Yet another Delphi Infostealer Trojan (April 12, 2013)

The Dell SonicWALL Threats Research team has discovered a new Delphi-based information-stealing Trojan. All the dropper samples of this family, as well as the components they drop, are Delphi executables. The main goal of this multi-component malware is to steal confidential information from the victim's computer.

Infection Cycle:

Below is a sample of the DNS queries that the Trojan performed during analysis:

  • searchbestbiz.com
  • l11ll.com
  • handjobheats.com

Upon execution, the dropper downloads the secondary component in an encrypted form and saves it as:

  • %SYSTEM32%\adodbupd.dat [Detected as GAV: EncAgent.HPE (Trojan)]

The dropper and all the subsequently downloaded files contain obfuscated API names to make analysis difficult for researchers. We were able to locate the decryption routine, which revealed the API calls at runtime. This is very similar to the Chinese bot described in an earlier SonicALERT, which suggests a possible connection between the authors of the two malware families.

The dropper decrypts a portion of the downloaded file in memory. It then creates an explorer.exe process in suspended mode, injects the decrypted file into the suspended explorer.exe process and runs it.

The hijacked explorer process further creates two DLL files:

  • %SYSTEM32%\IUNSYw32.dll
  • %SYSTEM32%\IUNSKw32.dll

It creates a different restart mechanism for each of these two DLLs. IUNSYw32.dll is registered as a Winlogon notification package, which receives logon and startup events.

IUNSKw32.dll is registered as the ServiceDll of an svchost-hosted service named “Intel(R) Management Services”.
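Both restart mechanisms leave a trace in the registry: a Winlogon Notify subkey whose DLLName value points at the package, and a service Parameters key whose ServiceDll value points at the hosted DLL. The following added script (not part of the original SonicALERT) parses a constructed .reg-style export of those two locations and flags entries whose file name matches the DLL names reported above, while listing every other notification package and ServiceDll for review; the service key name IntelMgmt and the benign entries are assumptions made for the sample.

```python
import re

# DLL names reported in this writeup as the Trojan's two persistence components.
KNOWN_BAD = {"iunsyw32.dll", "iunskw32.dll"}

# Constructed sample in .reg export style. Real exports encode REG_EXPAND_SZ as
# hex(2):...; this sample uses plain quoted strings. Benign entries are illustrative.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IUNSY]
"DLLName"="IUNSYw32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelMgmt\Parameters]
"ServiceDll"="C:\\Windows\\system32\\IUNSKw32.dll"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg(text):
    """Return (key, value_name, value) triples; .reg doubles backslashes in strings."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key:
            out.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return out

def find_persistence(text):
    """Return (mechanism, key, dll, verdict) for Winlogon Notify and ServiceDll entries."""
    findings = []
    for key, name, value in parse_reg(text):
        k, n = key.lower(), name.lower()
        if "\\winlogon\\notify\\" in k and n == "dllname":
            kind = "winlogon-notify"
        elif "\\services\\" in k and k.endswith("\\parameters") and n == "servicedll":
            kind = "svchost-servicedll"
        else:
            continue
        base = value.rsplit("\\", 1)[-1].lower()   # file name only
        verdict = "known-ioc" if base in KNOWN_BAD else "review"
        findings.append((kind, key, value, verdict))
    return findings
```

Calling find_persistence(SAMPLE_REG) returns four findings, two of them marked known-ioc; on a real export the "review" entries still need a check that each DLL is a legitimate, signed file.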

Once this service is started, it downloads another encrypted file, vdocert130327.dat, and saves it as:

  • %SYSTEM32%\itusbcore.dat [Detected as GAV: EncAgent.HPE_2 (Trojan)]

The downloaded file is then decrypted in memory and injected into a new svchost.exe process. This final process now acts as an information stealer.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Agent.HPE (Trojan)
  • GAV: Agent.HPE_2 (Trojan)
  • GAV: EncAgent.HPE (Trojan)
  • GAV: EncAgent.HPE_2 (Trojan)