type: analysis | family: unclassified-pe32 | confidence: low | created: 2026-06-04 | updated: 2026-06-04
tags: pe32, malware-family, loader, evasion, delay-import, borland, version-info-masquerade
SHA-256: 027aeb2eb48324793e661258ae668502e2a6bbd97ec2858dd0d26b25455f78b7

unclassified-pe32: 027aeb2e — 9.6 MB PE32 with packed 9.5 MB .K"* code section, Borland/CodeGuard exports, masqueraded "Microsoft Edge" identity

Executive Summary

A 9.6 MB 32-bit Windows GUI executable with a near-maximum-entropy 9.5 MB packed code section named .K"*. Static analysis reveals Borland/CodeGuard debugging stubs, a deliberately throttled standard IAT of only 17 imports, and an extensive delay-import table spanning 14+ system DLLs. Version info claims "Microsoft Edge" from "Mcrosoft Corporaton" with PE compilation timestamp of March 2018, but the .rsrc icon resources carry an April 2019 timestamp — a one-year fabrication gap. No hardcoded C2 IOCs were recovered from strings. CAPE detonation was unavailable (no Windows guest). Family unattributed; treated as a probable packed loader or trojanized application.

What It Is

Field | Value | Provenance
SHA-256 | 027aeb2eb48324793e661258ae668502e2a6bbd97ec2858dd0d26b25455f78b7 | ^[triage.json]
Type | PE32 executable (GUI) Intel 80386, 14 sections | ^[file.txt]
Size | 9,619,456 bytes (~9.6 MB) | ^[triage.json]
Original filename | KYLYFOTORES.exe | ^[triage.json]
Linker version | 10.8 (Visual C++ 2010 toolset compatible) | ^[exiftool.json], ^[rabin2-info.txt]
Compiler ID (Ghidra) | borlandcpp (misidentification or actual Borland C++ build) | ^[ghidra:metadata]
Entry Point | RVA 0x976138 (section .K"*) | ^[pefile.txt]
Compilation timestamp (PE header) | Wed Mar 28 16:59:26 2018 UTC | ^[pefile.txt:64]
Resource timestamp | Fri Apr 5 15:15:41 2019 UTC | ^[pefile.txt:937]
Signed | False / unsigned | ^[rabin2-info.txt]
Version-info masquerade | "Microsoft Edge", "Mcrosoft Corporaton", v1.0.3.43 | ^[exiftool.json:36–41]
DllCharacteristics | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE | ^[pefile.txt:104]
Anti-analysis signals | Minimal IAT + heavy delay imports; possible packed code | ^[pefile.txt:510–932]
Capa (Mandiant) | Not executed (signature path missing on host) | ^[capa.txt]
FLOSS | Failed (arg parsing error: /tmp/ path treated as --no value) | ^[floss.txt]
CAPE | Skipped: no Windows machine available | ^[dynamic-analysis.md]

How It Works

Section Layout

Thirteen of fourteen PE sections have SizeOfRawData == 0 in the file on disk, yet carry non-zero VirtualSize values. This is consistent with a packer or self-extractor that maps raw data into uninitialized virtual pages at load time.

Section | VirtualSize | RawSize | RawPtr | Entropy | Notes
.bss | 0x3CC8C0 | 0 | 0 | 0.0 | uninitialized code/data
.text | 0x38DC | 0 | 0 | 0.0 | tiny stub (empty on disk)
.data | 0x38F00 | 0 | 0 | 0.0 | uninitialized
.pdata | 0x7AAC | 0 | 0 | 0.0 | exception directory placeholder
.idata | 0x3F70 | 0 | 0 | 0.0 | import descriptor placeholder
.rdata | 0x134C | 0 | 0 | 0.0 | read-only data placeholder
.edata | 0x71 | 0 | 0 | 0.0 | export directory placeholder
.tls | 0x5C | 0 | 0 | 0.0 | TLS directory placeholder
.rodata | 0x5D | 0 | 0 | 0.0 | read-only data placeholder
.lv# | 0x5429E8 | 0 | 0 | 0.0 | additional placeholder
.c_w | 0x100 | 0x200 | 0x400 | 1.16 | only section with raw data
.K"* | 0x917290 | 0x917400 | 0x600 | 7.99 | sole executable payload ^[pefile.txt:341]
.rsrc | 0x14806 | 0x14A00 | 0x917A00 | 6.69 | manifest, version info, 13 PNG icons
.reloc | 0x3A8 | 0x400 | 0x92C400 | 4.02 | base relocations

