Dear blog readers,
Continuing the “When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com – Part Four” blog post series, in this post I’ll analyze the next malicious software binary, which I obtained by data mining the Conti Leaks with a lot of success.
The actual malicious software binary location URL:
hxxp://www.delwarren.com/backup/nowin.exe
MD5: 320dd151aed6a181d84e63f78cf801f0
SHA-1: 573e93bb5075ec74ec3c45eaf4190af8e315a429
SHA-256: c366c4e26ec3d2698a94dc04afb58dad429d6c28dff1820d53e277e108103f8f
Here’s the analysis.
High-confidence classification
nowin.exe is a Windows x86 network backdoor whose primary behaviors are:
- persistent/repairable multi-threaded C2 beacons (keeps up to 3 concurrent worker threads),
- a custom C2 application protocol (length-framed + lightweight obfuscation using a constant marker),
- remote command execution (via system() with captured output),
- interactive command shell (cmd.exe) over the network,
- a secondary, more complex relay-based shell channel negotiated using a SOCKS-like control exchange.
The overall design is typical of a small bespoke RAT/backdoor: connect to a hardcoded controller, identify/beacon, then loop receiving commands which dispatch into a few core capabilities.
Runtime / threading model
Process start and initialization
- entry_point (0x40383c) and runtime_init (0x40357c) implement standard CRT initialization and single-init locking.
- Initialization uses:
  - InterlockedCompareExchange guarding a global init lock (g_init_lock at 0x407504),
  - g_init_state (0x407500) to track initialization progress.
Worker thread redundancy (up to 3 concurrent)
- backdoor_worker_thread (0x4019a0) is the main C2 loop.
- It increments/decrements g_active_thread_count (0x4074c0) under g_thread_count_lock (0x40749c).
- On certain failures, or after certain commands, it respawns itself via _beginthread(backdoor_worker_thread, 0, 0) for as long as g_active_thread_count < 3 holds.
This provides resilience: if a connection drops or a thread exits, the malware will try to maintain a small pool of active connections.
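The pool-of-three-with-respawn behaviour described above leaves a recognisable footprint in per-process network telemetry. The following is an added example (not code from the original post or from the sample) that walks a list of constructed connect/close events and flags a process that reaches several concurrent connections to one destination and keeps re-establishing them after drops; the event layout, PIDs, image names and the destination 203.0.113.10 (a TEST-NET documentation address) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry. Each event is
# (timestamp_seconds, pid, image, action, dst_ip, dst_port), action in {"connect", "close"}.
# One process behaves like the backdoor's worker pool, one like an ordinary client.
EVENTS = [
    (0,  4120, "nowin.exe",   "connect", "203.0.113.10", 443),
    (1,  4120, "nowin.exe",   "connect", "203.0.113.10", 443),
    (2,  4120, "nowin.exe",   "connect", "203.0.113.10", 443),
    (30, 4120, "nowin.exe",   "close",   "203.0.113.10", 443),
    (31, 4120, "nowin.exe",   "connect", "203.0.113.10", 443),  # worker respawned
    (60, 4120, "nowin.exe",   "close",   "203.0.113.10", 443),
    (61, 4120, "nowin.exe",   "connect", "203.0.113.10", 443),  # worker respawned
    (5,  2210, "browser.exe", "connect", "198.51.100.7", 443),
    (6,  2210, "browser.exe", "connect", "198.51.100.7", 443),
    (7,  2210, "browser.exe", "close",   "198.51.100.7", 443),
]


def find_beacon_pools(events, pool_size=3, min_reconnects=2):
    """Return {(pid, image, "ip:port"): (peak_concurrent, reconnects)} for every
    process that reaches `pool_size` simultaneous connections to one destination
    and then reconnects at least `min_reconnects` times after a close, i.e. the
    "respawn while active_thread_count < 3" pattern seen in the sample."""
    open_conns = defaultdict(int)   # key -> connections currently open
    peak = defaultdict(int)         # key -> highest concurrent count observed
    reconnects = defaultdict(int)   # key -> connects that followed a close
    saw_close = defaultdict(bool)   # key -> has any connection been closed yet
    for _ts, pid, image, action, dst_ip, dst_port in sorted(events):
        key = (pid, image, f"{dst_ip}:{dst_port}")
        if action == "connect":
            open_conns[key] += 1
            peak[key] = max(peak[key], open_conns[key])
            if saw_close[key]:
                reconnects[key] += 1
        elif action == "close" and open_conns[key] > 0:
            open_conns[key] -= 1
            saw_close[key] = True
    return {k: (peak[k], reconnects[k]) for k in peak
            if peak[k] >= pool_size and reconnects[k] >= min_reconnects}


if __name__ == "__main__":
    for (pid, image, dst), (p, r) in find_beacon_pools(EVENTS).items():
        print(f"{image} pid={pid} -> {dst}: peak={p} concurrent, reconnects={r}")
```

Thresholds are tunable; a legitimate client that opens a burst of parallel connections but never re-establishes them after a drop is not flagged.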
C2 infrastructure and basic socket operations
Hardcoded controller address
- C2 IP: 88
[…]
This article has been indexed from Security Boulevard.