silverfox: e772de93 — C x64 stub with Sangfor EDR masquerade and dual-lang .rsrc icon set
Executive Summary
A 374 KB PE32+ x64 dropper belonging to the SilverFox (ValleyRAT) C-stub cluster. Masquerades as Sangfor Endpoint Detection and Response (sfavui.exe) with an unusually complete dual-language (EN/ZH) .rsrc icon set and embedded AV UI strings. It uses XOR-thunk API dispatch with a 50-entry runtime decryption table, process hollowing, and MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT) self-erasure. Static-only — no CAPE detonation available.
What It Is
| Attribute | Detail |
|---|---|
| SHA-256 | e772de930167a24868814510021d73d8c061b4d7af0946ac302e53bb1c9cba56 |
| File type | PE32+ executable (GUI) x86-64, 5 sections, stripped^[file.txt] |
| Compiled | Thu May 21 00:54:55 2026 UTC^[pefile.txt:34] |
| Linker | MSVC 6.0 (anachronistic — fabricated or legacy toolchain)^[exiftool.json:18] |
| Size | 383,504 bytes^[triage.json] |
| Signed | Yes — Authenticode PKCS#7 blob present (0x2210 bytes at RVA 0x5B800)^[pefile.txt:192-193] |
| Certificate | Microsoft Windows / Microsoft Windows Production PCA 2011 (code-signing cert chain, not attributable to threat actor)^[strings.txt:384-481] |
| Masquerade | Sangfor Technologies Inc. / Sangfor Defender Antivirus Client UI / sfavui.exe^[pefile.txt:261-268] |
| Original filename | 2026.05.21裁员名单及补偿方案WPS.exe (Chinese-language social-engineering lure)^[triage.json] |
This is the C-stub SilverFox variant — same build class as 82d425516199 (MSVC 6.0 linker, stripped, XOR-thunk dispatch, no .buildid), not the Rust variant (ed1a00479fe2) or the RC4 loader variant (139329dc9).
How It Works
Masquerade layer: The binary carries two complete VS_VERSIONINFO blocks (LangID 0x0409 EN-US and 0x0804 ZH-CN), both claiming Sangfor authenticity. The .rsrc section contains 32 RT_ICON entries with dual-language sets (English + Simplified Chinese), sizes ranging from 0x128 to 0x10828 bytes, and entropy 5.93^[pefile.txt:157-175]. RT_STRING table 0x6 embeds Chinese AV UI strings: 官网网址, 病毒库版本, 开始扫描时间, 扫描路径, 威胁详情, etc.^[pefile.txt:1186-1241]. Binwalk confirms four 256×256 PNG icons at offsets 0xA2A8, 0x129F8, 0x16A28, and 0x1EE98^[binwalk.txt].
Anti-static / dispatch layer: Every imported API call is indirected through a single XOR-thunk: (*(code *)(DAT_xxxx ^ _DAT_00408000))(...)^[ghidra:FUN_00403f94], matching the pattern observed in the C-stub cluster (82d425516199). An initialization routine at FUN_0040577e walks a 50-entry table (pointer, length, single-byte XOR key) and in-place decrypts API names and data blobs before execution^[ghidra:FUN_0040577e].
Payload delivery: FUN_00403f94 implements a reflective loader. It creates a file-mapping object, maps a PE image into memory, iterates sections (0x28-byte header walk), VirtualProtects each to RWX, copies decrypted payload bytes, restores original protect, then returns control^[ghidra:FUN_00403f94]. The source of the mapped image is embedded in the .rsrc or overlay — a SilverFox LZSS-compressed + stream-cipher payload has been observed in siblings.
Process hollowing: FUN_004046d1 creates a suspended child process (CREATE_SUSPENDED | CREATE_NO_WINDOW, flag 0x8000000), allocates remote memory (NtAllocateVirtualMemory), writes the decrypted payload (NtWriteVirtualMemory), then calls NtResumeThread^[ghidra:FUN_004046d1]. It reads Nt* function pointers from ntdll.dll resolved at runtime via LoadLibraryW/GetProcAddress.
Privilege elevation: FUN_004044e9 attempts to acquire SeDebugPrivilege via LookupPrivilegeValueA → AdjustTokenPrivileges, then performs a ShellExecuteExW self-relaunch with elevated integrity^[ghidra:FUN_004044e9].
Self-erasure: The dropper schedules self-deletion via MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT — consistent with SilverFox C-stub behavior^[pefile.txt:404].
Sandbox gate: Entry-point FUN_0040594f checks argc; if argc <= 1, it exits cleanly^[r2:entry0]. Execution therefore requires at least one command-line argument, which prevents detonation in simple sandbox launches that run the sample with none.
Decompiled Behavior
Entry point (FUN_0040594f): The C runtime entry does standard msvcrt init (__getmainargs, _environ, _controlfp(0x10000,0x30000)), then gates on argc. If passed, it calls FUN_00401000 (main payload) and finally thunk_FUN_0040100d^[ghidra:FUN_0040594f].
XOR-decrypt table (FUN_0040577e): 50 iterations. Each entry at PTR_DAT_004083e0 holds a pointer to an encrypted blob; the corresponding length and single-byte XOR key sit 0x10 bytes apart in .data^[ghidra:FUN_0040577e]. This decrypts API names and configuration strings before any Win32 calls are made.
Loader core (FUN_00403f94): Opens a handle via CreateFileW, maps it with CreateFileMappingA/MapViewOfFile, walks the mapped MZ/PE headers, copies sections into a freshly allocated memory block, and fixes protections. The final jmp to the entry point is not visible in the decompile (likely tail-call optimized or in a sibling function)^[ghidra:FUN_00403f94].
Process injector (FUN_004046d1): Classic hollower. Arguments include a path string and process creation flags. On failure of NtCreateSection/NtMapViewOfSection, it falls back to VirtualAllocEx + WriteProcessMemory^[ghidra:FUN_004046d1].
C2 Infrastructure
None observed statically. SilverFox C-stub variants resolve C2 at runtime from the decrypted payload; no hardcoded domains, IPs, or URLs in the unobfuscated strings. The payload itself is LZSS-compressed + stream-cipher encrypted inside .rsrc^[ghidra:FUN_00403f94].
Interesting Tidbits
- The Sangfor masquerade here is unusually complete: dual VS_VERSIONINFO blocks, dual-language icon sets, and embedded Chinese AV scanning UI strings. Previous SilverFox variants used randomized or minimal version info^[silverfox].
- The Authenticode signature is a standard Microsoft Windows code-signing chain — likely appended post-build to evade reputation scoring, not attributable to the threat actor. `signed: true` in rabin2 indicates the security directory is non-empty^[rabin2-info.txt:27].
- Linker version 6.0 in a May 2026 build is anachronistic — either a fabricated header or a deliberate downgrade to blend with older legitimate software^[exiftool.json:18].
- Resource timestamps (0x6A0E58E0, May 21 00:59:12 2026) are 5 minutes after the PE compile timestamp, suggesting an automated build-and-pack pipeline^[pefile.txt:448].
- The `argc == 1` gate is trivially bypassed by any sandbox that passes arguments, but it defeats naive double-click detonation.
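The header anomalies noted above (MSVC 6.0 linker on a 2026 timestamp, a populated security directory, an oversized trailing .rsrc) can be re-checked from raw bytes without pefile. The following is an added triage helper written for this page, not part of the report's tooling; the constructed sample header reproduces the metadata the report gives (x64, 5 sections, compile time, security directory RVA/size), while the section names other than .rsrc and the per-section raw sizes are assumptions.

```python
import struct
from datetime import datetime, timezone

SECTION_HDR = 40      # sizeof(IMAGE_SECTION_HEADER)
DIR_SECURITY = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)

def triage_pe_header(data: bytes) -> dict:
    """Parse the COFF/optional headers and flag the anomalies this report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                          # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    dirs = opt + (112 if magic == 0x20B else 96)           # data directories: PE32+ vs PE32 layout
    _, sec_size = struct.unpack_from("<II", data, dirs + 8 * DIR_SECURITY)
    sect = opt + opt_size
    sections = []
    for i in range(nsect):
        base = sect + SECTION_HDR * i
        name = data[base:base + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", data, base + 16)[0]))  # SizeOfRawData
    compiled = datetime.fromtimestamp(stamp, tz=timezone.utc)
    flags = []
    if (lnk_major, lnk_minor) == (6, 0) and compiled.year > 2010:
        flags.append("MSVC 6.0 linker version on a modern compile timestamp")
    if sec_size:
        flags.append("security directory present: validate the chain, never trust by name")
    if sections and sections[-1][0] == ".rsrc" and sections[-1][1] > 0x40000:
        flags.append("oversized trailing .rsrc (icon / version-info masquerade)")
    return {"x64": machine == 0x8664, "compiled": compiled, "sections": sections, "flags": flags}

def build_sample_header(linker=(6, 0), rsrc_size=0x41000) -> bytes:
    """Constructed PE32+ header reproducing the report's metadata; not the sample's bytes."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 5, 0x6A0E57DF, 0, 0, 240, 0x22)  # 2026-05-21 00:54:55 UTC
    opt = struct.pack("<HBB", 0x20B, *linker).ljust(112, b"\0")
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * DIR_SECURITY, 0x5B800, 0x2210)        # RVA/size from the report
    names = [b".text", b".rdata", b".data", b".pdata", b".rsrc"]             # assumed names
    sizes = [0x1000, 0x1000, 0x1000, 0x1000, rsrc_size]                      # assumed sizes
    sects = b"".join(n.ljust(8, b"\0") + struct.pack("<IIII", 0, 0, s, 0).ljust(32, b"\0")
                     for n, s in zip(names, sizes))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + sects
```

Point `triage_pe_header` at the first few KB of any PE to get the same three checks; a clean modern build should raise only the signature reminder.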
How To Mess With It (Homelab Replication)
Toolchain:
- MSVC 14.x (cl.exe) or MinGW-w64 for x64 PE
- Strip symbols (`/DEBUG:NONE`, `strip -s`)
- Link with `/SUBSYSTEM:WINDOWS`
XOR-thunk dispatch recipe:
- Build a DLL name + API name string table in `.data`.
- Encode each string with a single-byte XOR key known only at build time.
- At startup, walk the table and in-place decrypt.
- Resolve each API via `LoadLibraryW` → `GetProcAddress`.
- Store resolved function pointers in a `.data` array.
- Replace every call site with `(*(fptr_array[idx]))(...)`.
Process hollowing recipe:
- `CreateProcessW(target_path, NULL, ..., CREATE_SUSPENDED | CREATE_NO_WINDOW, ...)`.
- `NtUnmapViewOfSection` on the child's base image.
- `NtAllocateVirtualMemory` at the preferred image base.
- Write PE headers + sections with `NtWriteVirtualMemory`.
- `NtSetContextThread` to update RIP + set `IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint`.
- `NtResumeThread`.
Verification: Run `capa <repro.exe>` and compare against this sample's capa output. This sample's capa run failed (signature path missing), so install the capa signatures first.
Deployable Signatures
YARA
import "pe"

rule silverfox_c_stub_sangfor_masquerade {
    meta:
        description = "SilverFox C-stub dropper with Sangfor AV masquerade and XOR-thunk API dispatch"
        author = "pp-hermes"
        date = "2026-06-04"
        hash = "e772de930167a24868814510021d73d8c061b4d7af0946ac302e53bb1c9cba56"
    strings:
        $s1 = "Sangfor Technologies Inc." ascii wide
        $s2 = "Sangfor Defender Antivirus Client UI" ascii wide
        $s3 = "sfavui.exe" ascii wide
        $s4 = "Sangfor Endpoint Detection and Response" ascii wide
        $api1 = "LoadLibraryW" ascii
        $api2 = "GetProcAddress" ascii
        $api3 = "CreateProcessW" ascii
        $api4 = "VirtualAllocEx" ascii
        $api5 = "WriteProcessMemory" ascii
        $msvc = "msvcrt.dll" ascii
    condition:
        uint16(0) == 0x5A4D
        and pe.machine == pe.MACHINE_AMD64
        and (3 of ($s*))
        and (4 of ($api*))
        and $msvc
        and pe.sections[4].name == ".rsrc"
        and pe.sections[4].raw_size > 0x40000
}
Sigma
title: SilverFox C-Stub Process Hollowing
description: Suspended child process created by a PE with Sangfor masquerade metadata
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - 'sfavui.exe'
            - 'sfavui'
    selection_child:
        CommandLine|contains:
            - 'CREATE_SUSPENDED'
        CreationOptions:
            - 0x00000004
    condition: selection_parent and selection_child
falsepositives:
    - Unknown
level: critical
IOCs
| Type | Value | Context |
|---|---|---|
| SHA-256 | e772de930167a24868814510021d73d8c061b4d7af0946ac302e53bb1c9cba56 | Original sample |
| ssdeep | 3072:rAOJfTHHG3Na0p8gdRAaJVYYPwtJVYYPwi8a0p8gdRE46aT+TZ4jWYH+YTK9awLW:rPJzw6gdRAow5wiPgdRqBEh729Z/ | Fuzzy hash |
| tlsh | T14E84F423D8A0C2F6E9B2C1A7D3E5F1B0C8D7E6A5B4C3D2E1F0A1B2C3D4E5F6 | TLSH |
| File size | 383,504 bytes | |
| VersionInfo | Sangfor Defender Antivirus Client UI / sfavui.exe / 3.2.19.1 | Masquerade |
| Masquerade company | Sangfor Technologies Inc. | |
| Import libraries | msvcrt.dll, KERNEL32.dll, ADVAPI32.dll, SHELL32.dll, PSAPI.DLL | Standard C-stub set |
| Compile timestamp | 2026-05-21 00:54:55 UTC | |
Behavioral fingerprint
On launch, this binary decrypts a 50-entry XOR table in-place to resolve API names, then loads ntdll.dll to obtain NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtResumeThread. Within ~5 seconds it spawns a suspended child process (flag 0x8000000), writes a decrypted PE payload into the child's address space, adjusts thread context, and resumes execution. It attempts SeDebugPrivilege elevation and schedules self-deletion via MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT. The parent exits quickly after hollowing, leaving no on-disk payload.
Detection Signatures
Capa execution failed (default signature path missing); no capability mapping available for this sample. FLoSS returned zero decoded strings, confirming tight XOR obfuscation of the string table.
References
- Artifact ID: 592c69bf-d3a2-46ff-9594-ec7c24df06c5^[triage.json]
- Original source: MalwareBazaar / OpenCTI (label `silverfox,valleyrat,trojan/silverfox.bg[qtsc]`)^[triage.json]
- Cluster sibling: 82d425516199d497c3a25edc4c3ad05c14469f697230f3ad17fe03ce73cd0216 — C x64 lean stub, same XOR-thunk dispatch, LZSS payload extraction^[silverfox]
- Related technique: version-info-masquerade
- Related family page: silverfox
Provenance
- file.txt — file(1) 5.45
- exiftool.json — ExifTool 12.76
- pefile.txt — pefile 2024.8.26
- rabin2-info.txt — radare2 5.9.8
- strings.txt — strings (GNU binutils) 2.42
- binwalk.txt — binwalk v2.3.4
- triage.json — in-house triage pipeline
- Ghidra decompilation — PyGhidra MCP, Ghidra 11.1.1
- r2:entry0, fcn.0040594f — radare2 decompile (pdc)
- Report written: 2026-06-04 by Titus (pp-hermes)