing various malware families using the same crypter. While effective, this\r\ncrypting mechanism contains an easy-to-detect flaw: The presence of a specific string value \"Salfram\"\r\nmakes it easy to track over time.\r\nObfuscated binaries are completely different, from both a binary and execution flow graph perspective.\r\nThe techniques used by this crypter can confuse weak API behavior-based systems and static analysis\r\ntools.\r\nThis crypter appears to be undergoing active development and improvement over time.\r\nExecutive summary\r\nOver the past several months, Cisco Talos has seen attackers carrying out ongoing email-based malware\r\ndistribution campaigns to distribute various malware payloads. These email campaigns feature several notable\r\ncharacteristics that appear designed to evade detection and maximize the effectiveness of these campaigns. The\r\nuse of web-based contact forms, legitimate hosting platforms, and a specific crypter make analysis and detection\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 1 of 24\n\nmore difficult. All of the malware samples associated with these campaigns feature a modified DOS header\r\ncontaining the string \"Salfram,\" making them extremely easy to track over time. The crypter used in these\r\ncampaigns is undergoing active development and improvements to obfuscate the contents of malware payloads.\r\nAdditionally, the crypter uses several effective techniques to make the detection and analysis of the final malware\r\npayload more difficult. It obfuscates the original payload binaries in a way that results in payloads that appear\r\ncompletely different from each other after being packed using the same crypter. It even takes a great amount of\r\neffort to compare the packed binaries in a disassembler and determine if the same packer was used.\r\nDistribution campaigns\r\nThe email distribution campaigns associated with these malware payloads feature characteristics designed to\r\nevade detection and make analysis and tracking more difficult. In most cases, the threat actor was initiating email-based communications with potential victims using the contact forms present on the victim organization's website.\r\nThis results in email communications that appear to originate from legitimate sources which may allow the\r\nadversaries to evade some email security mechanisms.\r\nIn the messages, the attacker purports to be the copyright owner of images that the attacker claims they found\r\nhosted on the target organization's website without their permission. The email contents are somewhat customized,\r\nlisting the target organization's domain as the website containing the infringing content and prompting them to\r\naccess a hyperlink present in the email. Figure 1 is an example of one of the emails associated with one of these\r\ncampaigns.\r\nFigure 1\r\nFigure 2 is another example of these emails, demonstrating how the contents of individual messages may change\r\nbased on the contact form and website configuration for the organization being targeted.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 2 of 24\n\nFigure 2\r\nIn analyzing malicious contact form submissions associated with these campaigns, we obtained information about\r\nthe system used to submit the form contents. The contact form submissions were performed via proxy servers\r\nusing an automated mechanism, such as scripting, to generate and submit the data.\r\nThe majority of the emails contained links to a malicious file hosted on Google Drive. The directory structure and\r\nparameter values rotate frequently across various emails. Figure 3 lists some examples of these URLs.\r\nFigure 3\r\nAgain, the use of a legitimate web platform for hosting the malicious content may provide another way for the\r\nattacker to evade various protections that may be deployed in environments that they are targeting. When the URL\r\nis accessed, the victim is delivered a malicious file, often a Microsoft Office document similar to the one in Figure\r\n4.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 3 of 24\n\nFigure 4\r\nThese documents contain malicious macros that initiate the infection process and are responsible for retrieving a\r\nmalicious payload and executing it to infect the system. The payloads delivered have varied over time. Over the\r\npast several months, we have observed campaigns being used to deliver various information stealers, banking\r\ntrojans and other malware loaders including but not limited to Gozi ISFB, ZLoader, SmokeLoader, Oski,\r\nAveMaria and Cobalt Strike payloads, among others.