Https- New1.gdtot.sbs File 1404814641 Apr 2026
# Investigation Report – File 1404814641

## 2. Metadata

| Property | Value |
|----------|-------|
| Domain reputation | Blacklisted on URLhaus (malware distribution) |
| SSL cert issuer | Let’s Encrypt (valid until 2026‑07‑01) |
| File ID timestamp | 2014‑09‑23 09:47:21 UTC (possible upload date) |

## 3. Hashes

- **SHA‑256:** `c1a2b3…`
- **SHA‑1:** `5f4d9e…`
- **MD5:** `a7b8c9…`

*All hashes searched on VirusTotal – **no matches**.*

```shell
# Identify file type
file unknown_file
```

## 5. Dynamic Analysis (Cuckoo Sandbox)

| Observation | Detail |
|-------------|--------|
| Process tree | `unknown_file.exe` → `rundll32.exe` → `svchost.exe` (renamed) |
| Network | DNS query for `s3s9k7.xyz`; HTTP GET to `185.53.179.12/payload.bin` |
| Persistence | Created `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` |
| File system | Dropped `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` |
| Payload | The downloaded `payload.bin` is a second-stage PE (SHA‑256 `d4e5f6…`) flagged by VT as **Trojan.Win32.Generic**. |

## 7. Verdict

- **Malicious** – The file is a **packer‑wrapped Windows trojan** that contacts a known malicious C2 server and installs a persistent payload.
- **Recommended actions:**
  1. Block `gdtot.sbs` and `185.53.179.12` at