Family: hippamsascom. Confidence: high. Created: 2026-06-15.
SHA-256: 8eddf076bf8b47cfd10dc5fbbd05588bc9bd7d05739671f6bc32a2d717e88e2e

hippamsascom: 8eddf076 — Matchpool.exe — "redundant alarm" masquerade, Hane Group fabricated cert

Build / RE

Toolchain: MSVC 14.44 (Visual Studio 2022), C, x64 Release ^[rabin2-info.txt]. LinkerVersion=14.44, compiled 2026-04-29 ^[exiftool.json]. PE32+ GUI, 7 sections, ImageBase 0x140000000 ^[pefile.txt].

Import Table: Zero IAT. IMAGE_DIRECTORY_ENTRY_IMPORT VA=0, Size=0 ^[pefile.txt:223]. No static imports; all Win32 APIs resolved at runtime via PEB-walking export hash lookup ^[r2:fcn.14002a870], ^[r2:fcn.14002a930].

Exports: Semantic-jargon obfuscation — hundreds of export names (App.exe_AllocCalculateSocket, App.exe_BufferProcessor, App.exe_ArchiveReader, etc.) mapping to only ~21 unique RVAs ^[r2:list_exports]. Same saturation pattern as sibling 0c9e772d and sunwukong.

Anti-Analysis / Evasion:

  • Export-obfuscation saturation (T1027) ^[r2:list_exports].
  • Parent-process / sandbox gate at entry ^[r2:entry0]: control passes from entry0 into fcn.14002aca0, which checks the parent process name against two hardcoded hash constants (0x5a / 0x59) before permitting payload decryption ^[r2:fcn.14002aca0]. Same gate pattern as 0c9e772d.
  • Payload encrypted in .data section (entropy 7.97, 0xFCE00 bytes) ^[pefile.txt:123-139] ^[binwalk.txt]. Decrypted at runtime via custom stream cipher (fcn.140029890 — 1024-byte/256-byte/128-byte state buffers with multi-round substitution and XOR, static XOR byte 0x95) into RWX memory, then manually mapped as a PE ^[r2:fcn.14002add0], ^[r2:fcn.14002ae90], ^[r2:fcn.14002b3b0].
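The three static markers cited above (empty import directory, export-name saturation, high-entropy .data) can be checked without pefile or radare2. The following is an added example, not part of the report or its tooling: a stdlib-only triage function run against a constructed PE32+ fixture; the saturation/entropy thresholds and the fixture's export names are assumptions chosen for illustration.

```python
import math
import struct
from collections import Counter

def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _entropy(blob):
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in Counter(blob).values())

def triage_pe(data):
    """Stdlib-only check for the static loader markers this report relies on."""
    pe = _u32(data, 0x3C)                                   # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # DataDirectory[]
    exp_rva, _, imp_rva, imp_size = struct.unpack_from("<IIII", data, dd)         # export, import
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    def off(rva):                                           # RVA -> file offset via section table
        for _, vsz, va, rsz, ptr in secs:
            if va <= rva < va + max(vsz, rsz):
                return rva - va + ptr
        raise ValueError("RVA %#x outside all sections" % rva)
    names = uniq = 0
    if exp_rva:                                             # walk name -> ordinal -> function RVA
        e = off(exp_rva)
        n_names, fn_tbl, ord_tbl = _u32(data, e + 24), _u32(data, e + 28), _u32(data, e + 36)
        rvas = {_u32(data, off(fn_tbl) + 4 * struct.unpack_from("<H", data, off(ord_tbl) + 2 * i)[0])
                for i in range(n_names)}
        names, uniq = n_names, len(rvas)
    ent = {n.rstrip(b"\0").decode(): _entropy(data[p:p + rsz]) for n, _, _, rsz, p in secs}
    return {"zero_iat": imp_rva == 0 and imp_size == 0,     # no static IAT at all
            "export_names": names, "unique_export_rvas": uniq,
            "export_saturated": names >= 100 and uniq * 5 <= names,  # assumed threshold
            "section_entropy": ent, "packed_data": ent.get(".data", 0.0) > 7.5}

def build_synthetic_pe(n_names, n_rvas):
    # Constructed fixture, not a real sample: PE32+, no import directory,
    # n_names export names resolving to only n_rvas distinct RVAs.
    sec = bytearray(40)                                     # IMAGE_EXPORT_DIRECTORY, patched below
    fn, sec = len(sec), sec + b"".join(struct.pack("<I", 0x2000 + 16 * k) for k in range(n_rvas))
    nt, sec = len(sec), sec + bytes(4 * n_names)
    ot, sec = len(sec), sec + b"".join(struct.pack("<H", i % n_rvas) for i in range(n_names))
    for i in range(n_names):
        struct.pack_into("<I", sec, nt + 4 * i, 0x1000 + len(sec))
        sec += b"App.exe_Export%03d\0" % i                   # assumed name style
    struct.pack_into("<IIIII", sec, 20, n_rvas, n_names, 0x1000 + fn, 0x1000 + nt, 0x1000 + ot)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(110) + struct.pack("<II", 0x1000, 40) + bytes(120)
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(sec), 0x1000, len(sec), 0x200, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + coff + opt + sect).ljust(0x200, b"\0") + sec)
```

On a real file, `triage_pe(open(path, "rb").read())` reports the same markers; a hit on zero_iat plus export_saturated is a strong cluster indicator but should be confirmed by the resolver and decryptor functions, not used alone.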

Signing: Authenticode PKCS#7 with fabricated intermediate CA. Certificate alt-names include hanegroup.digital, *.hanegroup.digital, hanegroup-lesly.digital, hanegroup-russel.group, hanegroup-lamont.group, and synthetic employee emails (Emmalee_Prohaska29@gmail.com, Juston.Corwin@hotmail.com, Jewell_Stark@yahoo.com) ^[strings.txt:10078-10149]. Cross-signed by DigiCert Trusted Root G4 ^[strings.txt]. Same fraudulent playbook as 0c9e772d (Emard LLC) and fa16b64a (Erdman Group) but with a fresh synthetic identity.

Embedded Resources: PNG icon 256×256 in .rsrc, XML manifest, plus Authenticode security directory (0x16B600, 0x2710 bytes) ^[binwalk.txt].

Notable Functions:

  • fcn.14002add0: Main payload decryptor orchestrator. Allocates RWX buffer (0xF4800 bytes), copies encrypted payload from .data (rip+0x42db = 0x14002f120), calls fcn.140029890 (stream cipher), then calls fcn.14002ae90 (PE mapper/loader) ^[r2:fcn.14002add0].
  • fcn.140029890: Custom stream-cipher decryptor. Initializes 1024-byte, 256-byte, and 128-byte state buffers, performs multi-round byte substitution using .rdata lookup tables and XOR/add/ROL operations. Key schedule includes static XOR byte 0x95 ^[r2:fcn.140029890].
  • fcn.14002ae90: In-memory PE mapper / loader. Validates decrypted MZ header (0x5a4d), resolves VirtualAlloc, memcpy, VirtualProtect via PEB hash lookup, maps sections, fixes relocations, resolves imports from the decrypted PE, and transfers execution ^[r2:fcn.14002ae90]. Self-loader pattern identical to 0c9e772d.
  • fcn.14002a870: PEB-walking helper. Traverses InMemoryOrderModuleList from TEB/PEB ^[r2:fcn.14002a870].
  • fcn.14002a930: Hash-based export resolver. Takes module base + 32-bit hash constant (e.g. 0x1bc2c88a, 0x5337dd3c, 0xfd08d565) and returns API pointer ^[r2:fcn.14002a930].
  • fcn.140028294: Anti-debug / timing gate. Checks global state dword; if unset, loops 5 iterations calling a timing/tick function ^[r2:fcn.140028294].

Code Quality: No stack canary, no CFG, no PDB path. Stripped but retains IMAGE_DEBUG_TYPE_POGO debug directory entry ^[pefile.txt]. Release build, not debug.

Deploy / ATT&CK

No CAPE detonation available (no Windows guest) ^[dynamic-analysis.md]. All behavioural claims are static inference.

Technique | ID | Evidence
--- | --- | ---
Masquerading | T1036.002 | Version info claims "redundant alarm Enterprise Protector" by Hane Group, OriginalFilename redundantalarm_9821.exe ^[exiftool.json]
Obfuscated Files or Information | T1027 | Semantic export obfuscation (hundreds of names → ~21 unique RVAs) ^[r2:list_exports]
Software Packing | T1027.002 | Custom stream-cipher payload decryption into RWX memory + manual PE mapping ^[r2:fcn.14002add0], ^[r2:fcn.140029890]
Native API | T1106 | PEB-walking hash resolver for all Win32 APIs ^[r2:fcn.14002a870], ^[r2:fcn.14002a930]
Code Signing | T1553.002 | Fabricated Hane Group intermediate CA with DigiCert cross-sign ^[strings.txt], ^[binwalk.txt]
Evade Detection | T1497 | Parent-process hash gate at entry ^[r2:fcn.14002aca0]
Process Injection (inferred) | T1055 | Self-loader maps decrypted PE into RWX memory and transfers execution ^[r2:fcn.14002ae90]

C2 / Network: No hardcoded IPs, domains, or URL paths in static strings. C2 infrastructure is presumed runtime-resolved inside the encrypted payload. The loader resolves ShellExecuteA/W and SHGetSpecialFolderPathW via PEB walk (import resolution loop in fcn.14002ae90), suggesting the decrypted payload may use standard Windows file/execution APIs for staging.

Persistence (inferred): Unknown without dynamic execution. Typical cluster behaviour suggests %APPDATA% or Startup folder staging, but this is speculative.

Attribution / Clustering:

  • Label hippamsas-com from OpenCTI/MalwareBazaar, co-tagged sunwukong ^[triage.json].
  • Confirmed same build cluster as sunwukong and 0c9e772d: MSVC x64, zero IAT, PEB-walking hash resolution, semantic export obfuscation, Authenticode fraud with fabricated intermediate CA + DigiCert cross-sign, version-info masquerade, encrypted .data payload, custom stream cipher, self-loading PE mapper.
  • Diverges in masquerade identity (this sample = "Hane Group" / "redundant alarm"; 0c9e772d = "Emard LLC" / "JBOD monitor"; fa16b64a = "Erdman Group" / "1080p protocol") and certificate alt-name pattern.
  • Confidence: high that all three represent the same loader/dropper family rotating synthetic corporate identities per campaign.