The .c_w section at file offset 0x400 contains a 512-byte table of values with no immediately obvious structure (possibly an import table reconstruction stub or decryption constants). The .K"* section contains 9.5 MB of near-random bytes (entropy 7.99 / 8.0), confirming heavy packing, encryption, or compressed payload storage.

Import Surface

Standard IAT (17 imports)

The binary exposes a deliberately small standard import table:

  • winmm.dll: timeGetTime
  • wininet.dll: InternetCloseHandle
  • comctl32.dll: FlatSB_SetScrollInfo
  • ws2_32.dll: htons
  • shell32.dll: SHGetFolderPathW
  • user32.dll: MoveWindow
  • version.dll: GetFileVersionInfoSizeW
  • oleaut32.dll: SafeArrayPutElement
  • WTSAPI32.DLL: WTSUnRegisterSessionNotification
  • advapi32.dll: RegSetValueExW
  • msvcrt.dll: isupper
  • winhttp.dll: WinHttpGetIEProxyConfigForCurrentUser
  • kernel32.dll: GetVersion, GetVersionExW
  • SHFolder.dll: SHGetFolderPathW
  • wsock32.dll: gethostbyaddr
  • ole32.dll: IsAccelerator
  • gdi32.dll: Pie

These 17 imports are sufficient to bootstrap: time measurement, HTTP session cleanup, special-folder resolution, proxy awareness, registry writes, and GUI element movement — but notably absent are file-creation, process-creation, or memory-allocation primitives via standard IAT.

Delay Imports (14+ descriptors)

The delay-import table includes 100+ functions across 14 DLLs, among them:

  • kernel32: IsWow64Process, GetTickCount64, GetNativeSystemInfo, GetSystemTimes
  • user32: MessageBoxA, SetGestureConfig, SystemParametersInfoForDpi
  • msimg32: GradientFill, AlphaBlend
  • advapi32: RegDeleteKeyExW
  • Crypt32: CryptDecodeObject, PFXImportCertStore, CertOpenStore, CertFindCertificateInStore
  • gdiplus: 30+ image-rendering functions including GdipLoadImageFromStream, GdipCreateFromHDC
  • DWMAPI, uxtheme, imm32, Shcore, shell32, windowscodecs

This is a classic evasion technique: the delay import table is not resolved until first use, so static scanners examining the standard IAT see a harmless footprint, while the full hostile capability is loaded lazily at runtime. The heavy gdiplus and uxtheme usage also suggests a polished GUI shell, possibly to masquerade as a legitimate application.

Exports

Two named exports are present:

  • __dbk_fcall_wrapper (RVA 0x11618)
  • dbkFCallWrapperAddr (RVA 0x40E648)

These are Borland/CodeGuard runtime debugging wrappers. Presence of these exports does not guarantee a Borland-built binary (they can be linked into any MSVC project that uses legacy Borland-compiled libraries), but it is consistent with older C++ toolchain mixing or deliberate linker obfuscation. ^[pefile.txt:507–508]

Embedded Resources

The .rsrc section contains:

  • 13 RT_ICON entries (sizes from 0x2E8 to 0x74AE bytes)
  • 1 RT_GROUP_ICON named "MAINICON" (English / US)
  • 1 RT_VERSION entry with the masqueraded metadata
  • 1 RT_MANIFEST entry embedding the Common Controls v6 manifest with Windows 7–10 compatibility GUIDs ^[pefile.txt:933–1309]

Binwalk identifies a standalone 256×256 PNG at file offset 0x919E4C within .rsrc, followed by zlib-compressed data at 0x919E75. The PNG itself is a legitimate-looking icon (common for trojanized application masquerades). The zlib-compressed data has not been extracted for inspection; it is presumed to be further compressed icon bitmap data of the kind typical of Windows icon bundles. ^[binwalk.txt]

