From securityonline.info
First, Huan reads the given PE file and encrypts it with the CBC mode AES-128 encryption algorithm. For the encryption, I used Tiny AES in C and prepared a padding code for the requirement of this library. When the encryption is complete, it compiles the loader using the Visual Studio compiler (MsBuild.exe) and creates an executable. After that, it creates a section (called .huan) on that executable and embeds the encrypted content, size information, IV, and symmetric key. Both keys are created randomly for each copy of the loader. The layout of this section can be seen below.