Reversing APT Tool : SManager (Unpacked)

Reversing a highly sophisticated espionage tool from a Chinese APT group.

This is my second blog on SManager. In the first part, I reversed the packed sample of SManager, which is the installer of SManager. The previous blog can be read from here.

In this blog, we will look at the internals of the unpacked sample of SManager, which I unpacked from the sample covered in my first blog about SManager.

So, let's dig in.

Static Analysis:(Basic)

File Information:

The file information shows it is related to a Chinese APT group.

Static Analysis:(Advanced)

In short, this sample exports to 2 files and creates one service.

DllEntryPoint is the main entry point.


Starting from the entry point, the “Dll_Main_Entry” function consists of two functions, “thread_ps_info_store” and “thread_buffr_file_ops”.

Code of Dll_Main_Entry function.
Graph of Dll_Main_Entry function.


The first function, “thread_ps_info_store”, extracts the system information and returns it to the Dll_Main_Entry function, using the functions “GetCurrentThreadId” and “GetCurrentProcessId”.

Code of “thread_ps_info_store”
call graph of “thread_ps_info_fetcher”


Using functions like “rtrn_thread_buffr_heap_info” and “FILE_oPS_THREAD_ops”, thread information along with processor information is extracted from the infected systems.

Code of thread_buffr_file_ops function.
call graph of thread_buffr_file_ops function.

Now, moving on to the second exported file, which is used to create a service for communications with the C2 with legitimate DLL injection.


In this function, the service is created mainly for making connections with the Command and Control server (C2 aka C&C).

code and call graph of create_service_for_plugin function.

Now moving on to the last exported “Entery” file in the disassembly.


Here I have renamed the “Entery” function for convenience, so that a normal user can understand what it does. It downloads the plugin from the Command and Control server (C2 aka C&C) using the function “plugin_download_from_C2_using_C2”, after raising the exceptions using “SetUnhandledExceptionFilter” and setting the error mode to 0x8002u so that the C2 communications happen smoothly. plugin_download_from_C2_using_C2 downloads the plugin file from the C2 and opens the new plugin file on the system.

Code of plugin_download_by_raising_exceptions function.
call graph of plugin_download_by_raising_exceptions function.


In this function, the following functions are deployed for downloading the plugin from the C&C server:

startup_plugin_sock_comm, C2_ops_for_downloading_plugin.

code of plugin_download_from_C2_using_C2 function.
Call Graph of plugin_download_from_C2_using_C2 function.


In this particular function, socket communications begin with the C&C server for downloading the plugin.

Call graph and code of startup_plugin_sock_comm function.


This function is specifically responsible for downloading the malicious plugin from the C2 server.

Code and Call Graph of C2_ops_for_downloading_plugin function.

Dynamic Analysis:(Advanced)

Setting three breakpoints in the Dll_Main_Entry function to debug the malicious DLL, we obtain output that is similar to our static analysis of this unpacked binary.

First it loads some .dll files, as shown in the image below; it then injects the payload, starts some services and finally downloads the plugin.

IDA view of dynamic debugging of SManager.
output log of Smanager debugged.

Indicators of Compromise(IOCs) and Detections

Network [C2 Communications]

VT Graph.

Att&ck IDs

T1129, T1085, T1085.

Att&ck Mitre Techniques

Sample from Report


MD5: c11e25278417f985cc968c1e361a0fb0

SHA1: 989334094ec5ba8e0e8f2238cdf34d5c57c283f2

SHA256: f659b269fbe4128588f7a2fa4d6022cc74e508d28eee05c5aff26cc23b7bd1a5
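
The three sample hashes above can be used to sweep a directory tree for copies of this unpacked sample. The script below is an added example, not code from the original post or from the sample: it reads each file once, feeds all three hashers in the same pass, and reports any match. The names `file_digests` and `sweep` and the directory argument are assumptions chosen for illustration.

```python
import hashlib
import os

ALGS = ("md5", "sha1", "sha256")

# Sample hashes published in this post (lowercase hex).
IOCS = {
    "md5": "c11e25278417f985cc968c1e361a0fb0",
    "sha1": "989334094ec5ba8e0e8f2238cdf34d5c57c283f2",
    "sha256": "f659b269fbe4128588f7a2fa4d6022cc74e508d28eee05c5aff26cc23b7bd1a5",
}

def file_digests(path, chunk_size=1 << 20):
    """Read the file once and feed every chunk to all three hashers."""
    hashers = {name: hashlib.new(name) for name in ALGS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def sweep(root, iocs=IOCS):
    """Walk root; return (path, algorithm) for every file whose digest matches."""
    # Normalise case so hashes pasted in upper case still match.
    wanted = {alg: value.lower() for alg, value in iocs.items() if alg in ALGS}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files so the sweep cannot block or loop.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or locked file: skip it, keep sweeping
            hits += [(path, alg) for alg in wanted if digests[alg] == wanted[alg]]
    return hits

if __name__ == "__main__":
    import sys
    # Directory to sweep is the first argument (assumption: defaults to ".").
    for path, alg in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {alg} {path}")
```

A hash match only identifies byte-identical copies of this sample; a repacked or rebuilt variant will not match.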

YARA Signature:

Thank you for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident responding.