\r\nWe also discovered infection chains that deliver multiple payloads to a single victim as part of a multi-stage\r\ninfection process. While the payload delivery features several distinct malware families, in all of the campaigns\r\nobserved, the initial malware payloads used the same crypter, which obfuscates the malicious contents present in\r\nthe binary executable and make analysis more difficult. As shown in Figure 5 these samples can be quickly\r\nobserved as the packed samples feature a specific modification to the DOS stub:\r\nFigure 5\r\nThe next section describes how these techniques have been implemented and how to analyze samples that may\r\nhave been obfuscated using this crypter.\r\nTechnical overview\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 4 of 24\n\nThe obfuscation techniques used by this packer are not trivial, so it is surprising that all of the binaries observed\r\ncontained the easily-trackable string \"Salfram\" inside the DOS stub. Further investigation is required to determine\r\nif the packer is automatically modifying contents of the DOS stub or if this is being done by the actor behind the\r\ncampaigns.\r\nThe samples we analyzed have compiler or debug timestamps ranging from April 2019 to August 2020, but the\r\nmajority of samples are from January 2020 onward. The campaigns before are either quite small or just tests. The\r\nbinary structure of many of the samples is different, with differences ranging from minor changes all the way to\r\ncode execution flows that are completely different. Nevertheless, they share the same or at least a very similar\r\nlogic. It is hard to say if these changes are due to the use of different obfuscation features available within the\r\ncrypter, or the use of different versions of the crypter. Comparing the samples we analyzed, we believe it is a bit of\r\nboth — the crypter is frequently updated and actively maintained by the software author.\r\nThe following section describes a subset of the typical differences and similarities which we have observed when\r\nanalyzing samples leveraging this obfuscator.\r\nThe majority of the samples begin with a common initialization routine (security_init_cookie) and then jump to\r\nthe main unpacking function. This function may vary in different samples and even the start up looks different in\r\nthe newer samples. Figures 6 - 8 show the startup and unpacking functions in three different samples.\r\nFigure 6: Sample 4bfd547775ba5892e66d2ff6a0c1de4365ab11b3_exe.bin\r\n(946d4d332a06b9af10da38beb3e8195054840b59a870a2f9027e6471f4869dc6)\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 5 of 24\n\nFigure 7: Sample 9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n(9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63)\r\nFigure 8: Sample 64800a2f85e12090eea5109e05d969a08ae9850a_exe.bin\r\n(0c09ea2d5722a2484804bf8c4f051d66d8a95d23c19e5d1277a55cafd80b67be)\r\nWhat they all have in common is that they push many unpacking-related values to the stack and insert a large\r\nnumber of fake API calls in between. Figure 6 shows the nonsense arguments handed over to\r\nGetModuleFilenameA. Figure 9 shows another example of this:\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 6 of 24\n\nFigure 9\r\nThe other common feature is that the crypter breaks up the code into many basic blocks that are connected via\r\njumps and return instructions. Most are unconditional jumps, but there are also ones using conditions which are\r\nalways true or false — in other words, the code flow is always predefined. Further, especially at locations like\r\nnon-fake API calls, the code pushes the address of the next code block or API call to the stack and uses the return\r\ninstruction to jump to it. This results in spaghetti code that is difficult to decipher. Besides obfuscated disassembly\r\ncode, the fake API calls can also confuse weak behaviour-based detection systems and/or may be used to detect\r\ncertain emulation-based systems. Due to the amount of API calls, we haven't analyzed the latter in detail.\r\nThe next layer of protection comes with a bunch of self-modification routines. After it sets the stage hidden inside\r\nthe spaghetti code, the vast majority of samples execute a self-modification routine via \"call eax\" (Figures 10 and\r\n11).