type: entity | confidence: low | created: 2026-05-30 | updated: 2026-05-30 | tags: malware-family, pe, installer, delphi, evasion, gcleaner

euone

Also labeled gcleaner by MalwareBazaar / OpenCTI. euone is a sub-label or droplet family beneath the broader gcleaner umbrella — other dropped-by-gcleaner samples in this corpus carry different family names (bb5file, us0file, uniqfile, masslogger, salatstealer, etc.), suggesting gcleaner is a multi-payload downloader or bundler rather than a single malware family.

Overview

The only euone-labelled sample in this corpus is a Delphi 7-era VCL GUI installer (setup_euone.bin). It presents a minimal checkbox form with obfuscated control names and carries a 202 KB custom-named RCDATA payload blob. Attribution confidence is low — the label may be an artifact of the gcleaner dropper's payload rotation rather than a distinct family.

Build Stack

  • Language/Compiler: Borland Delphi 7 (or compatible versions 6–2007) — VCL runtime, DVCLAL / PACKAGEINFO resources, SOFTWARE\Borland\Delphi\RTL registry path. ^[sample 0c9236cf/pefile.txt]
  • PE: PE32, x86, Windows GUI subsystem. Eight sections (CODE, DATA, BSS, .idata, .tls, .rdata, .reloc, .rsrc). ^[rabin2-info.txt:1-34]
  • Signing: Unsigned. ^[pefile.txt:256]
  • Timestamp: Fabricated Borland default (1992-06-19 22:22:17), a nuisance for compile-age heuristics. ^[pefile.txt:38]
  • Payload storage: Embedded inside a custom RCDATA resource with a randomised type name (e.g., RTIRTWERQQ). Entropy 7.37 on 202 KB. ^[strings.txt:6546] ^[pefile resource dump]
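A static triage check for the two build-stack indicators above (the Borland default timestamp and a high-entropy resource section), given as an added example rather than tooling from the original analysis. The function names, the 7.0 entropy threshold, and measuring the whole .rsrc section instead of the single RCDATA entry are assumptions; the sample image is constructed in `build_sample`.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Borland linker default stamp quoted on this page (1992-06-19 22:22:17 UTC).
BORLAND_STAMP = int(datetime(1992, 6, 19, 22, 22, 17, tzinfo=timezone.utc).timestamp())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return the PE timestamp flag and .rsrc entropy for a raw PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    rsrc_entropy = None
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") == b".rsrc":
            rsrc_entropy = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return {
        "borland_default_timestamp": stamp == BORLAND_STAMP,
        "rsrc_entropy": rsrc_entropy,
        "rsrc_high_entropy": rsrc_entropy is not None and rsrc_entropy >= entropy_threshold,
    }

def build_sample(stamp: int, rsrc: bytes) -> bytes:
    """Constructed minimal PE-like image: DOS stub, COFF header, one .rsrc section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x0102)
    raw_ptr = 0x40 + len(coff) + 40
    sect = struct.pack("<8sIIII", b".rsrc", len(rsrc), 0x1000, len(rsrc), raw_ptr) + b"\0" * 16
    return dos + coff + sect + rsrc

if __name__ == "__main__":
    print(triage(build_sample(BORLAND_STAMP, bytes(range(256)) * 64)))
```

Neither flag is conclusive alone: every unmodified Delphi 7 build carries the same timestamp, and legitimate installers also ship compressed resources, so treat the pair as a prioritisation signal.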

Deployment / TTPs

| Technique | Observation | ATT&CK |
|---|---|---|
| Social-engineering installer | Fake setup wizard (setup_euone.bin) with a checkbox form. | T1204.002 |
| Resource staging | Large compressed/encrypted blob in .rsrc extracted at runtime via standard VCL resource APIs (FindResourceA, LoadResource, LockResource, SizeofResource). | T1027 |
| File write / execution | Imports CreateFileA, WriteFile, CreateThread, VirtualAlloc — sufficient to stage and launch a dropped binary. | T1105 |
| Fabricated compile timestamp | Classic Borland 1992 stamp; anti-heuristic. | T1070 |

No network C2, registry persistence, or anti-VM counters are visible from the single sample.

Capabilities

  • delphi-vcl-installer-obfuscated-form
  • rcdata-embedded-payload-staging
  • setup-wizard-social-engineering-checkbox
  • borland-timestamp-fabrication
  • gcleaner-droplet

Notable Analyses

  • 0c9236cfdf676b4b62e409fbf08b7dd39905d641e54e4e66d3d705ec274be337 — Delphi VCL installer with 202 KB RCData payload, obfuscated form class Tke5rhiwr, no CAPE detonation. ^[/intel/analyses/0c9236cfdf676b4b62e409fbf08b7dd39905d641e54e4e66d3d705ec274be337.html]

Related

  • gcleaner — umbrella label / dropper family from which euone samples are dropped.
  • Delphi VCL installer pattern — create a technique page if observed in a second family.

References

  • MalwareBazaar tag: gcleaner + euone
  • OpenCTI labels: dropped-by-offloader, gcleaner, euone, exe