type: technique
confidence: high
created: 2026-06-04
updated: 2026-06-04
tags: obfuscation, defense-evasion, malware-family, loader

RC4 In-Place Section Decryption

What It Does

The PE's .text, .data, and import sections are encrypted with RC4 at build time. A small bootstrap stub embedded at entry point performs in-place RC4 decryption using a key derived from XOR-obfuscated API strings, then patches the IAT and jumps to the decrypted payload.

Detection / Fingerprint

  • Entry point contains KSA (Key-Scheduling Algorithm) loops followed by PRGA (Pseudo-Random Generation Algorithm) loops.
  • High-entropy .text or .data sections in the on-disk PE (entropy > 7.8 for RC4-encrypted regions).
  • Post-decryption entropy drops sharply to ~6.0–6.5 for valid x86/x64 code.
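To make the entropy fingerprint concrete, here is an added example (not code from this entry or from any SilverFox sample) that computes per-section Shannon entropy, flags sections above the 7.8 on-disk threshold, and shows the drop after decryption. The section names, section contents and the 28-byte key are constructed; `rc4` is a textbook implementation used only to build the test data.

```python
import math
from collections import Counter

ON_DISK_THRESHOLD = 7.8  # RC4-encrypted regions sit above this (fingerprint above)

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 (constant) .. 8.0 (uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def rc4(key, data):
    """Textbook RC4 (KSA then PRGA); used here only to build test data."""
    s, j = list(range(256)), 0
    for i in range(256):                            # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def triage_sections(sections):
    """name -> (entropy, flagged) for a dict of section name -> raw on-disk bytes."""
    report = {}
    for name, blob in sections.items():
        h = shannon_entropy(blob)
        report[name] = (round(h, 3), h > ON_DISK_THRESHOLD)
    return report

def build_constructed_sample():
    """Constructed stand-in for an on-disk PE: one RC4-encrypted section, one plain."""
    code = bytes((i * 7) % 64 for i in range(16384))   # 64-symbol alphabet: entropy 6.0, like real code
    key = bytes(range(0x10, 0x2C))                      # constructed 28-byte key
    sections = {".text": rc4(key, code), ".rdata": b"Hello from a plain section\x00" * 512}
    return sections, key, code

def demo():
    """Returns (on-disk report, post-decryption .text entropy, round-trip ok)."""
    sections, key, code = build_constructed_sample()
    decrypted = rc4(key, sections[".text"])             # RC4 is symmetric
    return triage_sections(sections), shannon_entropy(decrypted), decrypted == code

if __name__ == "__main__":
    report, post, ok = demo()
    for name, (h, flagged) in report.items():
        print(f"{name:8} on-disk entropy={h:.3f} {'SUSPICIOUS' if flagged else 'ok'}")
    print(f"post-decryption .text entropy={post:.3f}, round-trip {'ok' if ok else 'FAILED'}")
```

Against a real PE, feed `triage_sections` the raw bytes of each section header's PointerToRawData/SizeOfRawData range; the threshold is the same.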

Implementation Patterns

  • RC4 key length varies by sample (28 bytes observed in one SilverFox variant).
  • Decryption is done in-place — the stub overwrites encrypted sections with plaintext rather than allocating new buffers.
  • IAT repair follows immediately after decryption, restoring import addresses before calling the real entry point.

Related