\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 7 of 24\n\nFigure 10: Sample 4bfd547775ba5892e66d2ff6a0c1de4365ab11b3_exe.bin\r\n(946d4d332a06b9af10da38beb3e8195054840b59a870a2f9027e6471f4869dc6)\r\nFigure 11: Sample 9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n(9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63)\r\nAgain, as shown in Figures 12 and 13, the code around this call looks different across different samples and even\r\nthe instructions used to decode the bytes which are to be modified are different across different samples.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 8 of 24\n\nFigure 12: Sample 4bfd547775ba5892e66d2ff6a0c1de4365ab11b3_exe.bin\r\n(946d4d332a06b9af10da38beb3e8195054840b59a870a2f9027e6471f4869dc6) decoding\r\ninstructions\r\nFigure 13: Sample 9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n(9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63) decoding instructions\r\nTracing over the instructions in x64dbg (Figure 14) shows the differences (Figure 15) in the decoding algorithm\r\nper sample.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 9 of 24\n\nFigure 14 - X64dbg trace over settings\r\nFigure 15\r\nLooking into the decoded bytes, the first 24 bytes are just rubbish to hide the real start of the function. The\r\nfunction later called starts at offset 24 and looks like Figure 16.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 10 of 24\n\nFigure 16: ZWAllocateVirtualMemory\r\nIt resolves the address of the native API call ZWAllocateVirtualMemory at address 00415003 in Figure 11 and\r\nexecutes it via the return instruction at 0041503D. It calls this and similar  functions several times while\r\nunpacking the final payload. The number of times varies based on the sample being analyzed. It fills these\r\nallocated buffers with helper functions which are used for further self modifications or unpacking procedures of\r\nthe payload. The last allocated buffer is then finally filled with the unpacked malware payload. The code used for\r\nthese steps varies across samples.\r\nSample 9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n(9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63) is adapting and then injecting the\r\npayload into its own PE image in memory at the end (Figure 17).\r\nFigure 17: Overwriting own PE image in memory with payload\r\nOther samples simply unpack the payload to the aforementioned buffer and jump into it (Figure 18) e.g. sample\r\nb95fe75736d19887ae4e3516c5cd9c7fa7caf763a138794f9aaecdee8d37f0b0. At the end, no matter the sample\r\nversion, they all use a \"jmp edx\" to hand over execution control to the payload (Figure 18 - first line).\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 11 of 24\n\nFigure 18\r\nThe last technique to mention is primarily observed in older samples, but it is hard to say if this is an evolution of\r\nthe packer or just an additional feature enabled while building the packed binary.\r\nHaving a closer look to the PE image in Figures 17 and 18 also shows that the samples even have different\r\nsegments. In other words, as previously mentioned, the diversity of samples packed with this crypter is quite high.\r\nIf you want to get an idea of all the different layers and self modifications we are providing two unpacking scripts\r\nfor the samples 9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n(9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63) and\r\n2d46c394a5c4722e7fccfd3bc92636b5a0b6fbec_exe.bin\r\n(b95fe75736d19887ae4e3516c5cd9c7fa7caf763a138794f9aaecdee8d37f0b0) in the Appendix of this post.\r\nOnly use these scripts for the samples mentioned in the header of the script. Be careful using them for other\r\nsamples released before this blog post. Anyone looking to dissect this more should be extremely careful with new\r\nsamples released after this blog post — it is very likely the adversaries will modify the packer. Keep in mind that\r\nthese scripts do not work for every sample. It is recommended to single-step through the scripts (TAB) to verify\r\nthat the different steps are working for the sample being analyzed.\r\nThe video below shows the unpacking process for sample\r\n9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n(9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63) which is the latest sample we\r\nlooked at. The file's timestamp suggests that it was built on Monday, Aug. 24, 2020.