- SHA256: dedb8516befa4a5088000b8c7f699dae7f33761403dd355a14684ac89ff56a9a
- Filename: Unknown
- Filetype: DLL
- File size: 39KB
From here on, the above DLL will be referred to as “downloader.dll”. The file is capable of:
- Downloading files
- Interacting with a C2 server
This is an older file that was first identified around October 2021.
Downloader.dll is a downloader capable of downloading a file from a hardcoded command and control (C2) server. A follow-on stage was not identified.
The file disguises itself as an extension for Foxit Reader. Foxit is a software company that develops document formatting tools and is based in the U.S. and China.
Upon running the DLL, a request is made to online-manual.c1[.]biz, and a file is downloaded to %TEMP%. Looking at the strings output of the file, there is a large base64 encoded string that when decoded, appears to be a batch file as seen below.
@echo off
cd /d %TEMP%
:WAITING
timeout /t 1
if not exist "a.log" (goto WAITING)
del /f /q "a.log"
install.bat
del /f /q "%~dpnx0"
Again analyzing just the strings, we see a call to run the batch file via the following command:
cmd /c cd /d "%TEMP%" && temp.bat
One can only assume that the downloaded file is then processed by another command run via the DLL:
cmd /c expand "%s" -F:* "%s" && del /f /q "%s" && echo OK > a.log
The “%s” placeholders are format specifiers filled in at runtime, most likely with the path of the downloaded file. We can see from the above output that the file is deleted once the command completes.
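The strings-to-batch-file step above can be automated. The following helper is an added example, not code from the original post: it scans a strings dump for long base64 runs, decodes each one, and flags any that decode to a batch script. The strings sample and the marker list are constructed for this example.

```python
import base64
import re

# Markers that suggest a decoded blob is a Windows batch script, drawn from
# the script recovered from downloader.dll (@echo off / goto loop / del /f /q).
BATCH_MARKERS = (b"@echo off", b"goto ", b"del /f /q", b"timeout /t", b"%TEMP%")

# Candidate base64 runs: 40+ chars of the base64 alphabet plus optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def decode_candidates(strings_output: bytes):
    """Yield (encoded, decoded) pairs for every base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(strings_output):
        blob = m.group(0)
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error: bad padding or stray characters
            continue
        yield blob, decoded

def find_embedded_batch(strings_output: bytes, min_markers: int = 2):
    """Return decoded blobs that look like batch scripts (>= min_markers hits)."""
    hits = []
    for _blob, decoded in decode_candidates(strings_output):
        score = sum(1 for marker in BATCH_MARKERS if marker in decoded)
        if score >= min_markers:
            hits.append(decoded)
    return hits

# Constructed sample standing in for `strings downloader.dll`: the batch script
# from the write-up, base64-encoded, surrounded by unrelated strings.
BATCH_SCRIPT = (
    b"@echo off\r\ncd /d %TEMP%\r\n:WAITING\r\ntimeout /t 1\r\n"
    b'if not exist "a.log" (goto WAITING)\r\ndel /f /q "a.log"\r\n'
    b'install.bat\r\ndel /f /q "%~dpnx0"\r\n'
)
SAMPLE_STRINGS = b"\n".join([
    b"!This program cannot be run in DOS mode.",
    b"FoxitReaderExtension",
    base64.b64encode(BATCH_SCRIPT),
    b'cmd /c cd /d "%TEMP%" && temp.bat',
    b"kernel32.dll",
])

if __name__ == "__main__":
    for script in find_embedded_batch(SAMPLE_STRINGS):
        print(script.decode("ascii", "replace"))
```

Point it at real `strings` output by reading the file as bytes and passing it to find_embedded_batch.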
The above infrastructure was tied to a possible Konni campaign by Black Lotus Labs in late November 2021.
- cmd /c expand "%s" -F:* "%s" && del /f /q "%s" && echo OK > a.log
- cmd /c cd /d "%TEMP%" && temp.bat
Basic Snort/Suricata Rule
# Threshold window assumed to be 60 seconds; the original rule read "seconds m".
alert tcp $HOME_NET any -> any any (msg:"Probably shouldn't run in production. Possible Konni DLL download URL"; content:"index.php/user_id="; content:"&type="; threshold:type limit, track by_src, count 1, seconds 60; sid:999999; rev:1;)
Unfortunately, the C2 is likely no longer active, and this sample crashes when run in a sandbox. Still, this is an interesting sample that is likely tied to Konni, and learning occurred, so that is always a win!
Thank you for reading.