type: analysis | family: hippamsascom | confidence: high | created: 2026-06-15 | updated: 2026-06-15 | tags: malware-family, loader, pe, compiler, obfuscation, evasion, signing, anti-debug, defense-evasion
SHA-256: c20bbb8043a930c2a02111ca8753d179ab1a2ce124ea3c58977906372055b1b5

hippamsascom: c20bbb80 — Olson Group "AI feed" masquerade, 502-export semantic obfuscation, self-loading dropper

Executive Summary

Fourth confirmed sibling in the hippamsascom / sunwukong MSVC x64 self-loading dropper cluster. Masquerades as "AI feed Enterprise Manager" by Olson Group (secondary block claims "Purdy - Green B.V." / "AI feed - Dutch Version"). Signed with a fabricated intermediate CA bearing SANs across .group and .io domains. Contains a record-setting 502 semantic export names mapping to only 19 unique RVAs. The .data section (entropy 7.97) holds a custom stream-cipher encrypted PE decrypted at runtime via PEB-resolved APIs and manually mapped into RWX memory. No CAPE detonation available — static inference only.

What It Is

  • SHA-256: c20bbb8043a930c2a02111ca8753d179ab1a2ce124ea3c58977906372055b1b5 ^[file.txt]
  • Size: 1,481,272 bytes (≈ 1.4 MB) ^[rabin2-info.txt]
  • Type: PE32+ executable (GUI) x86-64, 7 sections ^[file.txt]
  • Linker: MSVC 14.44 (VS 2022), compiled Mon 2026-05-04 ^[rabin2-info.txt], ^[exiftool.json]
  • Subsystem: Windows GUI; ASLR + NX compatible, large-address aware ^[pefile.txt:70-77]
  • Filename on disk: Chain.exe (MalwareBazaar) ^[metadata.json]
  • Family: hippamsascom (confirmed sibling) ^[metadata.json]
  • OpenCTI co-labels: hippamsas-com, sunwukong, signed ^[triage.json]
  • CAPE status: skipped — no Windows guest available ^[dynamic-analysis.md]

How It Works

1. Version-Info Masquerade

Two StringFileInfo blocks embedded in VS_VERSIONINFO:

  • Primary: CompanyName: "Olson Group", FileDescription: "AI feed Enterprise Manager", OriginalFileName: "AIfeed_client.exe", ProductName: "AI feed" ^[exiftool.json:36-43], ^[pefile.txt:306+]
  • Secondary: CompanyName: "Purdy - Green B.V.", FileDescription: "AI feed - Dutch Version", ProductName: "AI feed" ^[pefile.txt:321+]

The secondary block targets Dutch-speaking victims or adds apparent localization legitimacy. Both share version 2.6.1519.829 — same build-id pattern as the Emard/Littel siblings.

2. Export-Table Semantic Obfuscation

502 named exports, 19 unique target RVAs. The top reused targets:

| RVA | Reuse count | Sample export names |
|---|---|---|
| 0x2AB60 | 177 | AcceptSchedulerAsync, ArchiveProvider, BaseCorrectString, BufferProvider, etc. |
| 0x2AB80 | 64 | AcquireRecord, AdjustScopePrivate, AudioModifyStream, BaseResumeHandler, etc. |
| 0x2ABB0 | 38 | AlgorithmManager, AcquireProcessorSync, CompressEnableStrategy, etc. |
| 0x2AB70 | 31 | AcquireProcessorSync, AnalyzeOptionPublic, ArchiveHandle, ControllerAccepter, etc. |
| 0x2ABA0 | 30 | AdjustDecompressor, BaseResumeHandler, etc. |

^[pefile.txt:340+], ^[ghidra:export-table]

The five targets sit 16 bytes apart (0x2AB60 through 0x2ABB0), consistent with tiny stub functions rather than real implementations.

Names follow machine-generated developer-jargon pattern (<Verb><Noun><Suffix>: CheckerCompressComponent, CredentialValidate, MemoryDecryptUnpacker, etc.), consistent with the cluster’s template.

3. Empty IAT + PEB-Walking API Resolution

IMAGE_DIRECTORY_ENTRY_IMPORT VA = 0, Size = 0. No static IAT. ^[pefile.txt:226-228]

Runtime resolution via PEB module-list traversal:

  • FUN_14002ae40: walks gs:[0x60] (PEB) → Ldr.InMemoryOrderModuleList, returns module base ^[ghidra:FUN_14002ae40]
  • FUN_14002af00: parses PE export directory of a loaded module, hashes each export name (DJB2-like), compares against hardcoded constants to resolve API addresses ^[ghidra:FUN_14002af00]

Hash constants observed in FUN_14002b460:

| Hash constant | Likely target API |
|---|---|
| 0x1bc2c88a | VirtualAlloc |
| 0x5337dd3c | VirtualProtect |
| 0xfd08d565 | memcpy / RtlCopyMemory |
| 0x36cbaa12 | NtUnmapViewOfSection |
| 0xcabbc000 | RtlExitUserThread or ExitProcess |

^[ghidra:FUN_14002b460], ^[r2:fcn.14002b460]

The API column is an inference and has not been confirmed by re-hashing; run the recovered hash routine over the kernel32 and ntdll export lists before using these constants as indicators.

String pool in .rdata contains kernel32.dll, shell32.dll, gdi32.dll, user32.dll, comctl32.dll, ole32.dll, GetProcAddress, LoadLibraryA, LoadLibraryW, ShellExecuteA, ShellExecuteW ^[strings.txt:10125+]
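As an added example (not code from the sample, and not the report's own tooling), the Python below reproduces on a constructed fixture the two mechanisms described in sections 2 and 3: it builds a minimal mapped PE64 image with an export directory, walks that directory the way a PEB-based resolver does (module base, e_lfanew, DataDirectory[0], names, ordinals, function RVAs), resolves an API by hash the way FUN_14002af00 is described to, computes the names-to-unique-RVA reuse that makes the export flood detectable, and tries the constants from the table above against candidate API names. Assumptions: the hash is plain DJB2 (the report says only "DJB2-like"), the image bytes are constructed here rather than taken from the sample, and the candidate API list is the "likely target" column of the table.

```python
import struct

def djb2(name: bytes) -> int:
    """Classic DJB2 (h = h*33 + c) kept to 32 bits. Assumed variant; the sample's may differ."""
    h = 5381
    for c in name:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

def build_image(exports: dict) -> bytes:
    """Constructed fixture: a mapped PE64 image (RVA == offset) with headers and an export directory."""
    names = list(exports)
    n = len(names)
    exp = 0x200                     # IMAGE_EXPORT_DIRECTORY
    funcs = exp + 40                # AddressOfFunctions
    name_ptrs = funcs + 4 * n       # AddressOfNames
    ords = name_ptrs + 4 * n        # AddressOfNameOrdinals
    cursor = ords + 2 * n           # NUL-terminated name strings
    img = bytearray(cursor + sum(len(x) + 1 for x in names))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: AMD64, no sections, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                 # PE32+ magic
    struct.pack_into("<IIHHIIIIIII", img, exp, 0, 0, 0, 0, 0, 1, n, n, funcs, name_ptrs, ords)
    for i, name in enumerate(names):
        struct.pack_into("<I", img, funcs + 4 * i, exports[name])
        struct.pack_into("<I", img, name_ptrs + 4 * i, cursor)
        struct.pack_into("<H", img, ords + 2 * i, i)
        raw = name.encode() + b"\0"
        img[cursor:cursor + len(raw)] = raw
        cursor += len(raw)
    struct.pack_into("<II", img, opt + 112, exp, cursor - exp)  # DataDirectory[EXPORT]
    return bytes(img)

def parse_exports(image: bytes) -> dict:
    """Walk the export directory as a PEB-based resolver does: base -> e_lfanew -> DataDirectory[0]."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)              # PE32+ vs PE32 layout
    exp_rva = struct.unpack_from("<I", image, dd)[0]
    if exp_rva == 0:
        return {}
    _, n_names, funcs, names, ords = struct.unpack_from("<IIIII", image, exp_rva + 20)
    out = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode()
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
        out[name] = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
    return out

def resolve_by_hash(image: bytes, target: int, hash_fn=djb2):
    """The sample's resolver in miniature: RVA of the export whose name hashes to target, else None."""
    for name, rva in parse_exports(image).items():
        if hash_fn(name.encode()) == target:
            return rva
    return None

def rva_reuse(exports: dict) -> tuple:
    """(number of export names, number of distinct target RVAs)."""
    return len(exports), len(set(exports.values()))

def is_export_flood(exports: dict, min_names=400, max_unique=20) -> bool:
    """Static heuristic matching the IOC '>400 names, <20 unique RVAs'."""
    names, unique = rva_reuse(exports)
    return names > min_names and unique < max_unique

def match_hash_constants(constants, candidates, hash_fns=(djb2,)) -> dict:
    """Hash candidate API names with each routine; returns {constant: (api, routine name)}."""
    found = {}
    for fn in hash_fns:
        table = {fn(c.encode()): c for c in candidates}
        for k in constants:
            if k in table and k not in found:
                found[k] = (table[k], fn.__name__)
    return found

# Constants from the report's table and its suggested targets (inference, not confirmed).
REPORT_CONSTANTS = [0x1bc2c88a, 0x5337dd3c, 0xfd08d565, 0x36cbaa12, 0xcabbc000]
CANDIDATE_APIS = ["VirtualAlloc", "VirtualProtect", "RtlCopyMemory", "memcpy",
                  "NtUnmapViewOfSection", "RtlExitUserThread", "ExitProcess"]

def flood_fixture(n_names=502, n_targets=19) -> dict:
    """Constructed fixture with the sample's shape: 502 names mapped onto 19 RVAs."""
    return {"Export%03d" % i: 0x2AB60 + 0x10 * (i % n_targets) for i in range(n_names)}
```

`rva_reuse(parse_exports(build_image(flood_fixture())))` returns (502, 19), the shape the IOC table describes. If `match_hash_constants(REPORT_CONSTANTS, CANDIDATE_APIS)` comes back empty, the sample's routine is not plain DJB2; lift the routine from FUN_14002af00 and pass it as `hash_fns=(lifted,)` rather than guessing further variants. On a real module `parse_exports` runs over the mapped image read from memory (RVA-relative), not over the file on disk, where section offsets differ from RVAs.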

4. Custom Stream-Cipher Payload Decryption

Encrypted payload resides in .data (size 0xFCE8C raw, entropy 7.977) ^[pefile.txt:122-139].

Decryption routine FUN_140029e60 (called by FUN_14002b3a0):

  1. Allocates three 1 KB working buffers via resolved API.
  2. Derives keystream from a seed/key block at [rip + 0xd2f] via XOR-sum with positional offsets and a final 0x95 byte.
  3. Decrypts the payload into an RWX buffer (VirtualAlloc, size 0xF4800, protection PAGE_EXECUTE_READWRITE / 0x40).
  4. Copies decrypted data with resolved memcpy (FUN_14002adf0). ^[ghidra:FUN_140029e60], ^[r2:fcn.140029e60]

The decryption uses a multi-pass XOR with offsets r14, r14+r11-1, and a final 0x95 constant — same algorithm as sibling 9a3c18be.

5. In-Memory PE Manual Mapping

FUN_14002b460 performs standard manual-mapping of the decrypted PE:

  1. Checks MZ header.
  2. Resolves VirtualAlloc, VirtualProtect, memcpy, NtUnmapViewOfSection via hash lookups.
  3. Allocates RWX memory for the mapped image.
  4. Copies headers and sections.
  5. Applies base relocations to the payload for the freshly allocated base (the host's own .reloc section is not what is processed here; the relocations belong to the payload).
  6. Walks the payload's import table. It is expected to be empty, since cluster payloads resolve APIs themselves, but this is unverified until the payload is decrypted.
  7. Calls the entry point of the mapped payload. ^[ghidra:FUN_14002b460], ^[r2:fcn.14002b460]
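Step 5 is the part of manual mapping that most often goes wrong when a mapped payload is dumped and re-based, so as an added example (not the sample's code) the Python below applies an IMAGE_BASE_RELOCATION table to a mapped image with a chosen delta, handling the ABSOLUTE padding entry, HIGHLOW (32-bit) and DIR64 (64-bit) fixups, and refusing malformed blocks. The image and relocation block are constructed fixtures; the same function fixes up a dumped payload whose preferred ImageBase differs from the address it was mapped at.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute pointer
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute pointer

def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int, delta: int) -> int:
    """Walk IMAGE_BASE_RELOCATION blocks and add delta (= new_base - ImageBase) to each
    pointer. Returns the number of fixups applied."""
    applied = 0
    pos, end = reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:   # malformed block: stop, do not loop
            break
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", image, pos + 8 + 2 * i)[0]
            rtype, target = entry >> 12, page_rva + (entry & 0xFFF)
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_DIR64:
                val = struct.unpack_from("<Q", image, target)[0]
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            elif rtype == IMAGE_REL_BASED_HIGHLOW:
                val = struct.unpack_from("<I", image, target)[0]
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            else:
                raise ValueError("unsupported relocation type %d at RVA %#x" % (rtype, target))
            applied += 1
        pos += block_size
    return applied

def build_reloc_block(page_rva: int, entries: list) -> bytes:
    """Constructed fixture: one IMAGE_BASE_RELOCATION block from (type, offset-in-page)
    pairs, padded with an ABSOLUTE entry to keep the block 4-byte aligned."""
    words = [(t << 12) | off for t, off in entries]
    if len(words) % 2:
        words.append(0)
    return struct.pack("<II", page_rva, 8 + 2 * len(words)) + b"".join(struct.pack("<H", w) for w in words)

def demo_image(image_base=0x140000000, new_base=0x1A0000000) -> tuple:
    """Constructed fixture: a 3-page image with a 64-bit pointer at RVA 0x1010 and a 32-bit
    pointer at RVA 0x1020, plus a reloc block at RVA 0x2000 covering both. Returns
    (fixups applied, relocated 64-bit value, relocated 32-bit value)."""
    img = bytearray(0x3000)
    struct.pack_into("<Q", img, 0x1010, image_base + 0x1234)   # pointer into the image itself
    struct.pack_into("<I", img, 0x1020, 0x00400000)             # toy 32-bit pointer
    block = build_reloc_block(0x1000, [(IMAGE_REL_BASED_DIR64, 0x10), (IMAGE_REL_BASED_HIGHLOW, 0x20)])
    img[0x2000:0x2000 + len(block)] = block
    n = apply_relocations(img, 0x2000, len(block), new_base - image_base)
    return n, struct.unpack_from("<Q", img, 0x1010)[0], struct.unpack_from("<I", img, 0x1020)[0]
```

With delta 0x60000000, `demo_image()` returns (2, 0x1A0001234, 0x60400000). When re-basing a dumped payload, read reloc_rva and reloc_size from DataDirectory[5] of the dumped headers and pass delta as the difference between the dump address and the header's ImageBase; a payload whose relocation directory is empty and whose DLL characteristics lack DYNAMIC_BASE can only run at its preferred base.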

6. Sandbox / Parent-Process Gate

FUN_14002b270 iterates the loaded modules via FUN_14002ae40 and compares each module-name hash against two hardcoded values (0x5a, 0x59). If neither matches it returns 0 and the entry point continues to the decryption path; if either matches it returns failure and the dropper exits. Behaviourally this is a loaded-module denylist (execution aborts when a specific module is present in the process) rather than a check on the parent process, although the sibling reports for 0c9e772d and 9a3c18be label the same hash-compare construct the parent-process gate. Two single-byte constants are an unusual width for a 32-bit name hash; confirm the compare width and the hash routine in the disassembly before relying on them as an indicator. ^[ghidra:FUN_14002b270], ^[r2:fcn.14002b270]

7. Anti-Debug via TLS Callback Array

Four entries in the TLS callback array at 0x140125600, invoked before main(). The first callback (FUN_14000109e) and its satellite functions (FUN_1400010a9, FUN_1400010c9, FUN_1400010ee) perform environment checks. This matches the multi-callback anti-debug gate in the 8eddf076 sibling. ^[ghidra:TLS-callback-array], ^[r2:fcn.14000109e]

8. Authenticode Signing

Authenticode PKCS#7 at offset 0x167408 (size 0x2638). Certificates discovered by binwalk:

  • Leaf: Olson - Schmeler LLC / CN = Olson Group Intermediate CA 1 (the strings dump does not separate subject from issuer; treat the CN assignment as tentative)
  • SANs: olsongroup.group, *.olsongroup.group, www.olsongroup.group, olsongroup-blaise.io, *.olsongroup-blaise.io, www.olsongroup-blaise.io ^[strings.txt:10385-10390], ^[binwalk.txt]
  • Intermediate: fabricated Olson Group Intermediate CA 1 (self-issued appearance)
  • DigiCert Assured ID Root CA and DigiCert Trusted Root G4 names are also present in the blob ^[strings.txt:10357-10421]
  • Timestamping: DigiCert Trusted G4 TimeStamping RSA4096 SHA256 2025 CA1 ^[strings.txt:10418-10432]

The DigiCert names do not imply a cross-signed signing chain: an RFC 3161 timestamp countersignature carries its own certificate chain inside the same PKCS#7 blob, so they most plausibly belong to the timestamp chain. A self-issued intermediate cannot chain to a trusted root in any case; confirm with signtool verify /pa /v Chain.exe or osslsigncode verify Chain.exe, both of which print the signing chain and the timestamp chain separately. The fabricated CA uses a ca@olsongroup.group email in both Subject and Issuer, which strongly indicates attacker generation rather than a leaked legitimate certificate.

Decompiled Behavior

Entry point (0x14002abd0) decompiled by Ghidra:

undefined8 entry(void) {
  bool bVar1;
  undefined8 uVar2;
  undefined7 extraout_var;

  FUN_140028864();          // TLS callback / anti-debug init
  uVar2 = FUN_14002b270();  // parent-process / sandbox gate
  if ((int)uVar2 == 0) {
    FUN_140028864();
    bVar1 = FUN_14002bad0();  // secondary check (likely debugger/time)
    if ((int)CONCAT71(extraout_var,bVar1) == 0) {
      FUN_140028864();
      FUN_140028864();
      FUN_140028864();
      FUN_14002b3a0();          // decrypt + map payload
      return 0;
    }
  }
  FUN_140028864();
  return 0xffffffff;
}

^[ghidra:entry]

The back-to-back FUN_140028864() calls (three immediately before FUN_14002b3a0, five in total on the successful path) are time-wasting / entropy-gathering steps identical to the Littel LLC sibling.

C2 Infrastructure

No hardcoded C2 IPs, domains, or URLs were found in static strings or decompiled code. C2 is expected to be resolved dynamically by the decrypted payload (the pattern seen in cluster siblings). ShellExecuteA / ShellExecuteW appear in the host's string pool, but no call site was found in the host itself; they are presumably consumed by the mapped payload. ^[strings.txt:10211-10218]

Embedded resource table contains a 256x256 PNG icon (likely used for desktop shortcut masquerade) and standard version resources. No network-specific resources observed. ^[binwalk.txt]

Interesting Tidbits

  • Export inflation record: 502 exports is the highest count observed in this cluster so far (previous peak: 330 in 9a3c18be). The reuse ratio is stable at ~26:1. ^[pefile.txt:340+]
  • Dual VS_VERSIONINFO: The Purdy - Green B.V. block is the first observed dual-masquerade within a single binary in this cluster — possibly A/B testing localization, or a leftover from a build pipeline reusing the same resource script. ^[pefile.txt:321+]
  • Icon presence: Unlike loaders that strip .rsrc entirely (Lumma stealer builds, for example), this binary retains a 256x256 PNG icon in .rsrc, reinforcing the social-engineering masquerade. ^[binwalk.txt]
  • Compiler timestamp: 2026-05-04 — only three weeks before the triage date (2026-05-26), indicating active development. ^[exiftool.json]
  • capa / floss failures: capa signatures were missing from the venv (ERROR: Using default signature path, but it doesn't exist); floss received invalid arguments. Toolchain hygiene issue, not binary evasion. ^[capa.txt], ^[floss.txt]

How To Mess With It (Homelab Replication)

Goal: reproduce the static fingerprint (high export count, empty IAT, semantic export names, custom cipher payload) on a research VM.

  1. Toolchain: MSVC 2022 (v143), x64 Release, /GS- (no stack canary), /DYNAMICBASE (ASLR), /NXCOMPAT.
  2. Structure:
    • Write a minimal C host binary with zero IAT entries (no CRT, custom entry point via /ENTRY).
    • Embed the secondary PE in .data as a blob, encrypted with a simple XOR loop plus positional offset.
    • Implement PEB-walking module resolution (gs:[0x60] → Ldr.InMemoryOrderModuleList) and export-name hashing (DJB2 variant).
  3. Export obfuscation: Use a Python script to generate 500+ faux export names (<Verb><Noun><Suffix>) and alias them onto ~20 stub functions (each returns a constant or NOPs). The simplest route is a linker module-definition file (EXPORTS name=internalname aliases, passed with /DEF); editing the export directory after linking with a custom tool or PE-bear is the alternative (editbin cannot add exports).
  4. Build the PKCS#7: Generate a self-signed leaf + intermediate CA with OpenSSL, cross-signing not required for the replica (just the certificate table presence), and embed via signtool or direct append to SECURITY directory.
  5. Verification: Run capa repro.exe; it should hit obfuscated files or information, dynamic API resolution, code signing, and packed executable if your cipher is recognized. Compare export count with python -c "import pefile; print(len(pefile.PE('repro.exe').DIRECTORY_ENTRY_EXPORT.symbols))".
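As an added example for the build side of this replica (not the sample's code; the word lists, stub names and cipher are constructed here), the Python below generates the faux export names for step 3, writes the linker .def whose ExportName=StubN aliases give many names but few RVAs, encrypts a stand-in blob for step 2 with a toy XOR-plus-position keystream (an assumed replica design, not the sample's cipher, whose keystream derivation the report does not fully recover), emits the blob as a C array for the host's .data section, and measures the blob's entropy so you can check whether the replica reproduces the 7.97 entropy signal.

```python
import math
from itertools import product

VERBS = ["Accept", "Acquire", "Adjust", "Analyze", "Archive", "Base", "Buffer", "Compress"]
NOUNS = ["Scheduler", "Record", "Scope", "Option", "Provider", "Handler", "Stream", "Processor"]
TAILS = ["Async", "Sync", "Private", "Public", "Handle", "Manager", "Strategy", "Component"]

def gen_export_names(count: int) -> list:
    """Faux <Verb><Noun><Suffix> names; the 8x8x8 constructed word lists give up to 512 unique names."""
    names = ["".join(p) for p in product(VERBS, NOUNS, TAILS)]
    if count > len(names):
        raise ValueError("only %d unique names available" % len(names))
    return names[:count]

def make_def(names, n_stubs: int, library: str = "repro") -> str:
    """Module-definition text for link.exe /DEF: 'ExportName=Stub<k>' aliases map many
    names onto n_stubs internal functions, so the export table has few unique RVAs."""
    lines = ["LIBRARY %s" % library, "EXPORTS"]
    lines += ["    %s=Stub%d" % (name, i % n_stubs) for i, name in enumerate(names)]
    return "\n".join(lines) + "\n"

def def_stub_targets(def_text: str) -> set:
    """Distinct internal names referenced by the .def's alias lines (sanity check)."""
    return {line.split("=", 1)[1].strip() for line in def_text.splitlines() if "=" in line}

def xor_positional(data: bytes, key: bytes, final: int = 0x95) -> bytes:
    """Toy keystream: key byte XOR position XOR a trailing constant. Symmetric, so the
    same call decrypts. Assumed replica design, not the sample's cipher."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] ^ (i & 0xFF) ^ final for i, b in enumerate(data))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; the sample's .data scores 7.977, so compare the replica's blob."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def to_c_array(blob: bytes, symbol: str = "g_payload") -> str:
    """Emit the encrypted blob as a C array for the host's .data section."""
    body = ",".join("0x%02x" % b for b in blob)
    return "const unsigned char %s[%d] = {%s};\n" % (symbol, len(blob), body)

if __name__ == "__main__":
    # Constructed stand-in for the secondary PE: low-entropy filler, not a real payload.
    payload = b"MZ" + b"A" * 1024 + b"payload" * 100
    blob = xor_positional(payload, b"homelab-key")
    open("repro.def", "w").write(make_def(gen_export_names(502), 19))
    open("payload_blob.h", "w").write(to_c_array(blob))
    print("blob entropy %.3f" % shannon_entropy(blob))
```

Pass the generated file to the linker with /DEF:repro.def; Stub0 through Stub18 must exist as functions in the host source. A short repeating XOR key leaves the plaintext's structure visible and the blob's entropy well below the sample's 7.97, so if the goal is to trip the same entropy and packer heuristics, drive the keystream from a PRNG seeded by a key block or compress the payload before encrypting it.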

Deployable Signatures

YARA

import "pe"

rule Hippamsascom_SelfLoader_OlsonGroup
{
    meta:
        description = "hippamsascom / sunwukong cluster: Olson Group masquerade, empty IAT, semantic export flood"
        author = "pp-hermes"
        date = "2026-06-15"
        sha256 = "c20bbb8043a930c2a02111ca8753d179ab1a2ce124ea3c58977906372055b1b5"
    strings:
        // VS_VERSIONINFO values are UTF-16, hence wide
        $s1 = "Olson Group" wide
        $s2 = "AI feed Enterprise Manager" wide
        $s3 = "AIfeed_client.exe" wide
        $s4 = "Purdy - Green B.V." wide
        $s5 = "AI feed - Dutch Version" wide
        // certificate subject / SAN values inside the Authenticode blob are ASCII
        $s6 = "olsongroup.group" ascii
        $s7 = "olsongroup-blaise.io" ascii
        $s8 = "Olson Group Intermediate CA 1" ascii
        $s9 = "www.olsongroup.group" ascii
        // API names sit in the .rdata string pool; there is no IAT to reference them
        $api1 = "kernel32.dll" ascii
        $api2 = "GetProcAddress" ascii
        $api3 = "LoadLibraryA" ascii
        $api4 = "ShellExecuteA" ascii
    condition:
        uint16(0) == 0x5A4D and
        pe.machine == pe.MACHINE_AMD64 and
        pe.number_of_exports > 400 and
        pe.number_of_imports == 0 and
        3 of ($s*) and
        2 of ($api*)
}

Sigma Rule

title: Hippamsascom Self-Loader Execution
status: experimental
description: Process creation carrying the version-info masquerade of the hippamsascom / sunwukong Olson Group self-loading dropper
author: pp-hermes
date: 2026-06-15
tags:
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # the sample was distributed as Chain.exe; OriginalFileName comes from the PE version info, not the on-disk name
        - Image|endswith: '\AIfeed_client.exe'
        - OriginalFileName: 'AIfeed_client.exe'
        - Description|contains: 'AI feed Enterprise Manager'
        - Company|contains: 'Olson Group'
        - Company|contains: 'Purdy - Green B.V.'
    condition: selection
falsepositives:
    - Unknown (legitimate Olson Group software is not known to exist)
level: high

IOC List

| Type | Value | Source |
|---|---|---|
| SHA-256 | c20bbb8043a930c2a02111ca8753d179ab1a2ce124ea3c58977906372055b1b5 | metadata.json |
| Filename | Chain.exe | metadata.json |
| Masquerade | AIfeed_client.exe / AI feed Enterprise Manager | exiftool.json |
| Certificate CN | Olson - Schmeler LLC | strings.txt |
| Fake CA | Olson Group Intermediate CA 1 | strings.txt |
| SAN domains | olsongroup.group, olsongroup-blaise.io | strings.txt |
| Export pattern | >400 semantic export names with <20 unique RVAs | pefile.txt |
| Loaded-module hash gate | Hardcoded 0x5a / 0x59 in module-name hash compare | r2:fcn.14002b270 |
| Decrypt constant | Final XOR byte 0x95 in stream cipher | r2:fcn.140029e60 |

Behavioral Fingerprint

This binary is a Windows x64 PE with zero import table entries, resolving all Win32 APIs at runtime via PEB module-list traversal and export-name hashing. On launch it reads the PEB at gs:[0x60], walks the loaded modules, hashes module names against constants 0x5a and 0x59, and aborts if either matches (a loaded-module denylist). It then allocates ~1 MB of RWX memory, decrypts a secondary PE from its .data section using a custom keystream (XOR with positional offsets and a final byte 0x95), manually maps the decrypted image, and transfers execution. The export table contains 400+ semantically plausible developer-jargon names mapping to fewer than 20 unique stubs, an anti-analysis fingerprint of this cluster.

ATT&CK Mapping

| Technique | ID | Static evidence |
|---|---|---|
| Masquerading: Match Legitimate Name or Location | T1036.005 | VS_VERSIONINFO claims Olson Group / Purdy - Green B.V. ^[exiftool.json] |
| Obfuscated Files or Information | T1027 | 502 semantic export names → 19 unique RVAs ^[pefile.txt] |
| Software Packing | T1027.002 | Custom stream cipher + in-memory manual PE mapping ^[r2:fcn.14002b3a0] |
| Dynamic API Resolution | T1027.007 | PEB-walking hash resolver in .text ^[r2:fcn.14002ae40] |
| Native API | T1106 | NtUnmapViewOfSection resolved by hash in the mapper ^[ghidra:FUN_14002b460] |
| Subvert Trust Controls: Code Signing | T1553.002 | Fabricated Olson Group intermediate CA ^[strings.txt:10370+] |
| Virtualization/Sandbox Evasion | T1497 | Hash-based loaded-module gate at entry ^[r2:fcn.14002b270] |
| Debugger Evasion | T1622 | Four-entry TLS callback array running environment checks ^[ghidra:TLS-callback-array] |

Provenance

Analysis generated from artifacts collected during triage-fast on pp-hermes. Static tools: file, exiftool, pefile.py (export/table enumeration), rabin2 (r2 binary info), strings, binwalk (embedded objects), radare2 (pdc decompilation, level-2 analysis), pyghidra (decompilation confirmed). capa and floss failed due to missing signatures and CLI argument error respectively — not evasion. CAPE detonation skipped (no Windows guest). Report written 2026-06-15.