Sample
- SHA256: 61f8224108602eb1f74cb525731c9937c2ffd9a7654cb0257624507c0fdb5610
- Difficulty: medium
- Platform: Windows
- Tags: rat, revshell, windows
- Likes: 1
- Views: 2
- Submitter: humpty_tony
Analysis
Goal
- Reconstruct the execution entrypoint of a DLL implant
- Deal with unusual socket usage
- Derive the crypto/obfuscation primitives from the code
- Map "capabilities" to specific code paths and artifacts
- Recognize and analyze the persistence mechanism
Description
The sample in this post is "Supper" (aka "Interlock RAT"): a ~176 KiB 64-bit Windows DLL (its export table identifies it as socks.dll) that is designed to run mostly fileless, in memory.
What it does, in practice:
- Initial beacon over HTTPS: sends a small magic-prefixed packet containing a JSON host profile (C2 IP, domain/workgroup, hostname, integrity level, OS “veros” mapping, etc.). After that, it switches to a custom binary protocol with a 12-byte header + 8-byte encrypted payload, where the header effectively carries the payload’s decryption key (and is further masked to frustrate naïve inspection).
- Encryption/obfuscation: uses a custom stateful XOR stream cipher (per-byte evolving state + 4-byte key), and then XOR-masks header fields using constants like 0x4D4D4D4D.
- Execution model: essentially everything is executed via cmd.exe, not by dropping and running “tools.”
- Core capabilities (high level):
  - Reverse shell: spawns a hidden cmd.exe, wires up stdin/stdout pipes, and forwards I/O to and from the C2.
  - One-shot command execution via cmd.exe /c.
  - Encrypted config handling: can dump/update the config and, on demand, writes a single encrypted config blob to C:\Users\
  - Self-delete: drops an embedded helper DLL (e.g., main.dll exporting run) to a random temp path and executes it via rundll32.exe to remove the original payload from disk, then continues resident in memory.
Recommended Tools
- Binary Ninja
- Detect It Easy