In incident response, we always look out for samples and exploits that employ a new technique or a zero-day, so that we can track emerging threat patterns and plan our defenses and preemptive measures. But occasionally we also come across samples that are almost archaic and would be considered ‘legacy’ in terms of the Tactics, Techniques and Procedures (TTPs) used, yet surprisingly execute fine on modern systems. This blog post is about one such sample that we noticed in our queue and analysed.

Malware authors usually perform their malicious activities in several stages, and the malware we are analyzing here is one such case, showing its true colors only at its final stage. The initial stages are all downloaders which deliver the final payload to the victim’s system. The malware author has also employed various techniques to stay under the radar. One of these is using a file which looks like a DOS executable with strong encryption/obfuscation, whose directories are not parsed correctly and which contains only the minimal information required for execution.

Detailed analysis is as follows:

Analyzed Filename: Adobe Photoshop Elements 2021 V19.0 Multilingual Downloader.exe

File MD5: 0db72f12c66b039f19be743bf0ead45f

Initially we thought it might be a corrupted file that would not execute (no sections, no directories, no header, no imports/exports, file size 1 KB), but we figured out that it was in fact a compiled MS-DOS executable, initially submitted to VirusTotal (VT) via e-mail from Korea. The physical attributes of the sample increased our curiosity and we decided to do a deeper analysis of the file. On execution, it downloads a file from ultracams12[.]club, a malicious site, drops it into the startup folder and then self-deletes. Upon restart, the downloaded file gets executed and connects to another malicious site in order to download other malware/adware files, infecting the end user machine and gaining a foothold in the network.

Figure 1: Hex View

The above figure is the hex view of the sample. It has no valid field values except for the fields required for execution, such as Address of Entry Point (AEP), file characteristics, linker versions, section and file alignment and subsystem, which is enough for it to execute without any issue. Nowadays, malware authors alter the PE structure in this way to evade detection. On execution, the malware first deobfuscates 2A3h bytes in memory at the offset referenced at the entry point.
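A header-only image like the one in Figure 1 is exactly what a triage script should flag. The following Python, added here as an example and not part of the original post or K7's tooling, reads only the loader-relevant PE fields the paragraph names (entry point, characteristics, linker version, alignments, subsystem) and reports the anomalies: zero sections, no import directory, an entry point that falls inside the header region, and a tiny file. The `build_minimal_pe()` fixture is a constructed stand-in that mimics those traits; it is not the analysed sample, and its offsets and values are assumptions.

```python
import struct
import sys


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to report the loader-relevant fields
    and flag the header-only layout described in the post."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32_plus = magic == 0x20B
    # Subsystem and the data-directory count sit later in PE32+ because
    # ImageBase and the stack/heap sizes widen to 8 bytes.
    subsys_off, ndirs_off = (92, 108) if pe32_plus else (68, 92)

    facts = {
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "characteristics": chars,
        "optional_header_size": opt_size,
        "linker_version": (data[opt + 2], data[opt + 3]),
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "section_alignment": struct.unpack_from("<I", data, opt + 32)[0],
        "file_alignment": struct.unpack_from("<I", data, opt + 36)[0],
        "subsystem": struct.unpack_from("<H", data, opt + subsys_off)[0],
        "number_of_rva_and_sizes": struct.unpack_from("<I", data, opt + ndirs_off)[0],
    }
    # Data directory entry 1 is the import table; entry i lives at dir_base + 8*i.
    dir_base = opt + ndirs_off + 4
    import_rva = 0
    if facts["number_of_rva_and_sizes"] > 1 and dir_base + 16 <= len(data):
        import_rva = struct.unpack_from("<I", data, dir_base + 8)[0]
    facts["import_table_rva"] = import_rva

    anomalies = []
    if nsections == 0:
        anomalies.append("no sections: any code must live inside the headers")
    if import_rva == 0:
        anomalies.append("no import directory: APIs are resolved at runtime")
    # With section alignment == file alignment the file maps 1:1, so an RVA
    # smaller than the file size lands in the header bytes themselves.
    if nsections == 0 and facts["entry_point"] < len(data):
        anomalies.append("entry point 0x%X points into the header region" % facts["entry_point"])
    if len(data) <= 1024:
        anomalies.append("tiny image (%d bytes)" % len(data))
    facts["anomalies"] = anomalies
    return facts


def build_minimal_pe() -> bytes:
    """Constructed fixture (assumption, not the real sample): a 1 KB PE32
    image with no sections, no data directories and an entry point inside
    the header, carrying only the fields the loader needs."""
    img = bytearray(1024)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # machine=i386, sections=0, timestamp=0, symtab=0, nsyms=0, opt size=224,
    # characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    img[opt + 2], img[opt + 3] = 2, 0                          # linker version 2.0
    struct.pack_into("<I", img, opt + 16, 0x1B0)               # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)            # ImageBase
    struct.pack_into("<I", img, opt + 32, 4)                   # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 4)                   # FileAlignment
    struct.pack_into("<H", img, opt + 68, 2)                   # Subsystem: Windows GUI
    struct.pack_into("<I", img, opt + 92, 0)                   # NumberOfRvaAndSizes
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    for key, value in inspect_pe(blob).items():
        print("%-24s %s" % (key, value))
```

Run it with a file path to triage a real sample, or without arguments to see the output on the constructed fixture. The checks deliberately stay at header level: a file that passes through here with "no sections" and "no import directory" is worth a closer look before anything else in the queue.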

Figure 2: Execution and Self-Deletion

The entry point of the file was identified by using static analysis as shown in Figure 3. It also has an offset value from where it is going to deobfuscate code into memory which is executed later.

Figure 3: Actual Entry Point

As shown in Figure 4, the deobfuscation routine, which involves shift, XOR and rotate operations, keeps executing until the counter reaches 2A3h.

Figure 4:  Logic Involved

Once the counter reaches 2A3h, execution is transferred to the deobfuscated code, which sends a request to download the next-stage file.
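When a loop like the one in Figure 4 is found, the usual analyst move is to reimplement it in a script, run it over the 2A3h bytes and check that the output contains recognisable strings before trusting the result. The Python below is an added example, not the sample's actual routine and not K7's code: the `decode()` loop is a constructed stand-in that uses the same three building blocks the post names (a rolling key that is XORed in, a per-byte rotate, and a shift-based key update), `encode()` exists only to build the fixture, and `find_strings()` is the sanity check that tells a correct reimplementation from a wrong one. The key value, the API names and the defanged URL in the fixture are assumptions.

```python
import random

BLOB_LEN = 0x2A3          # byte count the post reports for the decode loop


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n (the shift pair behind ROL)."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def decode(buf: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the sample's loop (assumption, not the real
    routine): XOR each byte with a rolling key, rotate it right by (i mod 8),
    then rotate the key left by one for the next byte, until the counter
    reaches BLOB_LEN."""
    out = bytearray()
    k = key
    for i in range(BLOB_LEN):
        out.append(ror8(buf[i] ^ k, i & 7))
        k = rol8(k, 1)
    return bytes(out)


def encode(plain: bytes, key: int = 0x5A) -> bytes:
    """Exact inverse of decode(); used only to build the test fixture."""
    out = bytearray()
    k = key
    for i in range(BLOB_LEN):
        out.append(rol8(plain[i], i & 7) ^ k)
        k = rol8(k, 1)
    return bytes(out)


def find_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs: the quickest check that a candidate decode
    routine produced real code/data (API names, a URL) rather than noise."""
    runs, cur = [], bytearray()
    for b in data + b"\0":
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(bytes(cur))
            cur = bytearray()
    return runs


def build_fixture(key: int = 0x5A) -> bytes:
    """Constructed 0x2A3-byte blob: a few strings of the kind the post
    mentions, padded with seeded pseudo-random filler, then encoded."""
    text = b"InternetOpenA\0SHGetFolderPathA\0hxxp://downloader.example.invalid/stage2\0"
    rng = random.Random(1)
    filler = bytes(rng.randrange(256) for _ in range(BLOB_LEN - len(text)))
    return encode(text + filler, key)


if __name__ == "__main__":
    blob = build_fixture()
    print("strings before decoding:", find_strings(blob))
    print("strings after decoding: ", find_strings(decode(blob)))
```

Running the decoder with the right key surfaces the API names immediately, while a wrong key (or a mis-transcribed rotate count) yields nothing readable, which is the signal to go back to the disassembly.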

Figure 5: Code in memory after deobfuscation

The code tries to download the file from http[:]//ultracams12[.]club and then continues its execution. This is done using standard Windows API calls like InternetOpenA(), ShGetFolderPathA(), lstrcatA(), CreateFileA(), InternetReadFileA(), WriteFile() and CloseHandle().

Figure 6: Executed code downloads the malicious file
Figure 7: GET Request sent to download malicious file

This site and the files served from it have detections in VirusTotal as malicious. The serving IP address for the site and the files is 162.241.3.15, and the domain is registered from Brazil.

Figure 8: ChromeUpdater.exe

The downloaded file’s name was ChromeUpdater.exe and its properties are as shown in Figure 9. The downloaded file is not digitally signed either, and its file size is around 8 KB.

Figure 9: File Properties

From Figure 10, we can glean that the debug string and timestamp are suspicious.

Figure 10: Debugger string svchost.pdb

We can see from Figure 11 that the file got downloaded into the startup folder and was moved into the AppData/Roaming folder using PowerShell: “powershell Move-Item -Force -Verbose -Path ./* -Destination ‘C:\Users\k7user\AppData\Roaming

Figure 11: Powershell command for file relocation

On further analysis, we observed that the entry point of the program and its timestamp are suspicious, as can be seen in Figure 12.

Figure 12: Entry point of Program and Suspicious Time Stamp
Figure 13: Main Function in Chromeupdater.exe

In the main function, Form1 is set to run. When Form1 loads, the downloaded file is moved from the startup folder to AppData/Roaming using PowerShell, and a Run entry is added to the registry, as shown in Figures 14 and 15.

Figure 14: Registry Key
Figure 15: Form1_Load method
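The two behaviours described above, PowerShell relocating the payload out of the Startup folder and a Run key pointing at a user-writable directory, are both visible in endpoint telemetry. The Python below is an added detection example, not code from the post or from K7: it runs two rules over a handful of constructed Sysmon-style events (process creation and registry value set), including benign noise that must not fire. The event format, field names and paths are assumptions made for the example, and the SID is a placeholder.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set); not real logs from the case. Fields are "|"-separated key=value.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Users\\k7user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ChromeUpdater.exe"
    "|CommandLine=powershell Move-Item -Force -Verbose -Path ./* -Destination 'C:\\Users\\k7user\\AppData\\Roaming'",
    "EventID=13|Image=C:\\Users\\k7user\\AppData\\Roaming\\ChromeUpdater.exe"
    "|TargetObject=HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ChromeUpdater"
    "|Details=C:\\Users\\k7user\\AppData\\Roaming\\ChromeUpdater.exe",
    # Benign noise: an editor launch, and an installer registering a Run entry
    # under Program Files, which is not user-writable.
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe C:\\Users\\k7user\\Documents\\notes.txt",
    "EventID=13|Image=C:\\Program Files\\Vendor\\setup.exe"
    "|TargetObject=HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"
    "|Details=C:\\Program Files\\Vendor\\agent.exe",
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Directories an unprivileged user can write to; a Run entry pointing here is
# far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Temp|Users\\Public|ProgramData)\b", re.I)
MOVE_VERB = re.compile(r"(^|\s)(Move-Item|mv|mi|move)(\s|$)", re.I)


def parse_event(line: str) -> dict:
    """Split one constructed event line into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split("|"))


def detect(events) -> list:
    """Return (rule, evidence) tuples for the two behaviours in the post:
    PowerShell moving files out of the Startup folder into a user-writable
    directory, and a Run value whose command lives in such a directory."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            if "powershell" in image and MOVE_VERB.search(cmd) and (
                STARTUP_DIR.search(parent) or USER_WRITABLE.search(cmd)
            ):
                alerts.append(("startup_relocation_via_powershell", cmd))
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                alerts.append(("run_key_to_user_writable_path", target))
    return alerts


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print("%-36s %s" % (rule, evidence))
```

The process rule keys on the parent image as well as the command line, because a payload launched from the Startup folder and immediately relocating itself is the combination seen here; a plain `Move-Item` typed by an administrator would not match unless it also targets one of the user-writable paths.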

From Figure 16, we gleaned that ChromeUpdater.exe connects to a site which redirects to a possible phishing website. Specifically, from Figure 15, we see that the code navigates to https[:]\\is.gd\A5EA3V, which redirects to a Portuguese site, http[:]\\futebol.sovideodahora.xyz\. The sample under consideration connects to adware and phishing sites and also downloads malware from those sites.

Figure 16: Connections to Random Pages (Adware, Phish)

Here, the malware uses a URL shortener service in order to hide the maliciousness of the original sites. In the code, the URL mentioned is “https[:]\\is.gd\A5EA3V”, which redirects and connects to “http[:]\\futebol[.]sovideodahora[.]xyz\”. It then proceeds to connect to anonymous random sites and tries to download files which are in fact malicious.

In an attempt to monetize the service, the shortener service provider starts to send pop-up ads along with page redirection to potentially dangerous sites. When we looked into the history of those sites on online detection services like VirusTotal, there were numerous positive detections, i.e. most of the files downloaded from the sites were flagged as malicious. This malware uses the is.gd service in order to hide the actual URL from users (similar to how phishing is done).

Many URL shortener services are available on the internet, such as Bitly, Rebrandly, Polr, TinyURL, BL.INK, Hyperlink, T2M, Yourls, Shorby and is.gd. The original purpose of URL shortening services was to overcome the problem caused by long URLs in e-mail messages, but nowadays they are being abused for malware and phishing attacks.

Let us look at an example of the URL shortener service is.gd, which is used by this malware. If a threat actor wants to download malicious binaries onto a user’s machine, he creates a short URL for his own link with the help of is.gd, which can then be embedded in the malicious binary or sent via email.
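Because the short URL hides the destination, an analyst wants to see where it leads without letting anything execute. The Python below is an added example, not code from the post or from K7: it resolves a shortener chain one hop at a time with HEAD requests that refuse to follow redirects, caps the number of hops, detects loops, and defangs the result for a report. The `head` function is injectable, so the demonstration runs against a constructed in-memory chain (`FAKE_HOPS`, with placeholder `.test` hostnames) and touches no network; `head_via_urllib()` is the real implementation to use on a live short URL from an isolated analysis host.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECTS = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop is observed, not executed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_via_urllib(url: str, timeout: float = 10.0):
    """Issue one HEAD request and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "url-expander/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # A 3xx surfaces here because the handler above declined to follow it.
        return err.code, err.headers.get("Location")


def expand(url: str, head=head_via_urllib, max_hops: int = 5) -> dict:
    """Walk the redirect chain hop by hop with a hard cap and loop detection.
    `head` is injectable so the chain can be resolved against fixtures offline."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            return {"final": chain[-1], "chain": chain, "status": status, "truncated": False}
        nxt = urljoin(chain[-1], location)       # relative Location headers are legal
        if nxt in chain:
            return {"final": nxt, "chain": chain + [nxt], "status": status, "truncated": True}
        chain.append(nxt)
    return {"final": chain[-1], "chain": chain, "status": None, "truncated": True}


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a report."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


# Constructed fixture standing in for a shortener chain (assumption; the
# hostnames are placeholders). No network is used when this is injected.
FAKE_HOPS = {
    "https://is.gd/EXAMPLE": (301, "http://futebol.example-redirect.test/"),
    "http://futebol.example-redirect.test/": (302, "/landing"),
    "http://futebol.example-redirect.test/landing": (200, None),
}


def fake_head(url: str):
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    result = expand("https://is.gd/EXAMPLE", head=fake_head)
    for hop in result["chain"]:
        print(defang(hop))
    print("final status:", result["status"], "truncated:", result["truncated"])
```

The hop cap and the loop check matter in practice: redirect-for-profit sites chain through several ad networks, and an expander that blindly follows `Location` can spin until it times out. Keeping every intermediate URL in `chain` also gives you each domain to look up separately rather than only the last one.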

Figure 17: URL Shortener Service is.gd

We have listed some shortened URLs which download malicious binaries to the user’s machine and have positive detections in VT. Most of the submissions are from the United States, Great Britain and Spain.

Figure 18: List of Malicious URLs

We at K7 have detection for all such malicious URLs and the downloaded malicious files. Users are requested to use a reputable product like K7 Total Security and keep it updated to stay protected from the latest threats. Users are also recommended to be cautious when clicking on URLs, even if they look legitimate. So the motto should be “Be Vigilant, Stay Protected”.

Indicators Of Compromise (IOCs)

MD5                              | File Name                                                       | K7 Detection Name
0db72f12c66b039f19be743bf0ead45f | Adobe Photoshop Elements 2021 V19.0 Multilingual Downloader.exe | Trojan ( 005741031 )
d3da2b742449333f758de33b3506409b | KeePass.exe                                                     | Trojan ( 005748891 )
d2fa171a4bb1eb4017121bea2d4f5902 | ChromeUpdater.exe                                               | Trojan ( 005748891 )

URLs

http [:]//ultracams12[.]club/svchost[.]exe
http [:]//viewsultimate[.]getforge[.]io/
http [:]//futebol[.]sovideodahora[.]xyz/
