PureRAT variant observed in AI Video Player

Executive Summary

I analyzed a malware chain beginning with DriveVideoSetup-x64-0.1.0.exe, distributed through a fake Drive Video / SMVEO-themed lure. The malware uses a staged execution chain that moves from Python bytecode into shellcode, then into multiple protected .NET assemblies.

The chain includes heavy obfuscation and encryption, runtime patching, certificate generation, protobuf references, and authenticated WebSocket communications.

Dynamic analysis observed the malware enrolling with its infrastructure, creating certificate material under %LOCALAPPDATA%\SMVEO\, connecting to agent.sm-veo.com, and logging the strings agent starting 2.3.0, auto-enrolling, and ws connection.

Multiple indicators suggest this activity is likely PureRAT.

Execution Workflow

Figure: PureRAT workflow

DriveVideoSetup-x64-0.1.0.exe
  ↓ Persistence via CurrentVersion\Run
  ↓ python.pyc
  ↓ Base85 decode
  ↓ zlib decompress
  ↓ marshal.loads()
  ↓ shellcode3.bin
  ↓ VirtualAlloc / RtlMoveMemory / CreateThread
  ↓ .NET loader stage: Mdswhvizp / Ykzrh-style protected loader
  ↓ Encrypted resources and virtualized dispatch
  ↓ Embedded resource: Xuvrfuo
  ↓ TripleDES-CBC decrypt
  ↓ Raw inflate after small header
  ↓ .NET stage: Uwjoqtb
  ↓ Encrypted resources / runtime patch metadata
  ↓ Certificate enrollment
  ↓ Authenticated WebSocket communications
  ↓ Remote tasking / script execution

Delivery and Sandbox Caveat

The lure uses a fake Google Drive-style video download flow and delivers: DriveVideoSetup-x64-0.1.0.exe

The certificate signer / publisher artifact observed across related samples is: Smartcore LLC

Persistence is established through: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

The Python stage may not execute immediately. In several sandbox-style environments, the installer may only stage persistence. The later Python → shellcode → .NET chain may require reboot, logon, or manual triggering of the persisted Run key.

Figure: ANY.RUN sandbox run
Note: a non-public sandbox running Windows 11 produced the full execution chain.

Python Stage

We view the Python disassembly using pycdas to get an understanding of the structure:
Figure: Python pycdas output

***Note: When decoded, this loads another python file that is also encoded + encrypted.***

The persisted Python bytecode stage contains loader indicators:

marshal, base64, b85decode, decompress, import

The deobfuscation order observed for this stage is:

Base85 decode
  ↓ zlib decompress
  ↓ marshal.loads()
  ↓ Python loader execution
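As an added example (not the author's script or anything recovered from the sample), a static triage helper for this stage: it reverses the Base85 → zlib → marshal wrapping without executing the bytecode and reports which loader indicators the recovered code object references. The indicator set extends the page's list with loads and exec (an assumption), and the sample blob is constructed here, not the real python.pyc.

```python
import base64
import marshal
import types
import zlib

# Loader indicators the page reports for the persisted python.pyc stage,
# plus the names a marshal-based loader calls (loads, exec) as an assumption.
LOADER_INDICATORS = {"marshal", "base64", "b85decode", "decompress", "loads", "exec"}


def unwrap_stage(blob: bytes) -> types.CodeType:
    """Reverse the observed wrapping order (Base85 -> zlib -> marshal) and
    return the inner code object. marshal.loads() builds the object but never
    runs it; still do this in an isolated VM, since marshal is not hardened
    against malformed input. The same call can be applied again to a nested
    stage that uses the same wrapping."""
    code = marshal.loads(zlib.decompress(base64.b85decode(blob)))
    if not isinstance(code, types.CodeType):
        raise ValueError("unwrapped object is not a code object")
    return code


def collect_names(code: types.CodeType) -> set[str]:
    """Gather every global/attribute name referenced by the code object and
    by any nested code objects (functions, lambdas) stored in co_consts."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= collect_names(const)
    return names


def loader_indicators(code: types.CodeType) -> set[str]:
    """Names from the indicator set that the stage actually references."""
    return collect_names(code) & LOADER_INDICATORS


def build_sample() -> bytes:
    """Constructed stand-in for the real stage (not the malware's bytecode):
    a tiny loader-shaped script wrapped in the same order the page describes."""
    src = (
        "import marshal, zlib, base64\n"
        "PAYLOAD = b''\n"
        "exec(marshal.loads(zlib.decompress(base64.b85decode(PAYLOAD))))\n"
    )
    code = compile(src, "<stage>", "exec")
    return base64.b85encode(zlib.compress(marshal.dumps(code)))


if __name__ == "__main__":
    stage = unwrap_stage(build_sample())
    print("loader indicators:", sorted(loader_indicators(stage)))
```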

Python Stage 2:


This second stage of Python has two blobs: one is Base64 (an RSA key) and the second is another Base85 + zlib blob. The interesting part of this stage is the hybrid_decrypt function, which performs XOR, AES and RC4 operations.

Python Stage 3 (Shellcode Loader):

Figure: Python pycdas shellcode loader stage
dst16: >0x09
key16: 0x19
encrypted blob: @ >0x241
cipher: custom 16-round PRNG/stream cipher; the resulting PE starts at offset 0x104C after decryption

.NET Loader and Virtualization

Follow-up analysis of extracted .NET loader stage, internally named Ykzrh.exe (smveo-csharp-agent.exe) in one recovered artifact, revealed a substantial virtualization and runtime reconstruction layer. This helps explain why the .NET portions of the chain initially appeared incomplete or nonsensical in decompilers.

Figure: Ykzrh.exe in dnSpy
The loader reconstructs method references dynamically using encrypted token maps, delegate initialization, reflection, and a custom bytecode interpreter. This appears to be protection infrastructure around the malware rather than the malware's core RAT functionality.
Figure: Grabbing the internal embedded resource
Figure: Obtaining the embedded payload
Figure: MZ array in dnSpy .NET analysis

Xuvrfuo Decryption

The first major .NET resource extraction pivot was the embedded resource:
Figure: Embedded .NET resource loaded

Resource: Xuvrfuo
Algorithm: TripleDES-CBC
Padding: PKCS7
TripleDES Key: 1E4760505B92C0AA0DE15226D001EE47
TripleDES IV: 1AB225BFC42E570D
Post-processing: raw inflate after a small header
Figure: CyberChef decode
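An added helper (not from the page or the author's tooling) for the "raw inflate after a small header" step. It assumes the TripleDES-CBC decryption with the key and IV above has already been done (for instance in CyberChef, as the page shows) and takes the decrypted buffer, scanning for the offset at which raw DEFLATE yields a complete stream that decodes to a PE image; the sample buffer is constructed, not the real Xuvrfuo resource.

```python
import struct
import zlib


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' signature and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def raw_inflate_after_header(buf: bytes, max_header: int = 32) -> tuple[int, bytes]:
    """Locate the raw DEFLATE stream (no zlib header, wbits=-15) that follows a
    short header of unknown length by trying each candidate offset. Returns
    (header_length, inflated_image) for the first offset whose stream inflates
    completely to something that passes the PE check; offsets that raise or
    yield non-PE data are skipped."""
    for off in range(max_header + 1):
        d = zlib.decompressobj(wbits=-15)
        try:
            out = d.decompress(buf[off:])
        except zlib.error:
            continue
        if d.eof and looks_like_pe(out):
            return off, out
    raise ValueError("no raw-deflate stream decoding to a PE image found")


# Constructed sample (not the real Xuvrfuo payload): a minimal MZ/PE-shaped
# image, raw-deflated, with a constructed 4-byte length header in front.
SAMPLE_IMAGE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 200


def build_sample_blob() -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    stream = c.compress(SAMPLE_IMAGE) + c.flush()
    return struct.pack("<I", len(SAMPLE_IMAGE)) + stream


if __name__ == "__main__":
    header_len, image = raw_inflate_after_header(build_sample_blob())
    print(f"header length {header_len}, image {len(image)} bytes, PE={looks_like_pe(image)}")
```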

.NET Stage: Uwjoqtb

The decompressed payload from Xuvrfuo produced the protected .NET assembly Uwjoqtb:

Name: Uwjoqtb
Version / Framework: .NET Framework 4.0
Timestamp: 2026-05-23
Microsoft detection: Trojan:MSIL/PureRat.ABA!MTB

The assembly is heavily protected and contains multiple encrypted resources. Static decompilation shows many stubs, proxy methods, and incomplete code paths. Runtime debugging and resource decryption show that important functionality is activated dynamically.

Figure: Final .NET PureRat stage

Certificates and C2

The malware creates a working directory under:

%LOCALAPPDATA%\SMVEO\

Artifact   | Purpose
client.crt | Generated client certificate.
client.key | Generated client private key.
ca.crt     | CA certificate material used by the agent.

Infrastructure                    | Context
smveo.com                         | Lure / infrastructure domain.
admin.sm-veo.com                  | Enrollment / administration endpoint.
agent.sm-veo.com                  | Agent communication endpoint.
wss://agent.sm-veo.com:8443/v1/ws | Observed WebSocket C2 endpoint.
103.183.115.177:56001             | Observed in lab.
103.183.115.177:56002             | Observed in lab.
103.183.115.177:56003             | Observed in lab.

The certificate workflow suggests mutual TLS-style authentication and custom certificate validation. This would make casual interception with Burp, Fiddler, or mitmproxy more difficult unless the certificate validation path is bypassed.

Detection and Hunting

Certificate signer pivot: Smartcore LLC
Runtime strings: agent starting 2.3.0, auto-enrolling, registered successfully, ws connected, running script
YARA: GitHub YARA Rules

Indicators of Compromise

Network

Type   | Value                             | Context
Domain | smveo.com                         | Lure / infrastructure.
Domain | admin.sm-veo.com                  | Enrollment / administration endpoint.
Domain | agent.sm-veo.com                  | Agent WebSocket endpoint.
URL    | wss://agent.sm-veo.com:8443/v1/ws | Observed WebSocket C2 endpoint.
IP     | 103.183.115.177                   | Observed infrastructure, Vietserver / AS63737.
Port   | 8443                              | WebSocket / TLS communications.
Port   | 56001                             | Observed in lab.
Port   | 56002                             | Observed in lab.
Port   | 56003                             | Observed in lab.

Files and Artifacts

Artifact                      | Context
DriveVideoSetup-x64-0.1.0.exe | Initial installer.
python.pyc                    | Persisted Python bytecode stage.
shellcode3.bin                | Recovered shellcode stage.
Mdswhvizp                     | Protected .NET loader stage.
Ykzrh.exe                     | Internal name observed in one extracted .NET loader artifact.
Uwjoqtb                       | Protected .NET stage recovered from Xuvrfuo.
%LOCALAPPDATA%\SMVEO\         | Working directory for certificates, logs, and data.
client.crt                    | Generated client certificate.
client.key                    | Generated client private key.
ca.crt                        | CA certificate material.

Samples

Sample                        | SHA256
DriveVideoSetup-x64-0.1.0.exe | f3284e498890139de2f94be50b260ec7547a91a63d72b926b71ae343106edc02
drivevideo.pyc                | e70cc6dddce8717ea5b4d3597d1543d43cfa9a0c2eac6c52f309adfe879b7352
python.pyc                    | ca36b7438f248e01a20808fa0bbd30938eb3fac792b5ca59bf3ade01afa48992
Ykzrh.exe                     | 6ef97cd831f3cd77ee2dcf98b100b31672887ede7c34ed2017039b9ae434ff9d
Xuvrfuo                       | 628adb8b1814491d74b1cbf9d1ef25e36e93f58f8bc2d24b536bcd1627232a34
Uwjoqtb.dll                   | 8e751724a30386948628c786e6cf4c894aebec8aa36d979b13d6b61a6b5e29c7

Registry

Key                                                | Context
HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence for later Python-stage execution.

Key Findings

  • Three-stage Python loader chain.
  • Stage 3 decodes Base64 shellcode.
  • Shellcode uses custom 16-round stream cipher.
  • Recovered PE matches operational .NET agent.
  • Agent generates certificates and enrolls with SMVEO infrastructure.
  • Authenticated WebSocket communications observed.
  • Strong overlap with publicly documented PureRAT activity.