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 12 of 24\n\nEtt fel inträffade.\r\nDet går inte att köra\r\nJavaScript.\r\nConclusion\r\nThe email distribution campaigns associated with samples built using this crypter feature several notable\r\ncharacteristics designed to evade detection and make tracking and analysis more difficult. The use of web-based\r\ncontact forms demonstrates how adversaries can take advantage of any communications pathway to internal\r\nemployees to attempt to infect organizational systems with malware. And the inclusion of legitimate hosting\r\nplatforms makes it more difficult to respond to these campaigns — some organizations may require access to the\r\nsame platform for legitimate business purposes. The crypter used to obfuscate various malware families features\r\nseveral interesting techniques which are used to make analysis more difficult. The diverse list of malware families\r\nbeing distributed by adversaries creates a variety of risks to organizations which should be considered by\r\ndefenders who are responsible for security corporate environments. These campaigns and the refinement of the\r\nTTPs being used will likely continue for the foreseeable future\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this\r\npost. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 13 of 24\n\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.The following SIDs have been released to detect this threat: 54920, 54921.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise (IOCs) have been observed as being associated with attacks leveraging\r\nthis malware loader.\r\nFile Hashes (SHA256)\r\nThe following hashes are malicious binaries observed as associated with malware attacks leveraging this malware\r\nloader.\r\n00272dd639402fa76db43207d074fe52d4849e5d46008f786b944a789b09afc2\r\n00a27bcfb0940ff100f8ae4dce0eb122014926bd0541799989303a48c9327934\r\n010c432222ef81d02edb03bfea7e866c740d4ec2f181d6ccdaa8426cf8b390c4\r\n01453cb1e75f9a3cc2fd490c028adfcdaf63fbb63216a79379a507697dbf325e\r\n049c5f625953b02a7aba1c904a14851cdd998ea21ee1e604016f8ba37c952ed1\r\n051c33755b7bb0beec230c1f2af5d7880203ad2d75804719429e8054e7fb2edb\r\n06aa2c01416bce49d24834eedd47c2dd9dc75ae39053c72168c7cc1efdd76fcd\r\n0a6df8d51b26c7bd3a7376f6118049f1c37a91ee0b2f1ada2b86c561d1170e1b\r\n0b61ae1202d964bea67cea9d663c8530b11c1268bcea9439b949e669b3b3be7c\r\n0c09ea2d5722a2484804bf8c4f051d66d8a95d23c19e5d1277a55cafd80b67be\r\n0c8569e4304f46352b041dcb692f85c9e195130db2013d4f2216130603478035\r\n0c8fb7da34371d8c87ac3d892ceee0ba6353f00ff72d87eeebb0066d32aede56\r\n0d261d63162d4087a82d1f67012c781cc0aaa05fbe801566f9bffa8d23981736\r\n0d6aad4b3fe886c7d24286d333094bed9eb2c6d5ee3f7afb7fabbd1538f440e2\r\n0dd44c11dd1b2599b8afe1121a08be81eb4230c5f1bff335b521a74bf6baadcd\r\n12eb2aebb455cda2819b9a1e3d18d4adcebe76ec0ee94e7676d6633965ea190f\r\n13b155af2f1503def5c0cba197902e0669faf324ec039c80a332f66f8fa4578c\r\n1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66\r\n161dabd778b2d24a7cae425bc2349e3db840acf49222c6067359ec7a01d3e05e\r\n16464a294fc276ea38e4f8aedd7fa6d1f426036d42b342bde27bdc63b5c6658c\r\n1670b07e9f5ff620a7eb773f4119023c67911655fb43bd2872021d11d05c1b0f\r\n1be04e51510b2aafb51598838b97124a73952c46b17d3d1c38254dd6d94e82a7\r\n1d7680d04b5d5403b34205336ad9b9c993e6e091708da775c766e2ad5e8d8547\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 14 of 24\n\n9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63\r\n1df55177a6326406d491cd9b6d4951392e565dd13e597836684468de6fec52f1\r\n1f5e08770d900bd0eb4f3377b05083d645e1ac9bb92f08146cd2a625363bc0c7\r\n20013032b298d4632abacefea5b8a6b376746c21642a8f8a38e039fd237d3c47\r\n201493f9e767eac36acc868f6903b574d5c9fcb78b30c5be4c1e3358e0f0026d\r\n2026e97bd58d8848dbd55664417790d5ee804bc2fe86ad054cb6a304d2d39a6b\r\n219594d5b634d5f95904376a1cbd8ecde93b8cdd6cfb785069e51e7eccc78baa\r\n243b7b37f5544bbbbaf533f819d90b6702131fd09139d2d9d86a5a305f9ae63e\r\n25b24d6e39aecc3bd23e8ad26b66f6aeb29777a6038e611263dac2c586726fe7\r\n2b448e88df42c70da86e6df1a1c1cfe587fe9b8d5f075d3f6ae2572a7936af8f\r\n30ed17e5c4c4891e495af85476f5928e4d4249ee1ce305de6735e56604af2922\r\n32ff75054df9b2b9cefec2dcc9e4cb6cfb231bc7ad9be5a41e2d3fc37f15563b\r\n34f383ad792bd93bc10079ee7f2a620402f35c25655eb7f2621f4b4a0a7c74b7\r\n3685ce874b1abef3448d4c50ea0371e31a78afbae09287d3ff5d25953091659c\r\n3733c5093677fb3d4d73c7850fe399cfbf5e327ef3e151e5e279c4a9622928c5\r\n3f70f5fc0ef938508398fbdcda54f45cada78165fdd40d6ab95d7c2a59cadc6c\r\n431a34f1ab6dec2c646b408b9b5ce091882244fde39498484fc0c73390d8f7f0\r\n431d9d2618fb3fa040f17f106617a943a43933bd19bf5cc5e4a964aabaee5674\r\n45763478ad7f43aa83ebaaea28bafaac6835bec45bf8c6948cf5dd454b6e30c7\r\n468b1785ef8bb53970a37e5399ccda3d12854587a95967081281ba857f8d2c54\r\n468eb27c31a7c90e3c6fc3a708dc5f78cfc5c0f8f3d76213919ca6d4e21950c1\r\n471325daa2bc75f50856e93e9de088386556fc3ead653894d5c2a67f2a8b4975\r\n47b6fae16a8c59bf1be620cb167e2673af2e0ffa92503fadf101b4bd47132ed5\r\n4b3ff2b99ed45563241abdf5079986e2e895ff7a011a2530e6ab9da20fa14954\r\n4eb476010c782e251800a7850be86b5b206ffbabe5f30bca76d20e68b13fafaa\r\n526abd604aacfa30338c708974493d272d8ab09df53cd1db657c3666113fbca1\r\n532e67f58bdc181f0df5428f72356c58a0bcfbd85b721564242983ac6e1e39bc\r\n549eb886be64ac9d6d2817575f5d0d0f46c0c5602fedd29aa561ab3f05e3349e\r\n5557fd15d615f360af1aefa6a7e2bed3382e26bdabb08d7e5a8f0f9387449f3a\r\n56f9b54e1e16887d66b8b9b7ea71d610951c18662a132cf7c9900d67b9745e81\r\n5757ebcb5b2227615a6d3a795beeff4745037313939426f9c7f8061568bbd55d\r\n57c7f0bc7a487df329eb3e8b19debde9ce1821e250123227cdc2dfbdd8b1b766\r\n5942b57d50e389ec7be01bd5b4007249e3755064fe156941dfbe310f7fa53a73\r\n59fc347dac3dd1c78d62393589818b5417ca041d697d155040988b14562bc797\r\n5b819852f844200d4d0b6ecc66451734c7421a98086d552e354709180d86d2d3\r\n5b831fb067dfb53992bb8a346e4fc038de6441a94ad5a3932dc8bd64f80e56fc\r\n5bc775300f1d06d0f92f53ec9bd8d6a919fb07101d91af05c5308063e832c34e\r\n5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112\r\n5f287d8b207645d9cfb47ff2aacb7ed2a6769fa14b1fe78c45a73efc73f0a84c\r\n614dc6fb2ee570cc9d1782534a64a3ea2c0be9d213e806141bb28d23542f6c47\r\n6297c5e9a01f95d14ab4928e69bbc0f7cc4113b08f782e5ea9f04b1d1814b74b\r\n630c098ef8211c05e0e68008bcbed6e4402e580e9538817b56084dc301954426\r\n64965473405235f37a721d9fecafb4ccb0ca038a3014538eba80cd9943beb1d7\r\n6627f0ea1f8ac35ea8567a1677ed4c67e7429344a56a80a094706fcd6d063221\r\n6b2e0ce03329ccb773cbc31f68ea9a74991cd0445f9e69df3c8e01ab6498d2d5\r\n6ce892674ac5a9607abafaf1011210cf9cb8bec2dc683b8dbf3c71c5e75a47fd\r\n6d3ff9a1f4745625b44f5361e4d8d78b38898d24eddaf328c2448a2bb377c99a\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 15 of 24\n\n6f21364272988368a75692e2e30970ce18e625bd7b2bcb154353415b31816d4e\r\n6fee95a3e283d9ad09a399e99b086ef70c3679eb8ad548161bdfababe3da68fb\r\n725e1b82b882d693028f13e3a082a8a9f278b79ad5ade994ccc9414b4e46d32c\r\n72a744dcfd609870d53a513083d89a75c41c87d178025821963a1353216d0090\r\n72f7451a21dcf26ebba525994d312a06483ef3fda0ffcd6500e36b94dcf78681\r\n7556a3160ba28ac50418bb9989de2f83a5dfc54376a43500d16db7c3c76c04d4\r\n76776877cf663f9b3d5647b0efdf3e062cf41d7d4757371ed9ad4fc0d85d7179\r\n77dd0d459a930c4e2692f935d775f9aa6560e26b19715ee61c20ce6bdbcc8200\r\n7da2c8166c73f7f5cf4f8f07b3ad161fe7cac6aa87c6a2701cb7fdc74242dfa6\r\n827fb4f521e8f22fb91ee61d921d3287bab18c9f01d333139e4124c989d34c76\r\n8281d87c1343eed7d48c8d98043864ace2f0dade93628cbda7ebc2eb07c77dd7\r\n87c04cc74ea6e8958bcbc6319f7c1f8293d63ce4a2e34a3c99ba296e55fd0ff4\r\n88c23ddbc21c130588f88500c753138e1b03a55f4658ff199c247fd8ceee5bd3\r\n890eacb1a49d606586eb585ee0738f55ac76fb3a175016ad627532425ee19dc8\r\n8a237182974d55a414f91a6d657403fafc8b79685ff1a73562758b333aeea590\r\n8be791cfaf6dbe2f1022406cbab97c3f53a084abd5b7e2ede043bd10de268352\r\n915f41dbb8a500f22f5aa346a0b6eff9db5fb6149b936968476ad585694688c5\r\n91f7787447cdaaec0f0feb10440bc2cb2c48ec8f3ce96a49719cbb9a20b3667d\r\n91f9f150e8a010ac25cdfd1a5489dd87f5e4af1d1daf8d12710748fb49396f67\r\n932b193e475a885c612b6610ad40177e65fc18eba76485e7da690cd4c9c5894a\r\n942331c18f6435087cc15c1012f4b4c9c7265d6ffaef0650aadb6ce4064c5c3c\r\n9444adaa9f6597a02f2e7f889b65db228c489658e0a81c28a3ac2d51f88b5e3c\r\n946d4d332a06b9af10da38beb3e8195054840b59a870a2f9027e6471f4869dc6\r\n98c59ba70665df6ff4bbabbad56b11ea24e1bb478fd0547a02dbfbacd6bbfdf4\r\n99fe4effb3bd5d31a6c9b740f693460042e9b327b6e6d78aaa04d40762784c8f\r\n9a6b7c1ebfe3ba98cbfc7d3cdd67fdb34dcf86b411eb7502c3e6d865084742b6\r\n9c2eb5790e7874950db0e51764ba68bb4a0fa5be68b659717c73363883da0db7\r\n9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed\r\na2387ef5d3af113c8c902f478df1c2d7f7a7acf729873b13508c1f1915bf5000\r\na27f8297924f2318e1e4d2da534be65806198a6e9d53c905a79ed3f93f5c52a9\r\na2e7f64c3d584a25a35bdedec0d394033a2ebb54d3457e09ceea3a623c208491\r\na654dbed7f65e6e6b8830e42b137fd85ddce872dc29ca006e8f7653f0aadcac7\r\na66f6d5fe714527cc94af30695cbabc44dd2fc355bc8e917e77350f35b0c6852\r\na770fcb1791