Interesting Tidbits

  • Timestamp contradiction: PE header claims March 2018 compilation; .rsrc timestamps are stamped April 2019 — a one-year fabrication gap. The linker version (10.8) predates the resource compilation date, suggesting either a delayed build pipeline or deliberate anti-forensic manipulation. ^[pefile.txt:64], ^[pefile.txt:937]
  • Misspelled vendor: Mcrosoft Corporaton (missing the i) in the VS_VERSIONINFO block. This is a low-skill opsec error observed in many masquerade trojans. ^[exiftool.json]
  • No C2 strings: Despite winhttp, wininet, and ws2_32 imports, not a single IP, domain, or URL was recovered from the 13,596-line strings output. Either C2 resolution is runtime-generated (DGA, pastebin pull, etc.) or the payload fetches a secondary stage from a well-known CDN or domain that does not appear in cleartext. ^[strings.txt]
  • FLOSS failure: The FireEye FLOSS decoder exited immediately due to an argument-parsing bug where the sample path was misread as a --no value. This prevented stack-string and tight-string decoding. A working reconstruction would require manual command construction or a newer FLOSS version. ^[floss.txt]
  • CAPE unavailable: No dynamic analysis was possible because the CAPE sandbox did not have a matching Windows guest for PE32 GUI binaries at the time of analysis. All behavioral claims in this report are inferred from static imports and section metadata. ^[dynamic-analysis.md]

C2 Infrastructure

No hardcoded indicators were recovered. Static inference only:

  • Proxy-awareness via WinHttpGetIEProxyConfigForCurrentUser suggests the binary adapts its network path to the victim's IE proxy settings. ^[pefile.txt:630]
  • winhttp + wininet + ws2_32 + wsock32 provide four distinct network transports (HTTP/WinHTTP, WinInet, raw TCP/UDP, and legacy Winsock). This redundancy suggests a resilient C2 that fails over across transport mechanisms.
  • gethostbyaddr (Winsock) and htons (ws2_32) in the standard IAT imply at least some DNS or IP resolution happens early — possibly before delay imports are resolved.

No attributional evidence: no code-signing certificate, no language-specific strings, no PDB paths, no build ID. Family remains unattributed.

How To Mess With It (Homelab Replication)

Not recommended for replication in its current form due to unknown payload behavior, but the packing pattern is reproducible for research:

  1. Build a Win32 GUI app in MSVC 2010 (or Borland C++ Builder) with a small legitimate import table.
  2. Link with /delayload for all heavy API imports (Crypt32, gdiplus, winhttp, uxtheme).
  3. Pack the .text and .data sections into a custom-named section (e.g. .K"*) using a self-written stub or a commercial packer that supports section renaming.
  4. Zero out SizeOfRawData for all pre-packed sections and set VirtualSize to the uncompressed size.
  5. Add version-info masquerade with a misspelled vendor string.
  6. Verify with pe-bear or CFF Explorer that the standard IAT is under 20 entries while delay-import count remains high.

Deployable Signatures

YARA Rule

rule unclassified_pe32_027aeb2e_masquerade {
    meta:
        description = "Detects PE32 samples with minimal IAT, heavy delay imports, and 'Mcrosoft' masquerade"
        author = "PacketPursuit"
        date = "2026-06-04"
        sha256 = "027aeb2eb48324793e661258ae668502e2a6bbd97ec2858dd0d26b25455f78b7"
    strings:
        $ms_typo = "Mcrosoft Corporaton" nocase ascii wide
        $ms_edge = "Microsoft Edge" nocase ascii wide
        $sec1 = ".K\"*"
        $sec2 = ".lv#"
        $sec3 = ".c_w"
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and filesize > 9MB
        // every declared string must be referenced or the compiler rejects the rule;
        // the "Microsoft Edge" product name corroborates the section-name arm
        and ($ms_typo or ($ms_edge and $sec1 and $sec2 and $sec3))
}

