type: technique
created: 2026-06-07
updated: 2026-06-07
tags: c2, defense-evasion, malware-family, loader

WinInet + URLMon Dual-Path HTTP Downloader

A downloader that implements two independent HTTP fetch paths to retrieve a remote payload: a primary WinInet path (InternetOpenW → InternetOpenUrlW → InternetReadFile → WriteFile) and a fallback URLMon path (URLDownloadToFileW). If the primary path fails, or the execution helper returns false after the download, the fallback path sleeps for a random duration, regenerates a random filename, and retries. Using two separate API families for the same fetch lets the loader survive a failure in either one.

Detection / Fingerprint

  • IAT imports both WININET.dll (InternetOpenW, InternetOpenUrlW, InternetReadFile, InternetCloseHandle) and urlmon.dll (URLDownloadToFileW) in the same binary.
  • String artifacts: hardcoded User-Agent (often Chrome masquerade), %TEMP% expansion, randomized filename pattern (%s\\%d%d.exe).
  • Post-download: Mark-of-the-Web is stripped by deleting the Zone.Identifier alternate data stream (DeleteFileW on <dropped path>:Zone.Identifier). Expect a DeleteFileW import alongside the download APIs, and on a host a freshly written executable in %TEMP% that lacks the stream.
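
The following YARA rule is added here to encode the fingerprint above; it is not taken from the linked analyses. The import checks follow the bullets directly. The User-Agent prefix, the %TEMP% literal and the file-size bound are assumptions, chosen to fit the 10 KB MSVC9 droppers listed under Observed In, and should be tuned against real samples.

```yara
import "pe"

// Added example rule for the WinInet + URLMon dual-path downloader fingerprint.
// Lines marked ASSUMPTION are guesses, not values taken from the cited analyses.
rule WinInet_URLMon_DualPath_Downloader
{
    meta:
        description = "Loader with a WinInet fetch path and a URLMon fallback (phorpiex-style dropper)"
        reference   = "technique page: WinInet + URLMon Dual-Path HTTP Downloader"

    strings:
        // Randomized drop name built from a format string: <dir>\<rand><rand>.exe
        $fmt_name = "%s\\%d%d.exe" ascii wide
        // Stream name used for the post-download DeleteFileW call (MOTW strip)
        $zone_id  = ":Zone.Identifier" ascii wide
        // ASSUMPTION: drop directory resolved by expanding the %TEMP% variable
        $temp_var = "%TEMP%" ascii wide
        // ASSUMPTION: Chrome-masquerade User-Agent starts with the usual Mozilla prefix
        $ua       = "Mozilla/5.0 (Windows NT" ascii wide

    condition:
        uint16(0) == 0x5A4D
        // ASSUMPTION: observed droppers are ~10 KB; the bound keeps the rule off large installers
        and filesize < 512KB
        // Primary path: WinInet
        and pe.imports("wininet.dll", "InternetOpenW")
        and pe.imports("wininet.dll", "InternetOpenUrlW")
        and pe.imports("wininet.dll", "InternetReadFile")
        and pe.imports("wininet.dll", "InternetCloseHandle")
        // Fallback path: URLMon, in the same binary
        and pe.imports("urlmon.dll", "URLDownloadToFileW")
        // Disk write of the fetched payload and the Zone.Identifier deletion
        and pe.imports("kernel32.dll", "WriteFile")
        and pe.imports("kernel32.dll", "DeleteFileW")
        // Require two string artifacts so one generic string cannot match on its own
        and 2 of ($fmt_name, $zone_id, $temp_var, $ua)
}
```

Scan a sample set with `yara -r <rule file> <directory>`. The import conjunction is the strong part of the rule: benign software of this size rarely links both WinInet and URLMon for the same fetch, while the string set mainly guards against a statically linked runtime that happens to pull in both libraries.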

Observed In

  • phorpiex campaign droppers (MSVC9, 10 KB) ^[/intel/analyses/025f57988953e3d23e1657a9af5610887e57c5390a82f73b4b2b99c30eef3b70.html] ^[/intel/analyses/6b8527a7f761e8a5489b81ea8a79cbbbd9c09485b9b5d7c28cd892ef66599339.html]

Related Techniques