d4a1c1037921403f936fb699b4e86df500abc41cb7fa1d762e302\r\na7b83a87772511641557b1ace41c478ecf6f1be0e1585cf6ce170cbaab16d6bb\r\na8231bdd44d469fd1a30464e238d0efa7c257566f301dae2fd80bdc43893b5d2\r\naa33731aa48e2ea6d1eaab7c425f9001182c0e73e0226eb01145d6b78d7cb9eb\r\naaa7efb4c15a71baff014071a71aa08f17e71c433016b2a0f05caac5f35adbe5\r\nab24760ec387919fc8d177510f39f36ac0ee011f8349faf63456e83aa0e50944\r\nad2b0478c0c3c717f6dabb96a6e957ea000462a8f8792f1c73868f9e894e037a\r\nadce8f29cb6cbbc44f5566031370753da43ea431ad3aeb11a6fc2186d571c957\r\nb1c6c7afedd5fdf67d7e9bbec952945e31c136785de3bc33313aede44f1696cf\r\nb240ff47de5859d0428c980a30a36a787e141761e8d7c8b2db8ab2364d226a94\r\nb29c4a567b439ef6072e41c38091c0f8d4d2bc0955d60062169f35e4a1cf9de4\r\nb3cb381f114ec9c163335509a217bbe1c6baa8d2cf5655b5ff84fd8d0a28dc9a\r\nb6a02bdf54b97688fda5137215e5237bd9df650bb052094dbc37947b59a93122\r\nb71a38ed297eff72a77fbbefa8f326a0c752f0f4fb5d80d1bf8e393824e99223\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 16 of 24\n\nb8e75cbb6e4c360fec71e12b85f3c5e4933e66a64928ff4d337ebe6a6cc9150f\r\nb95349e88b1c800c3cb84bd3875aa556c7107900567b9cffb54047bafa364dc1\r\nb95fe75736d19887ae4e3516c5cd9c7fa7caf763a138794f9aaecdee8d37f0b0\r\nba5fa7cc1a918b866354f4a5d9d92ceb3965ff81eb96e1608f190bccf12d38e6\r\nbb33e0b91b1b38802b2bfd5654d3888dee17959c6f07d3ce67dbac278712a402\r\nbc275cd76478e4d3387740dd955d9b9b5b36f064656ecb1e1cea9b8649eec57d\r\nbc2c5e2692df4493a1bbc9364689f1b7c532964497512065d3693cae50214860\r\nbcf19173facde547cd07eb8495bd48e8eea67c4f2441d4239e883f264744de7e\r\nc12c749cbb465484968bf99c46a51ce717620ddee2a5cd9b0168b104b604ba42\r\nc1665f6717238ba405059e44533e1fb7ad35798bb3d8b6ebb29cf0428241d721\r\nc50b34da0b0d1cc4728e4af9ae2c921df26ef71869bba0d5f9a24caa229529c9\r\nc679503d8fe5e6b127af12142f8a3ae32e94ef0751337de67c9dcb4dea180987\r\nc772f069931f2c0429bea0919fd7238de92618e6bea9e6581129656f6d86170c\r\nca4214e15181e52923f713771455f5709e4baa13626cad85b735734cf66d36db\r\nca9d4a7488644ce5fa20248e388291d60ca4a3bfe783acae4f02821618d1563f\r\nccb8e17d3df37549a3dbdb31f3b5e03b8fbb3ddf9462cf962518c8e0312cdb56\r\ncda685d0e85b2f28c00d145da358edc3748357786455965af86a3b0b292051fd\r\nce30c658a17cdced008ca04ea67f5ddb4c3c8d9042fe700ea89731c3d631628b\r\nd175b76aae5c16a5870df88cadc1d147c78a4977cc8dd4b213224e031cbcb7fb\r\nd3255ed380e290f4992701d1c10a3f65580b5e0aff384ab4308a8202d71f38a8\r\nd3639a02c300ab5f1063c7000fc8fa9eda8b69ac98840e5e49e26ea578274c4d\r\nd4d3cb3f7ffed9e1847a3b47a41d1da3c649374cd1d4772baaa95e62735ac3ca\r\nd7bcc39c42e66f4d7ce42d49aadbd63ac541e39889dc72ee41d140c919a92d85\r\nda5d88c3090b95ab3bca96669880af7a39b7d8ce9a206ec1bb558086ccacff41\r\nde5947af1ec1e205ed4c953359a8ca9b6a72dc4ffc81ce1048969553d440c265\r\ndeb8e521c4509a83b61d96291efe3cdaf2379c953f0590433d98a0bbd6bc82ab\r\ndf638bde1ffafcfb7a25fe30b631d549299f9502f23efc47fc5efaa118e96b97\r\ne0b15c5b68a21db7a86f92689c5df63d343a52e3e7b09d19f3ffbf941b32c4d1\r\ne0f5471baf3e0e4b3eb3711f89479a910fe68b75ad53070c58302821ddb84220\r\ne38c9a5d62aec8a807336ef40668f82a9bf764a8102fe464ee7f82041e007bee\r\ne5a6108aa4f8be08c8192590ab2b3231e9a33277ead76a0420557258220383be\r\ne655f1afb49be062cded5683df9292ff4cd602ad5d6f648dddd8778af13c44e2\r\ne6b30d246362081d7cb76a4d21584f6dbcff535812aed8e9675c17ca518c0242\r\neafbd21a0f9f082fa2e94e010569d7fa8512d978087c2633d652b865b922465a\r\nec1efcb050ec701c4a5895215e8a5ff9a89faf5b56976975de4e3846577841f0\r\nee42a34b83f4c27c57ebfa79f78d4702cdf5c845443b929b9e9d3246409aacca\r\nf1d43050a57365d41f2ec6ac3f73f1ddf9fa454c8b96aa5aa30749490b5a5fd4\r\nf29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99\r\nf38a38d97bd96a42e8c3f985f1e65daca97dce229b36c8c80c9229666826f325\r\nf431b5b6dc04208fe9ffc89eafd94c92d1383857d17702240f14aa19f538b3aa\r\nf6c96250359377ca85340b8c2c7253dd4f8fb5b1b8bf87d9fbce45ae40fe5417\r\nf6ebd6f0fe20fe561d1cf5d6aea5201712a0eabf4624c863a5ab6d44b1f57755\r\nfc856c48ddb5be64f343a482faaece641542c06e9a52556c16a8a80f973347ad\r\nfd03a9145d89c102799e5719608a28da681c1289352eb1d40b557cc667ba2ad0\r\nfd95fc2bc6b3362454dc6a0f0aa03f8c481ece2442e544b4ea0d9b0f81cd8b8c\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 17 of 24\n\nfe0d4a9ac1d0e3a626b44357e4469f402b9dad3f020776ecf771da693a782d61\r\nff5fc5c5318fa051992c7c3408d203f306c13b5fcd9400f860f734ce47a3b676\r\nDomains\r\nThe following domains have been observed during various portions of the malware infection process.