Sigma Rule

title: Suspicious PE32 with Minimal IAT and Excessive Delay Imports
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '.exe'
        Signed: 'false'
    condition: selection
    # Post-processing enrichment (EDR / Sysmon):
    # - Verify import count < 25 AND delay-import DLL count > 10
    # - Cross-reference with process creation of unsigned GUI EXE > 9 MB
falsepositives:
    - Legitimate self-extracting installers (rarely have misspelled version info)
level: medium

Behavioral Fingerprint

An unsigned 32-bit Windows GUI binary larger than 9 MB with fewer than 20 standard IAT imports but more than 14 delay-import descriptors. The standard IAT includes RegSetValueExW, SHGetFolderPathW, and WinHttpGetIEProxyConfigForCurrentUser. Version info claims "Microsoft Edge" from a misspelled "Mcrosoft Corporaton". The .rsrc section contains 13+ PNG-format icons with a resource timestamp one year newer than the PE header compilation timestamp. On launch, the binary resolves delay imports lazily; no C2 strings are present in the static file.

Detection Signatures

Capability | ATT&CK Technique | Evidence
Registry modification for persistence or configuration | T1547.001 (Registry Run Keys) / T1112 (Modify Registry) | advapi32.RegSetValueExW in standard IAT ^[pefile.txt:610]
Proxy configuration discovery | T1016 (System Network Configuration Discovery) | WinHttpGetIEProxyConfigForCurrentUser in standard IAT ^[pefile.txt:630]
Special-folder resolution (AppData, Desktop, Startup, etc.) | T1083 (File and Directory Discovery) | SHGetFolderPathW imported from both shell32.dll and SHFolder.dll ^[pefile.txt:560], ^[pefile.txt:651]
Multi-transport network capability | T1071 (Application Layer Protocol) + T1071.001 (Web Protocols) | winhttp, wininet, ws2_32, wsock32 all present ^[pefile.txt:520–662]
Certificate store access | T1553 (Subvert Trust Controls) / T1649 (Steal Crypto Wallet) | CertOpenSystemStoreW, CryptDecodeObject, PFXImportCertStore in delay imports ^[pefile.txt:882–932]
GUI masquerade / version-info forgery | T1036.005 (Match Legitimate Name or Location) | "Microsoft Edge" / "Mcrosoft Corporaton" version block ^[exiftool.json]
Delay-import evasion | T1027.002 (Obfuscated Files or Information: Software Packing) | 14+ delay-import descriptors for heavy API surface ^[pefile.txt:683–932]

References

  • SHA-256: 027aeb2eb48324793e661258ae668502e2a6bbd97ec2858dd0d26b25455f78b7
  • Artifact ID: 78126340-d8bd-4f41-b4be-b73a80ee51f3
  • Family page: unclassified-pe32
  • Related concepts: version-info-masquerade
  • Related techniques: delay-import-evasion (no dedicated page yet)

Provenance

  • file.txt: file(1) output identifying a PE32 GUI executable with 14 sections. ^[file.txt]
  • exiftool.json: Version-info resource parsing by ExifTool 12.76 showing typo masquerade. ^[exiftool.json]
  • pefile.txt: Full PE header, section, import, delay-import, export, resource, and relocation dumps via pefile Python library. ^[pefile.txt]
  • rabin2-info.txt: radare2 rabin2 -I summary. ^[rabin2-info.txt]
  • binwalk.txt: Binwalk signature scan showing PNG icon and zlib data inside .rsrc. ^[binwalk.txt]
  • strings.txt: All printable strings extracted by strings -a -n 4. 13,596 unique strings, none matching known C2, IoT, or cryptocurrency wallet patterns. ^[strings.txt]
  • floss.txt: FLOSS (flare-floss) execution log showing arg-parsing failure. ^[floss.txt]
  • capa.txt: Capa execution log showing missing signature path. ^[capa.txt]
  • dynamic-analysis.md: CAPE sandbox status output (skipped — no Windows guest). ^[dynamic-analysis.md]
  • Ghidra: Import result showing borlandcpp compiler ID, x86 LE 32-bit, 15 memory blocks, 0 instructions / 0 functions resolved at import time (analysis not run due to timeout). ^[ghidra:metadata]
  • radare2: Opened with baddr 0x400000, entry0 at 0x00d76138, 26,145 total functions identified by afl (not all named). ^[r2:entry0]