type: analysis | family: euone | confidence: medium | created: 2026-05-30 | updated: 2026-05-30 | tags: pe, installer, delphi, evasion, obfuscation
SHA-256: 0c9236cfdf676b4b62e409fbf08b7dd39905d641e54e4e66d3d705ec274be337

euone: 0c9236cf — Delphi VCL installer, 202 KB RCData payload, fabricated 1992 timestamp

Executive Summary

Delphi 7-era PE32 GUI installer (setup_euone.bin). OpenCTI and MalwareBazaar tag it as both euone and gcleaner. Standard VCL form with obfuscated captions and a 202 KB custom-named RCData resource that dominates the binary and likely carries the compressed payload. No CAPE detonation was possible (no Windows guest); assessment is static-only.

What It Is

| Field | Value |
|---|---|
| SHA-256 | 0c9236cfdf676b4b62e409fbf08b7dd39905d641e54e4e66d3d705ec274be337 |
| Filename | setup_euone.bin ^[metadata.json] |
| Type | PE32 executable (GUI) Intel 80386, 8 sections ^[file.txt] |
| Size | 1,111,552 bytes |
| Linker | Major 0x2 / Minor 0x19 (Borland/Delphi 2.25) ^[pefile.txt:49-50] |
| Timestamp | 0x2A425E19 — Fri Jun 19 22:22:17 1992 UTC (fabricated Borland default) ^[pefile.txt:38] ^[rabin2-info.txt:11] |
| Entry point | 0xC5D00 (CODE section) ^[pefile.txt:54] |
| Signed | No ^[pefile.txt:256] |
| Packed | No — standard Delphi section layout; CODE entropy 6.56 is in line with compiled VCL ^[pefile.txt:96] |
| Exports | None ^[pefile.txt:244] |

The binary is a native x86 Delphi application with no .NET runtime, no UPX packing, and no digital signature. Eight sections match the classic Borland/Delphi pattern: CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc ^[pefile.txt:80-235].

How It Works

  1. GUI bootstrap — On launch the VCL runtime creates a single form of class Tke5rhiwr with caption 3rqefdas and a checkbox labelled CheckBox1 ^[strings.txt:6546-6564]. This is a minimal fake-options screen typical of adware bundlers.

  2. Resource extraction — The binary carries a custom-named RCDATA resource under type RTIRTWERQQ and ID TJERTIER6, sized 202,244 bytes with entropy 7.37 ^[pefile.txt (resource dump via Python)]. The first DWORD of the resource is 0x31600 (202,240 decimal), suggesting a size-prepended compressed or encrypted blob. This resource constitutes ~18 % of the total file and is the probable payload container. The binary imports FindResourceA, LoadResource, LockResource, and SizeofResource, giving it everything needed to map this blob into memory at runtime ^[pefile.txt:414-425].

  3. Registry queries — Reads SOFTWARE\Borland\Delphi\RTL and locale keys during VCL initialization. This is standard Delphi runtime behaviour, not malicious on its own ^[strings.txt:42,52,53].

  4. SOAP / Web Services framework — The strings and PACKAGEINFO resource list heavy SOAP/XML units (SOAPHTTPTrans, HTTPUtil, WinInet, WSDLBind, WSDLNode, etc.) ^[strings.txt:6488-6505] ^[pefile.txt (PACKAGEINFO dump)]. These come from the statically linked Delphi Web Services framework. No actual network C2 imports are present in the IAT; URLDownloadToCacheFileA appears in strings but URLMON.DLL is not in the import table, indicating a library artifact rather than an active downloader ^[strings.txt:3977-3978].

  5. File / process capability — Imports CreateFileA, WriteFile, DeleteFileA, CreateThread, VirtualAlloc, LoadLibraryA, and GetProcAddress. This is sufficient to write a secondary file to disk and spawn it ^[pefile.txt:4531-4537]. No CreateRemoteThread, WriteProcessMemory, or process-injection APIs are imported.
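As an added example (not the report's own one-shot pefile script from the Provenance section), the triage checks from step 2 applied to any RCDATA or custom-named resource: size-prepended DWORD, Shannon entropy, and share of the whole file. The 7.0 entropy and 10 % size cut-offs, the function names, and the pseudo-random stand-in blob are assumptions; pefile is only needed for the on-disk walker.

```python
import math
import random
import struct
from collections import Counter

try:
    import pefile  # only walk_resources() needs it; the blob triage runs without it
except ImportError:
    pefile = None

RCDATA_TYPE_ID = 10        # RT_RCDATA
ENTROPY_THRESHOLD = 7.0    # bits/byte; compressed or encrypted data sits above this (assumed cut-off)
FRACTION_THRESHOLD = 0.10  # one resource holding >10 % of the whole file is unusual (assumed cut-off)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_rcdata(blob: bytes, file_size: int) -> dict:
    """Entropy, share of file, and size-prefix check (in the sample: 0x31600 == 202,244 - 4)."""
    entropy = shannon_entropy(blob)
    fraction = len(blob) / file_size if file_size else 0.0
    first = struct.unpack_from("<I", blob)[0] if len(blob) >= 4 else None
    size_prefixed = first is not None and 0 <= len(blob) - first <= 8  # DWORD counts the bytes after it
    return {"size": len(blob), "entropy": entropy, "fraction": fraction, "first_dword": first,
            "size_prefixed": size_prefixed,
            "suspicious": entropy > ENTROPY_THRESHOLD and fraction > FRACTION_THRESHOLD}

def build_constructed_sample() -> bytes:
    """Constructed stand-in for the 202,244-byte resource: size DWORD + 202,240 random bytes."""
    body = random.Random(0x31600).randbytes(202_240)  # pseudo-random filler, not the real payload
    return struct.pack("<I", len(body)) + body

def walk_resources(path: str) -> list:
    """Triage each RT_RCDATA leaf and each leaf under a custom-named type (e.g. RTIRTWERQQ)."""
    if pefile is None:
        raise RuntimeError("pefile is not installed")
    pe, out = pefile.PE(path), []
    res_dir = getattr(pe, "DIRECTORY_ENTRY_RESOURCE", None)
    for rtype in (res_dir.entries if res_dir else []):
        if rtype.name is None and rtype.id != RCDATA_TYPE_ID:
            continue  # icons, version info, etc. are not the payload carrier
        type_label = str(rtype.name) if rtype.name is not None else "RT_RCDATA"
        for rid in rtype.directory.entries:
            for lang in rid.directory.entries:
                blob = pe.get_data(lang.data.struct.OffsetToData, lang.data.struct.Size)
                rec = triage_rcdata(blob, len(pe.__data__))
                rec.update(type=type_label, id=str(rid.name) if rid.name is not None else rid.id)
                out.append(rec)
    return out
```

Running `walk_resources` over a Delphi binary also surfaces the DFM forms (TPF0 blobs, low entropy) so they can be compared against the one oversized high-entropy entry.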

Decompiled Behavior

Ghidra was queued for background analysis but had not completed at time of reporting. No pseudo-C is available. The entry point at 0xC5D00 lies in the CODE section; no obvious decryption loops or XOR stubs are visible in the first few kilobytes of raw bytes. Manual decompilation would be required to recover the exact resource-loader routine.

C2 Infrastructure

None observable from static analysis. No hardcoded IPs, domains, URLs, mutexes, or named pipes. The 202 KB RCData payload is opaque; any C2 would reside inside it and can only be recovered through detonation or manual unpacking.

Interesting Tidbits

  • Fabricated timestamp — 1992-06-19 22:22:17 is the classic untouched Borland/Delphi PE timestamp. Age heuristics that rely on compile time will misclassify this as ancient warez rather than a modern PUP installer ^[pefile.txt:38].
  • Obfuscated VCL identifiers — Class name Tke5rhiwr, resource type RTIRTWERQQ, and resource ID TJERTIER6 are random-looking alphanumeric strings. Delphi adware bundlers frequently rename form classes to evade shallow string signatures ^[strings.txt:6546].
  • FLOSS / CAPA failures — floss.txt records a CLI argument error (--no misparsed); capa.txt reports a missing signature database. Neither produced actionable output, so no decoded-string or capability overlays exist for this sample ^[floss.txt:1-6] ^[capa.txt:1-6].
  • No anti-analysis — Zero debugger, VM, or sandbox indicators in the string table. Evasion relies on social engineering (setup wizard masquerade) rather than technical countermeasures.

How To Mess With It (Homelab Replication)

  • Toolchain: Borland Delphi 7 Professional (or Free Pascal / Lazarus with VCL compatibility). Target Win32, GUI application.
  • Build steps: Create a new VCL Forms project. Drop a TCheckBox on the form. Set Caption to a random string (e.g., 3rqefdas). Change the form class name from TForm1 to a random string (e.g., Tke5rhiwr). Use Project → Options → Application to embed a custom RCDATA resource with a non-standard type name.
  • Compiler flags: Default Delphi release build. The linker will stamp the default Borland timestamp unless explicitly overridden.
  • Verification: The resulting PE should show 8 sections (CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc), no exports, no signature, and DVCLAL / PACKAGEINFO inside .rsrc.
  • What you'll learn: How Delphi installers stage compressed payloads in custom RCDATA entries, and why the 1992 timestamp is a recurring false positive in compile-age heuristics.

Deployable Signatures

YARA

import "pe"

rule euone_delphi_installer_202605 {
    meta:
        description = "Delphi VCL installer with obfuscated RCDATA payload (EUOne/GCleaner family)"
        author = "PacketPursuit"
        date = "2026-05-30"
        sha256 = "0c9236cfdf676b4b62e409fbf08b7dd39905d641e54e4e66d3d705ec274be337"
    strings:
        $delphi_borland = "SOFTWARE\\Borland\\Delphi\\RTL" ascii
        $dfm_magic = "TPF0" ascii
        $dvclal = "DVCLAL" ascii
        $obfuscated_form1 = "Tke5rhiwr" ascii
        $obfuscated_res1 = "RTIRTWERQQ" ascii
        $obfuscated_res2 = "TJERTIER6" ascii
    condition:
        uint16(0) == 0x5a4d and
        pe.number_of_sections == 8 and
        pe.sections[0].name == "CODE" and
        pe.sections[1].name == "DATA" and
        pe.sections[7].name == ".rsrc" and
        any of ($delphi_borland, $dfm_magic, $dvclal) and
        any of ($obfuscated_form1, $obfuscated_res1, $obfuscated_res2)
}

Behavioral hunt query

import "pe"
import "math"
rule euone_delphi_rcdata_hunt {
    // Caveat: this sample's carrier sits under the named type RTIRTWERQQ, which the numeric RCDATA test below does not see
    condition:
        pe.number_of_sections == 8 and pe.sections[0].name == "CODE" and
        pe.sections[1].name == "DATA" and pe.sections[7].name == ".rsrc" and
        pe.number_of_exports == 0 and
        for any i in (0..pe.number_of_resources - 1) : (
            pe.resources[i].type == pe.RESOURCE_TYPE_RCDATA and
            math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.0)
}

IOC list

| Type | Value | Source |
|---|---|---|
| SHA-256 | 0c9236cfdf676b4b62e409fbf08b7dd39905d641e54e4e66d3d705ec274be337 | metadata.json |
| Filename | setup_euone.bin | metadata.json |
| Form class | Tke5rhiwr | strings.txt:6546 |
| Form caption | 3rqefdas | strings.txt:6550 |
| Resource type | RTIRTWERQQ | pefile resource dump |
| Resource ID | TJERTIER6 | pefile resource dump |
| Resource size | 202,244 bytes | pefile resource dump |
| Resource entropy | 7.37 | Python entropy calculation |

Behavioral fingerprint

This binary is a native x86 Delphi VCL GUI installer presenting a single checkbox form with an obfuscated caption. It contains an unusually large (>200 KB) custom-named RCDATA resource that exceeds the CODE section in size and exhibits high entropy consistent with compressed or encrypted content. No overt C2 APIs are imported; runtime behaviour likely consists of mapping the resource into memory, decompressing or decrypting it, and writing a secondary executable to disk before execution.

Detection Signatures

  • CAPA: Unavailable — signature database missing at analysis time ^[capa.txt:1-6].
  • ATT&CK mapping (static-only; largely unconfirmed):
    • T1105 — Ingress Tool Transfer: inferred from resource extraction and file-write API imports.
    • T1071 — Application Layer Protocol: not confirmed — no network imports observed.
    • T1547.001 — Registry Run Keys: not confirmed — only registry-read imports present.

References

  • OpenCTI artifact ID: 17b1dfae-41bd-416c-a86a-6c3c689464d0 ^[metadata.json]
  • Entity page: euone
  • Related gcleaner cluster samples in corpus: 675d1742..., d65f14e5..., 90989061...

Provenance

  • File type identification: file (builtin) ^[file.txt]
  • PE parsing: pefile (Python library) ^[pefile.txt]
  • Strings extraction: strings (GNU binutils) ^[strings.txt]
  • Binary metadata: radare2 rabin2 ^[rabin2-info.txt]
  • Resource extraction & entropy: custom Python/pefile script (one-shot, see terminal history)
  • Dynamic analysis: None — CAPE skipped due to lack of Windows guest at detonation time ^[dynamic-analysis.md:3]