\r\n123pcloud[.]com\r\n92g938uextmgvb7rllv8wcad[.]biz\r\n98iudjsandsas[.]info\r\ndf1[.]kamalak[.]at\r\naes[.]one\r\namfibiyapolyakova[.]com\r\napi3[.]lamanak[.]at\r\naskyourspace[.]com\r\nbanisdor[.]top\r\nbanudarog[.]com\r\nbanusle[.]top\r\nbasa[.]nutarborg[.]com\r\nbnxhbc25hwcv8b8afawhevzw[.]biz\r\ncalmstill[.]xyz\r\ncheneer[.]org\r\nchoksaiiwkokskkall[.]info\r\ncmck4vve6e24wdktsc9n8l1izi7eb9[.]biz\r\ncrocopexpire[.]ug\r\ncromecho[.]com\r\ncupersip[.]com\r\ndailystepstowardsuccess[.]com\r\ndasifosafjasfhasf[.]com\r\ndeliverynice[.]club\r\ndksadjsahnfaskmsa[.]com\r\ndksdjasi92iejdnfsa[.]info\r\ndksjdsajdiei28uj2[.]info\r\ndodontrami[.]com\r\ndrysetfirst[.]com\r\ndsdjfhd9ddksaas[.]pro\r\ndsdjfhdsufudhjas[.]com\r\ndsdjfhdsufudhjas[.]pro\r\ndsjdjsjdsadhasdas[.]com\r\ndskdsajdsadasda[.]info\r\ndskdsajdsahda[.]info\r\ndskjdsadhsahjsas[.]info\r\ndwajfjaiakdnsandks[.]com\r\ndweandro[.]com\r\nesplody[.]org\r\nfastandstrongwolf[.]com\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 18 of 24\n\nfdsjfjdsfjdsdsjajjs[.]com\r\nfdsjfjdsfjdsjfdjsfh[.]com\r\nfedex-tracking[.]press\r\nfindulz[.]com\r\nfredoam[.]com\r\nfslakdasjdnsasjsj[.]com\r\ngiridly[.]com\r\ngstat[.]rayzacastillo[.]com\r\nhaponebitold[.]com\r\nheclinggotof[.]com\r\nidisaudhasdhasdj[.]com\r\nidsakjfsanfaskj[.]com\r\niloveyoubaby1[.]pro\r\ninfinitydeveloperspes[.]info\r\ninformatioshopname[.]ru\r\nipnfbqg2raz3asn4j631ha453bbr4h[.]biz\r\nislacangrejo[.]fun\r\nj2888hennene[.]site\r\njdafiasfjsafahhfs[.]com\r\nkasfajfsafhasfhaf[.]com\r\nkdsidsiadsakfsas[.]com\r\nline[.]largefamiliesonpurpose[.]com\r\nline[.]lawnteam[.]org\r\nline[.]monalisapizzeriasi[.]com\r\nline[.]rllconsulting[.]com\r\nline[.]zepcnc[.]com\r\nlink[.]paichecafe[.]com\r\nlink[.]philippeschellekens[.]com\r\nmanutobis[.]top\r\nmenosita[.]top\r\nmesoplano[.]com\r\nmorenodorf[.]com\r\nmifastubiv[.]ru\r\nmorentok[.]top\r\noajdasnndkdahm[.]com\r\nodoncrol[.]com\r\noi2jidsdjsdd[.]info\r\nopetileon[.]ru\r\norderrys[.]com\r\npaiancil[.]com\r\npetronasconn[.]ru\r\nphanleb[.]com\r\npics[.]crystalridgedesigns[.]com\r\npleclep[.]com\r\nprocinul[.]com\r\nredsobabtert[.]com\r\nretordownty[.]com\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 19 of 24\n\nrolhorabdidn[.]ru\r\nrygotunren[.]ru\r\nservice[.]pandtelectric[.]com\r\nshoolman[.]ca\r\nsiciliyaopartion[.]ru\r\nsl9xa73g7u3eo07wt42n7f4vin5fzh[.]biz\r\nsmarteyecare[.]in\r\nsoletrobuse[.]ru\r\nstaycalm[.]club\r\nstoutorder[.]xyz\r\nsweleger[.]com\r\nsyndicationtwimg[.]site\r\ntelete[.]in\r\nteoresp[.]com\r\ntoptopcoorp[.]info\r\ntoptopcop[.]info\r\ntwiitter[.]website\r\nukronet[.]ru\r\nunverifiedintigoosjai[.]info\r\nweksrubaz[.]ru\r\nwp[.]quercus[.]palustris[.]dk\r\nwunchilm[.]com\r\nyamaha[.]ug\r\nzonculet[.]com\r\nIP Addresses\r\nThe following IP addresses have been observed as being infrastructure used for delivery and post-compromise\r\nnetwork communications as part of these malware campaigns.\r\n109[.]248[.]11[.]134\r\n109[.]94[.]209[.]7\r\n139[.]60[.]161[.]58\r\n141[.]255[.]166[.]149\r\n142[.]93[.]110[.]250\r\n166[.]62[.]30[.]148\r\n179[.]43[.]147[.]73\r\n185[.]153[.]196[.]209\r\n185[.]158[.]249[.]63\r\n185[.]252[.]144[.]191\r\n188[.]127[.]230[.]211\r\n192[.]155[.]111[.]215\r\n193[.]38[.]55[.]23\r\n193[.]38[.]55[.]92\r\n194[.]67[.]78[.]65\r\n195[.]123[.]209[.]4\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 20 of 24\n\n195[.]123[.]214[.]163\r\n195[.]140[.]164[.]58\r\n195[.]201[.]225[.]248\r\n31[.]148[.]99[.]73\r\n31[.]184[.]253[.]171\r\n31[.]184[.]253[.]248\r\n31[.]44[.]184[.]125\r\n31[.]44[.]184[.]50\r\n34[.]240[.]96[.]52\r\n40[.]81[.]188[.]85\r\n45[.]84[.]227[.]231\r\n46[.]20[.]33[.]219\r\n47[.]241[.]8[.]147\r\n47[.]57[.]89[.]207\r\n5[.]101[.]51[.]172\r\n5[.]188[.]62[.]165\r\n5[.]63[.]159[.]168\r\n62[.]108[.]35[.]53\r\n78[.]46[.]233[.]14\r\n80[.]249[.]144[.]38\r\n80[.]78[.]254[.]167\r\n84[.]38[.]181[.]209\r\n84[.]38[.]183[.]147\r\n84[.]38[.]183[.]162\r\n84[.]38[.]183[.]181\r\n85[.]143[.]222[.]85\r\n88[.]80[.]186[.]83\r\nAppendix\r\nX64dbg Unpacking scripts:\r\nScript 1:\r\n// Unpacker script for sample 2d46c394a5c4722e7fccfd3bc92636b5a0b6fbec_exe.bin\r\n// (b95fe75736d19887ae4e3516c5cd9c7fa7caf763a138794f9aaecdee8d37f0b0)\r\n//\r\n// Author: Holger Unterbrink (twitter: hunterbr72)\r\n//\r\n// This script should show the logic of the packer, it is not an optimized unpacking script\r\n//\r\n// Load sample and go to entry point, then execute script:\r\n// (there are some race conditions, single step (TAB) through the script)\r\n//\r\n//\r\n// find first call