type: analysis | family: nfedigitalcom | confidence: medium | tags: pe, delphi, banker, c2, certificate, persistence, mitre-attck
SHA-256: ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c

nfedigitalcom: ffdd7105 — "TikTok" masquerade, Delphi VCL EXE with QR-code banking logic

Executive Summary

A 4.76 MB Embarcadero Delphi PE32 EXE that masquerades as TikTok (ByteDance 1.0.3.46). It was compiled 2018-06-26 and shares the nf-edigital-com OpenCTI label with sibling DLL 4eb1fbf2. Unlike the DLL variant, this EXE links System.Net.HttpClient plus Indy SSL wrappers, a DelphiZXingQRCode class, and heavy GDI+/VCL bloat. No CAPE detonation was available (no Windows guest), so every observation below is static-only; capability claims are inferred from imports and strings, not from observed behaviour.

What It Is

Field | Evidence
SHA-256 | ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c ^[metadata.json]
File | PE32 executable (GUI) Intel 80386, 11 sections ^[file.txt]
Compiled | 2018-06-26 19:54:24 UTC ^[exiftool.json]
Linker | version 10.17 per exiftool, which labels it MSVC; the Delphi identification rests on the RTL/VCL strings, not on this field (sibling DLL reports 2.25) ^[exiftool.json] ^[pefile.txt]
Size | 4 765 696 bytes ^[metadata.json]
Version info | CompanyName ByteDance, FileDescription TikTok, FileVersion 1.0.3.46 ^[exiftool.json]
Exports | __dbk_fcall_wrapper, dbkFCallWrapperAddr ^[pefile.txt:417]
Signing | Unsigned ^[rabin2-info.txt]
Family label | nf-edigital-com (OpenCTI), banker ^[triage.json]

The .rsrc section contains 64×64 PNG icons styled as TikTok branding ^[binwalk.txt]. The actual binary is pure Delphi — extensive System.SysUtils, System.Classes, Vcl.Forms, Vcl.StdCtrls, Vcl.ComCtrls, Vcl.Dialogs, Vcl.Menus strings throughout ^[strings.txt:1068, 5194, 13277, 13527, 14571].

Build / RE

Toolchain. Embarcadero Delphi, confirmed by the System.SysUtils and Vcl.* unit names, the generics collection types, and the TApplication, TForm, TButton, TEdit, TPanel, TTimer, TLabel, TMemo, TComboBox, TListBox, TListView class names ^[strings.txt:5194–15128]. exiftool reports linker version 10.17 rather than the "Linker 2.25" seen in the DLL sibling; this may reflect a different Delphi version or build configuration, and the field is attacker-settable in any case.

Packing / obfuscation. None. rabin2 reports overlay: false, and .text entropy is 6.45 (consistent with statically-linked VCL code, not a compressed payload) ^[rabin2-info.txt] ^[pefile.txt:92]. No UPX, no custom packer. Neither IsDebuggerPresent nor CheckRemoteDebuggerPresent appears in the IAT, so no anti-debug is evident statically; a runtime-resolved check cannot be excluded without detonation.

Anti-analysis. Minimal. No VM-detection strings, no anti-disassembly, no encrypted sections. The export table retains the debugger wrapper __dbk_fcall_wrapper, which the Delphi linker emits for Debug-configuration builds ^[pefile.txt:417]. That is the default project configuration, not a deliberate anti-analysis measure; it inflates the binary (roughly 100 KB) and is a useful build-hygiene tell for the family.

Embedded resources. .rsrc holds three 64×64 PNG icons (TikTok-themed) and version-info block ^[binwalk.txt] ^[pefile.txt:278–296]. No RCData payload, no manifest resources, no embedded PE.

Notable classes. DelphiZXingQRCode appears 25+ times ^[strings.txt:25636–25738]. This is a third-party, encoder-only Delphi port of the ZXing QR-code writer. Combined with the Brazilian NFe (Nota Fiscal Eletrônica) banking context of the family, the likely use is generating QR codes for PIX or boleto payments, either redirecting a payment or displaying a fake payment prompt. Note that the library only renders a payload string into a QR matrix; the payload itself (and therefore the receiving key) is built by application code that static strings do not reveal.

Network stack. Two distinct HTTP/HTTPS paths present:

  1. System.Net.HttpClient / System.Net.HttpClient.Win / TWinHTTPClient / TWinHTTPRequest / TWinHTTPResponse → wraps native winhttp.dll (loaded at runtime, not in IAT) ^[strings.txt:23395–23642]
  2. TIdSSLContext / TIdSSLSocket / Indy OpenSSL (ssl_connect, ssl_read, ssl_write, ssl_shutdown) → second C2 path via Indy TCP/TLS ^[strings.txt:29031–29600]

Certificate / crypto. No crypt32.dll imports in the IAT (same pattern as the sibling DLL). The TWinHTTPClient.PCERT_CONTEXT reference ^[strings.txt:23434] comes from the stock System.Net.HttpClient.Win unit, which keeps a PCERT_CONTEXT list for client-certificate selection; it is present in any Delphi program that links THTTPClient and is therefore weak evidence of certificate harvesting on its own. If the family does touch certificate stores, the imported LoadLibraryA/GetProcAddress pair would be the route to CertOpenSystemStoreW or PFXExportCertStoreEx; no such call site was identified statically.

Imports summary. The IAT is dominated by user32 (170+ GUI APIs), kernel32 (100+), ole32/oleaut32 (COM/OLE), advapi32 (registry), shell32 (folder paths), version (version info), msvcrt (CRT), winmm (time), SHFolder, comctl32, gdi32. No wininet, no ws2_32, no nspr4, no crypt32 in the static import table ^[pefile.txt:420–1000].

Deploy / ATT&CK

All observations below are static-only; dynamic-analysis.md reports "skipped — no CAPE machine currently available" ^[dynamic-analysis.md]. There is no runtime confirmation of C2, persistence, or payload delivery.

TTP | Technique | Evidence | Confidence
Certificate theft | T1552.004 (Private Keys) | System.Net.HttpClient.Win.PCERT_CONTEXT list type ^[strings.txt:23434], a stock RTL type that is weak evidence alone; family context from sibling DLL 4eb1fbf2 ^[entities/nfedigitalcom.md] | Medium (inferred)
C2 beaconing | T1071.001 | TWinHTTPClient + TWinHTTPRequest + TIdSSLContext + TIdSSLSocket ^[strings.txt:23395, 23401, 29558, 29584] | Medium (inferred)
Registry persistence | T1547.001 | System.Win.Registry / TRegistry ^[strings.txt:10261, 10368]; RegCreateKeyExW, RegSetValueExW imported ^[pefile.txt:745–756] | Low (capability present, no key observed)
Process injection capability | T1055 | OpenProcess, VirtualAlloc, WriteProcessMemory (kernel32 imported) ^[pefile.txt:848, 884] | Low (APIs present, no call graph)
Data staging | T1074 | TMemoryStream ^[strings.txt:5194, 5205], a common Delphi pattern for buffering harvested data before upload | Low
File and directory discovery | T1083 | FindFirstFileW, FindNextFileW ^[pefile.txt:802, 823] | Low (generic)
QR-code generation | (no ATT&CK ID) | DelphiZXingQRCode ^[strings.txt:25636–25738] | High (static)
Version info masquerade | T1036.005 | "ByteDance / TikTok" version block ^[exiftool.json] | High (static)

Attribution. Brazilian banking malware targeting NFe digital certificates, per the family label and the sibling analysis. The nf-edigital-com label is shared with sibling DLL 4eb1fbf2 (May 2026 build). This EXE's 2018-06-26 timestamp makes it substantially older: either an earlier build of the same tooling or an older binary re-labelled under the same infrastructure. PE timestamps are attacker-controlled, so treat the date as a hint rather than a fact.

Decompiled Behavior

No Ghidra / radare2 decompilation completed; radare2 via MCP timed out on analysis (4.76 MB Delphi VCL). The entry point 0x3D48C4 lands in .text, which hosts 4 MB of statically-linked VCL plus application code. Manual symbol reconstruction from strings shows the standard Delphi Application.Run / TForm event loop (OnCreate, OnShow, OnClick, OnClose handler names present) ^[strings.txt:6108, 14044, 12326, 14062]. Malicious logic is most likely staged inside a TForm.OnCreate or TTimer.OnTimer event handler rather than at the entry point or the export stub, so analysis should start from the form's published method table, not from the entry point. This matches the pattern documented in delphi-vcl-certificate-harvesting.
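The "manual symbol reconstruction from strings" above can be automated. Delphi writes RTTI names (VMT class names, published methods such as event handlers, unit-qualified type names) as ShortStrings: one length byte followed by exactly that many bytes of text and no terminator, so a scan for <len><identifier of len bytes> recovers class and handler names without a decompiler. The script below is an added example for this report, not part of the analysis pipeline; the byte string it scans is constructed to look like VMT fragments and is not taken from ffdd7105.

```python
"""Recover Delphi identifiers (class names, event handlers, unit names) from raw bytes.

Added example: Delphi RTTI names are ShortStrings (length byte + text), so a
length-prefixed identifier scan over .text/.data yields TForm1, Button1Click,
FormCreate and friends even when decompilation times out.
"""
from __future__ import annotations

import re
from collections import Counter

# identifier, optionally unit-qualified (System.JSON.TJSONObject) or generic (TList<T>)
IDENT = re.compile(rb"[A-Za-z_][A-Za-z0-9_]*(?:[.<>,][A-Za-z0-9_]+)*>?")
EVENT_SUFFIXES = ("Click", "Create", "Show", "Close", "Timer", "Change", "Activate", "Destroy", "KeyPress")


def find_shortstrings(data: bytes, min_len: int = 4, max_len: int = 120) -> list[tuple[int, str]]:
    """Return (offset, name) for every length-prefixed identifier in data, in file order."""
    found: list[tuple[int, str]] = []
    i, n = 0, len(data)
    while i < n - 1:
        length = data[i]
        if min_len <= length <= max_len and i + 1 + length <= n:
            chunk = data[i + 1:i + 1 + length]
            if IDENT.fullmatch(chunk):
                found.append((i, chunk.decode("ascii")))
                i += 1 + length  # skip the body so its bytes are not re-read as length prefixes
                continue
        i += 1
    return found


def classify(names: list[str]) -> dict[str, object]:
    """Split recovered names into class candidates, event handlers and unit-qualified names."""
    classes = sorted({n for n in names if len(n) > 1 and n[0] == "T" and n[1].isupper() and "." not in n})
    handlers = sorted({n for n in names if n.endswith(EVENT_SUFFIXES) and n[0] != "T"})
    units = sorted({n for n in names if "." in n and "<" not in n})
    return {"classes": classes, "handlers": handlers, "units": units, "counts": Counter(names)}


def recover(data: bytes) -> dict[str, object]:
    """End-to-end: bytes in, grouped identifiers and occurrence counts out."""
    return classify([name for _, name in find_shortstrings(data)])


# Constructed VMT-like fragment (length byte, name, unrelated filler); not bytes from the sample.
SAMPLE_BYTES = (
    b"\x00\x00\x07TButton\x10\x00\x06TForm1\x00\x0cButton1Click\x00\x00"
    b"\x0aFormCreate\x01\x11DelphiZXingQRCode\xff\x0aFormCreate"
    b"\x19System.Net.HttpClient.Win\x04ab!c\x03abc"
)

if __name__ == "__main__":
    # On a real sample: recover(open("X36527c2.exe", "rb").read())
    result = recover(SAMPLE_BYTES)
    for group in ("classes", "handlers", "units"):
        print(f"{group}: {result[group]}")
    print("top names:", result["counts"].most_common(5))
```

Run it over the whole file rather than a section dump: the form's published method table and the VMT class names live in .text, while .rdata/.data hold the unit names. Expect noise at short lengths, which is why the default minimum length is 4; the counts dictionary makes the heavily repeated names (DelphiZXingQRCode, the System.JSON types) stand out from coincidental matches.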

C2 Infrastructure

No hardcoded URLs, IPs, domains, or mutex names recovered from strings. C2 is likely runtime-decrypted or pulled from a remote source (consistent with TWinHTTPClient + System.JSON pairing). The System.JSON class names appear ~40 times ^[strings.txt:19841–20280], suggesting JSON-encoded C2 messages or config.

Interesting Tidbits

  • QR-codes for PIX: DelphiZXingQRCode is a third-party QR generator. In Brazilian banking malware, QR codes are used for PIX instant-payment redirection — the victim scans a code that sends money to the attacker's wallet instead of the legitimate recipient.
  • Dual TLS stack: both WinHTTP (System.Net.HttpClient.Win, Microsoft native) and Indy SSL (TIdSSL*, an OpenSSL wrapper) are linked. That gives a fallback if one stack is blocked or monitored, with one caveat: Indy's OpenSSL handler loads libeay32.dll/ssleay32.dll by name at runtime, so the Indy path only works if those DLLs ship with the sample or are already on the host. Worth checking the strings for those DLL names.
  • Debug exports in production: __dbk_fcall_wrapper retained. Amateur-hour build hygiene or deliberate artifact from a builder tool.
  • No Crypt32 in IAT: same as the sibling DLL. If certificate APIs are used they must be resolved at runtime through the imported LoadLibraryA/GetProcAddress pair. This is inferred from the absence of a static import, not from an observed call site, and the Delphi RTL itself uses LoadLibrary/GetProcAddress for optional APIs, so the absence alone does not prove evasion.
  • PNG branding is credible: The .rsrc icons are 64×64 RGBA, styled like TikTok. Social-engineering delivery vector likely "download TikTok update" or similar lure.
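The "QR-codes for PIX" point above is easier to act on with a decoder. PIX QR codes carry an EMVCo merchant-presented payload: ID(2) LEN(2) VALUE records, the receiving PIX key inside ID 26 (sub-ID 01), and a CRC-16/CCITT-FALSE in ID 63 computed over everything up to and including "6304". A redirected payment therefore shows up as a valid payload with an unexpected key, while a key patched in place without recomputing the CRC fails validation. The decoder below is an added example for this report, not code from the sample or from DelphiZXingQRCode (which only renders a string into a QR matrix); the key, merchant and city values are constructed placeholders.

```python
"""Decode and validate a PIX 'BR Code' QR payload (EMV merchant-presented TLV format).

Added example: parses the TLV layout, extracts the receiving key and checks the
CRC-16 trailer, which is what an analyst wants for a payload pulled from a
sandbox screenshot or memory dump. Test values are constructed, not real.
"""
from __future__ import annotations

PIX_GUI = "br.gov.bcb.pix"


def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def parse_tlv(s: str) -> dict[str, str]:
    """Split an EMV MPM string into {id: value}; nested IDs (26, 62) are parsed by calling again."""
    out: dict[str, str] = {}
    i = 0
    while i + 4 <= len(s):
        tag, length = s[i:i + 2], int(s[i + 2:i + 4])
        out[tag] = s[i + 4:i + 4 + length]
        i += 4 + length
    return out


def build_tlv(fields: list[tuple[str, str]]) -> str:
    return "".join(f"{tag}{len(value):02d}{value}" for tag, value in fields)


def verify_crc(payload: str) -> bool:
    """ID 63 must be last; its value is the CRC of everything before it, '6304' header included."""
    if payload[-8:-4] != "6304":
        return False
    return crc16_ccitt_false(payload[:-4].encode("utf-8")) == int(payload[-4:], 16)


def decode_pix(payload: str) -> dict[str, object]:
    top = parse_tlv(payload)
    account = parse_tlv(top.get("26", ""))   # merchant account information
    extra = parse_tlv(top.get("62", ""))     # additional data (txid lives in sub-ID 05)
    return {
        "is_pix": account.get("00", "").lower() == PIX_GUI,
        "pix_key": account.get("01"),
        "amount": top.get("54"),             # absent for open-amount codes
        "merchant": top.get("59"),
        "city": top.get("60"),
        "txid": extra.get("05"),
        "crc_ok": verify_crc(payload),
    }


def build_pix(key: str, merchant: str, city: str, amount: str | None = None, txid: str = "***") -> str:
    """Static PIX payload as banks emit it; used here to produce test vectors with a correct CRC."""
    fields = [("00", "01"), ("26", build_tlv([("00", PIX_GUI), ("01", key)])),
              ("52", "0000"), ("53", "986")]
    if amount is not None:
        fields.append(("54", amount))
    fields += [("58", "BR"), ("59", merchant), ("60", city), ("62", build_tlv([("05", txid)]))]
    body = build_tlv(fields) + "6304"
    return body + f"{crc16_ccitt_false(body.encode('utf-8')):04X}"


def redirect_check(observed: str, expected_key: str) -> str:
    """Compare the key in an observed payload against the recipient the victim intended to pay."""
    d = decode_pix(observed)
    if not d["is_pix"] or not d["crc_ok"]:
        return "not a valid PIX payload"
    return "key matches expected recipient" if d["pix_key"] == expected_key else f"REDIRECTED to {d['pix_key']}"


if __name__ == "__main__":
    legit = build_pix("12345678901", "LOJA EXEMPLO", "SAO PAULO", "10.00", "TX001")  # constructed
    print(decode_pix(legit))
    print(redirect_check(build_pix("12345678902", "LOJA EXEMPLO", "SAO PAULO", "10.00", "TX001"), "12345678901"))
```

The practical use: decode any QR string recovered from a detonation (zbarimg on a screenshot works) and diff the pix_key against the merchant the lure claims to be paying. A generator that rebuilds the whole payload, as a banker would, produces a valid CRC with the attacker's key, so CRC validity is not a trust signal; only the key is.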

How To Mess With It (Homelab Replication)

Goal: Build a Delphi EXE with comparable IAT + VCL bloat + HTTPClient + QR-code class, then verify capa hits.

  1. Install Delphi Community Edition or RAD Studio 10.4+.
  2. New VCL Forms Application. Drop a TButton, TEdit, TPanel, TTimer.
  3. Uses clause: Add System.Net.HttpClient, System.Net.HttpClient.Win, System.JSON, System.Win.Registry, Winapi.Windows.
  4. Add QR library: Install ZXing.Delphi or DelphiZXingQRCode package from GitHub.
  5. Code snippet:
    procedure TForm1.Button1Click(Sender: TObject);
    var
      Client: THTTPClient;
      Reg: TRegistry;
      Resp: IHTTPResponse;
    begin
      Client := THTTPClient.Create;   // links System.Net.HttpClient(.Win): TWinHTTPClient, PCERT_CONTEXT list
      Reg := TRegistry.Create;        // links System.Win.Registry and the advapi32 registry APIs
      try
        Reg.RootKey := HKEY_CURRENT_USER;
        Reg.OpenKeyReadOnly('Software');               // read-only: the lab build writes no key
        Resp := Client.Get('https://example.invalid/'); // placeholder URL; fails offline but still links the stack
        Edit1.Text := Resp.StatusText;
      finally
        Reg.Free;
        Client.Free;
      end;
      // QR generation: add a DelphiZXingQRCode instance here once the package from step 4 is installed
    end;
    
  6. Compile with default (Debug) configuration to retain __dbk_fcall_wrapper.
  7. Verification: Run file your.exe — should show PE32 executable (GUI) Intel 80386 and Linker 10.x. Compare strings to this sample; should match System.* and Vcl.* patterns.
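Step 7 compares file and strings output by eye. The script below turns the Build / RE observations (which DLLs are and are not in the IAT, the retained Delphi debug exports, the .text entropy, the unsigned ByteDance version block) into one repeatable check that runs on the lab replica or on a new sample. It is an added example for this report, not part of the analysis pipeline. The pefile loader is optional and only imported when a real file is given; the PeSummary constant is built by hand from the values pefile.txt and exiftool.json report for ffdd7105 and is not a parsed binary. The 7.2-bit packing threshold is an assumption.

```python
"""Static import/export fingerprint check for the nfedigitalcom Delphi builds.

Added example: encodes the report's Build / RE findings as a function over a
plain PeSummary so the same test applies to a homelab replica and to new
samples. The pefile loader is optional; SAMPLE_FFDD7105 is hand-constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

EXPECT_ABSENT = {"crypt32.dll", "wininet.dll", "ws2_32.dll", "nspr4.dll"}
EXPECT_PRESENT = {"kernel32.dll", "user32.dll", "advapi32.dll", "oleaut32.dll"}
DELPHI_DEBUG_EXPORTS = {"__dbk_fcall_wrapper", "dbkFCallWrapperAddr"}
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}
RUNTIME_RESOLVE = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}
INJECTION = {"OpenProcess", "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread"}
PACKED_ENTROPY = 7.2  # assumed threshold; statically linked VCL code sits well below it


@dataclass
class PeSummary:
    imports: dict[str, set[str]]       # dll name (lower case) -> imported API names
    exports: set[str]
    section_entropy: dict[str, float]  # ".text" -> Shannon entropy in bits
    version: dict[str, str]            # StringFileInfo keys such as CompanyName
    signed: bool                       # Authenticode directory present


@dataclass
class Verdict:
    hits: list[str] = field(default_factory=list)   # fingerprint features that matched
    notes: list[str] = field(default_factory=list)  # context a human should still read


def fingerprint(s: PeSummary) -> Verdict:
    v = Verdict()
    dlls = {d.lower() for d in s.imports}
    apis = set().union(*s.imports.values()) if s.imports else set()

    if EXPECT_PRESENT <= dlls and not (EXPECT_ABSENT & dlls):
        v.hits.append("iat: GUI/registry DLLs only, no crypt32/wininet/ws2_32 statically imported")
    if DELPHI_DEBUG_EXPORTS & s.exports:
        v.hits.append("exports: Delphi debugger wrappers retained (Debug build configuration)")
    ent = s.section_entropy.get(".text")
    if ent is not None and ent < PACKED_ENTROPY:
        v.hits.append(f"entropy: .text {ent:.2f} bits, unpacked native code")
    elif ent is not None:
        v.notes.append(f"entropy: .text {ent:.2f} bits, possible packing; re-check before trusting strings")
    company = s.version.get("CompanyName", "")
    if company and not s.signed:
        v.hits.append(f"version: claims CompanyName={company!r} but carries no Authenticode signature")

    if RUNTIME_RESOLVE & apis:
        v.notes.append("LoadLibrary/GetProcAddress present: runtime API resolution is possible, "
                       "but the Delphi RTL imports these anyway, so this alone proves nothing")
    v.notes.append("anti-debug APIs in IAT: " + (", ".join(sorted(ANTI_DEBUG & apis)) or "none"))
    inj = INJECTION & apis
    if inj:
        v.notes.append("injection-capable APIs imported (capability only, no call graph): " + ", ".join(sorted(inj)))
    return v


def load_with_pefile(path: str) -> PeSummary:
    """Build a PeSummary from a real file. Needs the pefile package; not used by the constructed data."""
    import pefile  # imported here so fingerprint() runs without it
    pe = pefile.PE(path)
    imports: dict[str, set[str]] = {}
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        imports[entry.dll.decode("latin-1").lower()] = {i.name.decode("latin-1") for i in entry.imports if i.name}
    exp = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    exports = {sym.name.decode("latin-1") for sym in (exp.symbols if exp else []) if sym.name}
    entropy = {sec.Name.rstrip(b"\0").decode("latin-1"): sec.get_entropy() for sec in pe.sections}
    version: dict[str, str] = {}
    for info_list in getattr(pe, "FileInfo", []):
        for info in info_list:
            if getattr(info, "Key", b"") == b"StringFileInfo":
                for table in info.StringTable:
                    for k, val in table.entries.items():
                        version[k.decode("latin-1")] = val.decode("latin-1")
    sec_dir = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]]
    return PeSummary(imports, exports, entropy, version, signed=sec_dir.Size > 0)


# Constructed from what pefile.txt / exiftool.json report for ffdd7105; not a parsed binary.
SAMPLE_FFDD7105 = PeSummary(
    imports={
        "kernel32.dll": {"LoadLibraryA", "GetProcAddress", "OpenProcess", "VirtualAlloc",
                         "WriteProcessMemory", "FindFirstFileW", "FindNextFileW"},
        "user32.dll": {"CreateWindowExW", "MessageBoxW"},
        "advapi32.dll": {"RegCreateKeyExW", "RegSetValueExW"},
        "oleaut32.dll": {"SysAllocString"}, "ole32.dll": {"CoInitialize"},
        "gdi32.dll": {"CreateFontW"}, "comctl32.dll": {"InitCommonControls"},
    },
    exports={"__dbk_fcall_wrapper", "dbkFCallWrapperAddr"},
    section_entropy={".text": 6.45},
    version={"CompanyName": "ByteDance", "FileDescription": "TikTok", "FileVersion": "1.0.3.46"},
    signed=False,
)

if __name__ == "__main__":
    verdict = fingerprint(SAMPLE_FFDD7105)   # or fingerprint(load_with_pefile("your.exe"))
    print(f"{len(verdict.hits)}/4 fingerprint features matched")
    for line in verdict.hits + verdict.notes:
        print(" -", line)
```

For the homelab build, expect the exports and IAT features to match once the project is compiled in the Debug configuration with the uses clause from step 3; the version feature only matches if you also copy the ByteDance/TikTok version block, and the entropy feature holds for any unpacked Delphi build.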

Deployable Signatures

YARA

import "pe"

rule nfedigitalcom_delphi_exe {
    meta:
        description = "nfedigitalcom Delphi EXE — TikTok masquerade, QR-code class, dual TLS"
        author = "PacketPursuit SOC"
        date = "2026-06-06"
        hash = "ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c"
        family = "nfedigitalcom"
    strings:
        // masquerade strings from the version block
        $a = "TikTok" wide ascii
        $b = "ByteDance" wide ascii
        // class / unit names that distinguish this build
        $c = "DelphiZXingQRCode" ascii
        $d = "System.Net.HttpClient.Win" ascii
        $e = "TWinHTTPClient" ascii
        $f = "TIdSSLContext" ascii
        $g = "__dbk_fcall_wrapper" ascii
        // generic Delphi RTL strings: present in most Delphi binaries, only count in combination
        $h = "System.Win.Registry" ascii
        $i = "TMemoryStream" ascii
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_sections >= 10 and
        pe.exports("__dbk_fcall_wrapper") and
        5 of them
}

Sigma (process creation)

title: nfedigitalcom Delphi EXE Execution
status: experimental
description: Detects execution of the nfedigitalcom Delphi EXE by its observed on-disk name or by the ByteDance/TikTok version-info masquerade
logsource:
    product: windows
    category: process_creation
detection:
    selection_name:
        Image|endswith: '\X36527c2.exe'
    selection_meta:
        Description: 'TikTok'
        Company: 'ByteDance'
    condition: selection_name or selection_meta
falsepositives:
    - Legitimate TikTok desktop builds carry the same Company and Description; process creation events do not record signature status, so confirm the image is unsigned (this sample is) before escalating
level: medium

IOC List

Type | Value | Context
SHA-256 | ffdd7105679e62d8d5c7f22907d5ffe1ffbbe9b6374d957a1c3639f112f7778c | Sample hash
SHA-1 | 5e9713100b7128623cc02d2dde37005657a251df | Section .bss
MD5 | c820b78eeab62ba200061b0339a5ade3 | Section .bss
File name | X36527c2.exe | On-disk filename
Export | __dbk_fcall_wrapper | Delphi debugger wrapper
Export | dbkFCallWrapperAddr | Delphi debugger wrapper
Version | 1.0.3.46 | FileVersion
Company | ByteDance | VersionInfo masquerade
Product | TikTok | VersionInfo masquerade

Behavioral Fingerprint

This binary is a large (4.7 MB) PE32 GUI executable compiled by Embarcadero Delphi, retaining debug exports (__dbk_fcall_wrapper). It masquerades as TikTok via version-info fields and .rsrc PNG icons. Static strings confirm a dual HTTP/HTTPS communication stack (WinHTTP via System.Net.HttpClient and Indy SSL via TIdSSLContext), JSON message parsing (System.JSON), registry access (System.Win.Registry), and QR-code generation (DelphiZXingQRCode). No hardcoded C2 URLs are visible in static strings; C2 routing is likely runtime-resolved. No crypt32.dll APIs appear in the IAT — certificate APIs are resolved dynamically, consistent with harvesting Brazilian NFe digital certificates.

Detection Signatures

No capa output available for this sample (capa tool failed — signature path missing, see capa.txt). The capability list above is manually mapped from imports + strings. A future capa re-run with correctly installed signatures should detect:

  • communication/http/client (TWinHTTPClient)
  • communication/ssl (TIdSSLContext)
  • data/json (System.JSON)
  • persistence/registry (TRegistry)
  • collection/credentials (certificate context, inferred)

References

  • Artifact ID: 825f057d-75b2-4ab0-8c88-3b77b9d47a93 ^[metadata.json]
  • MalwareBazaar entry: not directly retrieved; label from OpenCTI connector nf-edigital-com
  • Sibling DLL analysis: /intel/analyses/4eb1fbf29f86031e47808cbcac92dfb4370fc4c0b63153f564afcceb9ac60578.html
  • Entity page: nfedigitalcom
  • Technique page: delphi-vcl-certificate-harvesting

Provenance

Analysis conducted 2026-06-06 using:

  • file v5.45, exiftool v12.76, pefile Python library, radare2 (analysis timed out on 4.76 MB Delphi VCL), strings, binwalk
  • floss and capa failed during pipeline execution
  • No CAPE detonation — report is static-only
  • All claims tagged with ^[filename] provenance markers