family: hippamsascom
confidence: high
created: 2026-06-16
SHA-256: 341165a42115d7aec4fbff23f6ada1273fd55902721a005ac4b88575baa97a4a

hippamsascom: 341165a4 — Harvey-Abernathy masquerade, 221-export semantic flood, PEB-walker self-loader

Sixth confirmed sibling in the hippamsascom self-loading dropper cluster. MSVC 14.50 x64, zero IAT, 221 ML-themed exports resolving to 19 unique RVAs. Masquerades as "quantifying invoice Business Manager" by Harvey - Abernathy. Fabricated Authenticode with a Harvey - Abernathy Intermediate CA cross-signed to DigiCert. Decrypts a 0x27800-byte embedded PE from .data via a custom stream cipher into RWX memory and manually maps it. No CAPE detonation available; all behaviour is inferred from static analysis.

Build / RE

Toolchain: MSVC 14.50 (Visual Studio 2022), pure C, x64 Release ^[exiftool.json], ^[rabin2-info.txt]. PE32+ GUI, 7 sections, ImageBase 0x140000000 ^[file.txt], ^[pefile.txt].

Import Table: Zero IAT. IMAGE_DIRECTORY_ENTRY_IMPORT VA=0, Size=0 ^[pefile.txt:223–224]. Every API is resolved at runtime via PEB-walking export hash lookup (DJB2-like) ^[ghidra:FUN_14002d650].

Exports: 221 named exports mapping to 19 unique RVAs (~11.6:1 collision ratio), same pattern as prior siblings ^[pefile.txt:339+]. Names are pure ML/DevOps jargon (ActivationOrchestration, CheckpointNodeRotate, RagdollAttentionOrchestration, SafeAreaPacketLossDiscover, StreamerEmitterNDCG) ^[strings.txt:59–273]. This is the semantic-jargon-export-obfuscation technique.

Anti-Analysis / Evasion:

  • Parent-process / sandbox gate at entry (FUN_14002d9c0). Resolves NtQueryInformationProcess (hash 0xd011d5fc) and GetSystemInformation (hash 0x97f7a6ce) via the PEB-walker. Queries ProcessDebugPort (class 0x5a) and ProcessBreakOnTermination (class 0x59), comparing a hash of the returned buffer against the constants 0xbd98a9e5, 0x42b21a5a, 0x262b0ca7, 0x73baf0f5. Also checks the raw values 0x419 and 0x423 (likely a parent-process hash or CPUID) ^[ghidra:FUN_14002d9c0].
  • Payload is a custom stream-cipher encrypted PE embedded in .data. FUN_14002dac0 allocates RWX memory (VirtualAlloc, hash 0x7efcf23b), copies ciphertext from rip-relative DAT_140031100, decrypts via FUN_14002c440 with 128-byte key material at DAT_140031000, then manually maps the decrypted image (FUN_14002db80 verifies MZ magic 0x5a4d) and resolves further APIs by hash (VirtualProtect hash 0x663724d9, plus 0xffe2b74, 0x7170f028, etc.) ^[ghidra:FUN_14002dac0], ^[ghidra:FUN_14002db80].

Signing: Authenticode PKCS#7 in the security directory (offset 0x91008, length 9974) ^[binwalk.txt], ^[strings.txt:774+]. Leaf CN Harvey - Abernathy, issuer Harvey - Abernathy Intermediate CA 1. SANs include harveyabernathy.com, *.harveyabernathy.com, www.harveyabernathy.com, harveyabernathy-davon.tech, *.harveyabernathy-davon.tech, www.harveyabernathy-davon.tech, ca.harveyabernathy.com, intermediate.harveyabernathy.com, https://www.harveyabernathy.global ^[strings.txt:788–858]. Cross-signed to DigiCert Assured ID Root CA and DigiCert Trusted Root G4 ^[strings.txt:774–850], ^[binwalk.txt].

Version-Info Masquerade: VS_VERSIONINFO claims CompanyName: Harvey - Abernathy, FileDescription: quantifying invoice Business Manager, FileVersion: 2.8.3351, InternalName: quantifyinginvoice.exe, OriginalFilename: quantifyinginvoice_client.exe, ProductName: quantifying invoice, Comments: Based on .NET architecture ^[exiftool.json], ^[pefile.txt:301+]. The .NET claim is misdirection — the binary is native C with no CLR runtime.

Embedded Resources: PNG icon 256×256 in .rsrc at offset 0x60120 ^[binwalk.txt]. Dialog resources IDD_DIALOG422 through IDD_DIALOG433 ^[pefile.txt:561+].

Code Quality: No stack canary (canary: false) ^[rabin2-info.txt]. No CFG, no PDB path (stripped), no SafeSEH (not applicable on x64). Debug directory absent. This is a release-build malware binary.

Deploy / ATT&CK

All ATT&CK mappings are static inference. CAPE detonation was skipped — no Windows guest available ^[dynamic-analysis.md].

Technique                         ID         Evidence
Masquerading                      T1036.002  "quantifying invoice Business Manager" by Harvey - Abernathy ^[exiftool.json]
Obfuscated Files or Information   T1027      Semantic export name flooding (221 names → 19 RVAs) ^[pefile.txt]
Software Packing                  T1027.002  Custom stream cipher + in-memory PE mapping ^[ghidra:FUN_14002dac0]
Native API                        T1106      PEB-walking hash resolver ^[ghidra:FUN_14002d650]
Code Signing                      T1553.002  Fabricated Harvey - Abernathy intermediate CA ^[strings.txt], ^[binwalk.txt]
Evade Detection                   T1497      Anti-debug gate (ProcessDebugPort / ProcessBreakOnTermination) ^[ghidra:FUN_14002d9c0]
Process Injection (inferred)      T1055      Self-loader maps decrypted PE into RWX memory ^[ghidra:FUN_14002dac0]

C2 Infrastructure: No hardcoded IPs, domains, or URLs in static strings. C2 resolution is runtime-decoded inside the encrypted payload. The presence of ShellExecuteA/W and SHCreateDirectoryExW resolution in sibling samples suggests the mapped payload may be a downloader or dropper.

Persistence: Unknown without dynamic execution. Typical siblings place payloads in %APPDATA% or Startup via ShellExecute/SHCreateDirectoryExW, but this is speculation.

Attribution / Clustering:

  • Confirmed sixth sibling of the hippamsascom cluster (after Emard LLC, Hane Group, Littel LLC, Olson Group, and stripped variant 630202e6). Same build pipeline: MSVC 14.50, zero IAT, PEB-walking, semantic export obfuscation, fabricated Authenticode with campaign-specific intermediate CA, self-loading encrypted payload ^[entities/hippamsascom.md].
  • New masquerade identity: Harvey - Abernathy / "quantifying invoice". Co-labeled sunwukong by OpenCTI/MalwareBazaar. High confidence that hippamsascom and sunwukong are the same family under rotating campaign brands.

Interesting Tidbits

  • Export names are purely ML/networking jargon (VacuumDeadlineOrchestration, ResidualBurstConstraint, TTLROC). No legitimate software uses them; they exist solely to confuse analysts and signature engines.
  • The Comments field says "Based on .NET architecture", yet the binary has zero CLR imports and no .NET metadata. Pure social-engineering misdirection.
  • Certificate alternate names include a .global TLD (harveyabernathy.global), unusual for these masquerades which usually stick to .com and .tech.
  • Stripped sibling 630202e6 diverges significantly (standard IAT, no masquerade, no Authenticode, clipboard+screenshot imports), suggesting either a separate payload stage or a stealer fork. This sample returns to the full self-loader pattern.

Deployable Signatures

YARA rule

import "pe"

rule hippamsascom_selfloader_wabi {
    meta:
        description = "hippamsascom / sunwukong self-loading dropper — WaBi / Harvey-Abernathy campaign"
        author = "titus"
        hash = "341165a42115d7aec4fbff23f6ada1273fd55902721a005ac4b88575baa97a4a"
    strings:
        // API hash constants are stored little-endian, hence the reversed byte order
        $pebwalk    = { 65 48 8B 04 25 60 00 00 00 }                // mov rax, gs:[0x60] (PEB walk)
        $hash_ntqip = { FC D5 11 D0 }                               // 0xd011d5fc NtQueryInformationProcess
        $hash_gsi   = { CE A6 F7 97 }                               // 0x97f7a6ce GetSystemInformation
        $hash_va    = { 3B F2 FC 7E }                               // 0x7efcf23b VirtualAlloc
        $company    = "Harvey - Abernathy" ascii wide
        $product    = "quantifying invoice" ascii wide
        $origfile   = "quantifyinginvoice_client.exe" ascii wide
    condition:
        uint16(0) == 0x5A4D and                                     // MZ magic; no separate $mz string needed
        filesize < 700KB and
        pe.number_of_exports > 200 and
        pe.number_of_imports == 0 and
        (2 of ($company, $product, $origfile)) and
        (2 of ($hash_ntqip, $hash_gsi, $hash_va, $pebwalk))
}
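The YARA condition can count exports and imports but cannot express the name-to-RVA collision ratio described under Build / RE (221 names onto 19 RVAs). The following is an added Python triage check, not part of this report's tooling: it parses the export directory and import data directory with `struct` alone and applies the zero-IAT plus export-flood heuristic; `build_sample_pe` is a constructed PE32+ fixture reproducing the 221:19 shape, not the analysed sample.

```python
import struct

def _rva_to_off(sections, rva):
    for va, raw_ptr, raw_size in sections:          # sections: (VirtualAddress, PointerToRawData, SizeOfRawData)
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x outside all sections" % rva)

def export_import_stats(data):
    """Return (export_names, unique_export_rvas, import_dir_size) for a PE32/PE32+ file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)   # data directories
    exp_rva, exp_size, _imp_rva, imp_size = struct.unpack_from("<IIII", data, dd)
    sections = [(va, ptr, sz) for va, sz, ptr in
                (struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec))]
    if exp_size == 0:
        return 0, 0, imp_size
    exp = _rva_to_off(sections, exp_rva)
    n_funcs, n_names, aof, _aon, aono = struct.unpack_from("<IIIII", data, exp + 20)
    funcs = struct.unpack_from("<%dI" % n_funcs, data, _rva_to_off(sections, aof))
    ords = struct.unpack_from("<%dH" % n_names, data, _rva_to_off(sections, aono))
    return n_names, len({funcs[o] for o in ords}), imp_size   # forwarders not special-cased

def looks_like_export_flood_loader(data, min_names=200, min_ratio=5.0):
    """Report heuristic: empty IAT plus 200+ export names collapsing onto few RVAs."""
    n_names, n_unique, imp_size = export_import_stats(data)
    ratio = n_names / n_unique if n_unique else 0.0
    return imp_size == 0 and n_names >= min_names and ratio >= min_ratio

def build_sample_pe(n_names, n_unique, with_imports=False):
    """Constructed PE32+ fixture (not the real sample): n_names names share n_unique RVAs."""
    sec_rva, sec_off = 0x1000, 0x400
    aof, aon, aono = sec_rva + 40, sec_rva + 40 + 4 * n_unique, sec_rva + 40 + 4 * n_unique + 4 * n_names
    name_blob, name_rvas = b"", []
    for i in range(n_names):
        name_rvas.append(aono + 2 * n_names + len(name_blob))
        name_blob += b"Export%03d\0" % i
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n_unique, n_names, aof, aon, aono)
    body += struct.pack("<%dI" % n_unique, *[0x2000 + 0x10 * i for i in range(n_unique)])
    body += struct.pack("<%dI" % n_names, *name_rvas)
    body += struct.pack("<%dH" % n_names, *[i % n_unique for i in range(n_names)]) + name_blob
    imp = (0x3000, 0x28) if with_imports else (0, 0)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<IIII", sec_rva, 40, *imp) + b"\0" * 112
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022) + opt
    hdr += struct.pack("<8sIIII", b".edata", len(body), sec_rva, len(body), sec_off) + b"\0" * 16
    return hdr.ljust(sec_off, b"\0") + body
```

Run `export_import_stats(open(path, "rb").read())` on a real file to get the same three figures the report cites (names, unique RVAs, import directory size); the thresholds are the ones the YARA rule already uses, with the 5:1 collision ratio added.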

Behavioral hunt

Sigma (process creation) — look for the masquerade filename spawning child processes or injecting memory:

title: Hippamsascom WaBi Dropper Execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: "quantifyinginvoice_client.exe"
        - CommandLine|contains: "WaBi.exe"
        - Image|contains: "quantifyinginvoice"
    selection_hashes:
        - sha256: "341165a42115d7aec4fbff23f6ada1273fd55902721a005ac4b88575baa97a4a"
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

IOCs

  • SHA256: 341165a42115d7aec4fbff23f6ada1273fd55902721a005ac4b88575baa97a4a
  • Filename on disk: WaBi.exe
  • OriginalFilename: quantifyinginvoice_client.exe
  • InternalName: quantifyinginvoice.exe
  • ProductName: quantifying invoice
  • CompanyName: Harvey - Abernathy
  • Certificate CN: Harvey - Abernathy
  • Intermediate CA: Harvey - Abernathy Intermediate CA 1
  • Domains in cert SANs: harveyabernathy.com, *.harveyabernathy.com, www.harveyabernathy.com, harveyabernathy-davon.tech, *.harveyabernathy-davon.tech, www.harveyabernathy-davon.tech, ca.harveyabernathy.com, intermediate.harveyabernathy.com, www.harveyabernathy.global

Behavioral fingerprint

A ~600 KB PE32+ x64 GUI executable with an empty import table and 200+ ML-themed exports resolving to fewer than 20 unique addresses. Carries a fabricated Authenticode certificate. On launch it walks the PEB to resolve NtQueryInformationProcess and GetSystemInformation, checks for debuggers via ProcessDebugPort and ProcessBreakOnTermination, decrypts a ~160 KB embedded PE from .data into RWX memory via a custom stream cipher, manually maps the decrypted image (fixing relocations and resolving imports by hash), and transfers execution. No hardcoded network indicators are visible statically; C2 is likely runtime-resolved inside the mapped payload.

References

Provenance

  • Static artifacts: file.txt, exiftool.json, pefile.txt, strings.txt, rabin2-info.txt, binwalk.txt, metadata.json, triage.json
  • Decompilation: radare2 (entry, fcn.14002d9c0, fcn.14002dac0, fcn.14002d590, fcn.14002d650, fcn.14002db80) and pyghidra (entry-14002d370, FUN_14002d9c0, FUN_14002dac0, FUN_14002db80)
  • capa.txt: ERROR — missing capa signatures database ^[capa.txt]
  • floss.txt: ERROR — argument parsing failure ^[floss.txt]
  • dynamic-analysis.md: skipped — no Windows CAPE guest available ^[dynamic-analysis.md]