eax\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 21 of 24\n\nTraceOverConditional ReadByte(cip)==FF\u0026\u0026ReadByte(cip+1)==D0\r\n// unpacked code stored in [csp], offset 24 begin of code, first 24 bytes are only used for obfuscation\r\nmov $code, [csp] + 24\r\nlog \"Selfmodded code at: {0}\", $code\r\nStepOver\r\nbp $code\r\nrun\r\n// run until return\r\nTraceOverConditional dis.isret(cip)\r\n//pause\r\nbc\r\nStepInto\r\nmov $codeptr, [csp+8]\r\nbp cip\r\nrun\r\n// from here some samples are different, some allocate more buffers, some less\r\nrun\r\nrun\r\nrun\r\nmov $codeptr, [csp+8]\r\nStepOver\r\nStepOver\r\nStepOver\r\nStepInto\r\nmov $code, [$codeptr]\r\nbc\r\nSetHardwareBreakpoint $code,r,1\r\nlog \"Final payload at: {0}\", $code\r\nrun\r\nbphc\r\n// run until jmp edx - OEP unpacked payload\r\nTraceOverConditional ReadByte(cip)==FF\u0026\u0026ReadByte(cip+1)==E2\r\nlog \"Dump payload malware at: {0}\", $code\r\nret\r\nScript 2:\r\n// Unpacking script for sample 9679f2690d31cee38e57f080656b8618ca474c65_exe.bin\r\n// (9b28aa737bbfec90341c6a42e2d44f3308659e4fb9dd42d98a0b46cde7aaed63)\r\n//\r\n// Author: Holger Unterbrink (twitter: hunterbr72)\r\n//\r\n// This script should show the logic of the packer, it is not an optimized unpacking script\r\n//\r\n// Load sample and go to entry point, then execute script:\r\n// (there are some race conditions, single step (TAB) through the script)\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 22 of 24\n\n//\r\n//\r\n// find first call eax\r\nTraceOverConditional ReadByte(cip)==FF\u0026\u0026ReadByte(cip+1)==D0\r\n// unpacked code stored in [csp], offset 24 begin of code, first 24 bytes are only used for obfuscation\r\nmov $code, [csp] + 24\r\nlog \"Selfmodded code at: {0}\", $code\r\nStepOver\r\nbp $code\r\nrun\r\nTraceOverConditional dis.isret(cip)\r\n//pause\r\nbc\r\nStepInto\r\n// set breakpoint at \u003cntdll.ZwAllocateVirtualMemory\u003e\r\nbp cip\r\n// save ptr to allocated memory\r\nmov $bufferptr, [csp+8]\r\nStepOver\r\nStepOver\r\nStepOver\r\nStepOver\r\nmov $code1, [$bufferptr]\r\n// change to Dump 1\r\ndump $code1\r\nSetHardwareBreakpoint $code1,r,1\r\n// this takes a while, only hit tab once, be patient\r\nrun\r\nbphc\r\n// Dump1 get filled\r\nStepOver\r\nStepOver\r\n// unpacked and jmp to memory alloc (ZwAllocateVirtualMemory) function\r\nrun\r\n// break at ZwAllocateVirtualMemory, set bp to allocate buffer\r\nmov $bufferptr, [csp+8]\r\nStepOver\r\nStepOver\r\nStepOver\r\nStepOver\r\nmov $code2, [$bufferptr]\r\n// change to dump2\r\ndump $code2\r\nSetHardwareBreakpoint $code2,r,1\r\nrun\r\n// break at ZwAllocateVirtualMemory, set bp to allocated buffer\r\nmov $bufferptr, [csp+8]\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 23 of 24\n\nStepOver\r\nStepOver\r\nStepOver\r\nStepOver\r\nmov $code3, [$bufferptr]\r\n// change to dump3\r\ndump $code3\r\nSetHardwareBreakpoint $code3,r,1\r\nrun\r\n// Dump2 get filled\r\nStepOver\r\n// you can keep the code2 bp if you want to see the decoding of the buffer\r\nbphc\r\n// re-enable code3 bp\r\nSetHardwareBreakpoint $code3,r,1\r\nrun\r\nbphc\r\n// code buffer3 is filled (1st part of decoded payload)\r\nTraceOverConditional dis.isret(cip)\r\nTraceOverConditional dis.isret(cip)\r\nTraceOverConditional dis.isret(cip)\r\n// first part of payload PE unpacked, further fixing PE\r\nStepOver\r\n// ZwProtectVirtualMemory changing 0019FF3C to ERW\r\nTraceOverConditional dis.isret(cip)\r\n// overwrite org PE image in memory at 0x400000 Len 0x2B00\r\nTraceOverConditional ReadByte(cip)==F3\u0026\u0026ReadByte(cip+1)==AA\r\n// fix org. PE header (first 200Byte)\r\nTraceOverConditional ReadByte(cip)==F3\u0026\u0026ReadByte(cip+1)==A4\r\nbc\r\nStepOver\r\nTraceOverConditional ReadByte(cip)==FF\u0026\u0026ReadByte(cip+1)==E2\r\n// hand over control flow to payload malware\r\nlog \"Payload OEP: {edx}\"\r\nSource: https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nhttps://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html\r\nPage 24 of 24",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html"
	],
	"report_names": [
		"salfram-robbing-place-without-removing.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434786,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e206d38ab09e09cf9821d1d49045fa5f4ea2a50b.pdf",
		"text": "https://archive.orkl.eu/e206d38ab09e09cf9821d1d49045fa5f4ea2a50b.txt",
		"img": "https://archive.orkl.eu/e206d38ab09e09cf9821d1d49045fa5f4ea2a50b.jpg"
	}
}