# New1.gdtot.sbs File 1404814641 (install)
## 4. Static Analysis

- **File type:** `PE32 executable (GUI) Intel 80386, for MS Windows` (identified by the `file` command)
- **Strings highlights:**
  - `http://185.53.179.12/loader.exe`
  - `C:\Windows\Temp\svchost.exe`
  - `RegOpenKeyExA`, `CreateProcessA`
- **PE imports:** `urlmon.dll`, `wininet.dll`, `kernel32.dll`, `advapi32.dll`
- **Embedded resources:** One compressed PE section (`UPX0`), which suggests UPX packing.
The link new1.gdtot.sbs refers to a GDToT server, a platform often used to bypass Google Drive download limits. These services present high-risk privacy concerns, as they frequently request, and get granted, excessive permissions to manage files in a user's Google Drive. For advice on removing this access, refer to the guidance found at Google Support.
If you can download the file (see § 3 for sandbox options), compute its cryptographic digests:
## 3. Hashes

- **SHA‑256:** `c1a2b3…`
- **SHA‑1:** `5f4d9e…`
- **MD5:** `a7b8c9…`
## 5. Dynamic Analysis (Cuckoo Sandbox)

| Observation | Detail |
|-------------|--------|
| Process tree | `unknown_file.exe` → `rundll32.exe` → `svchost.exe` (renamed) |
| Network | DNS query for `s3s9k7.xyz`; HTTP GET to `185.53.179.12/payload.bin` |
| Persistence | Created `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` |
| File system | Dropped `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` |
| Payload | The downloaded `payload.bin` is a second-stage PE (SHA‑256 `d4e5f6…`) flagged by VT as **Trojan.Win32.Generic**. |
## 7. Verdict

- **Malicious** – The file is a **packer‑wrapped Windows trojan** that contacts a known malicious C2 server and installs a persistent payload.
- **Recommended actions:**
  1. Block `gdtot.sbs` and `185.53.179.12` at
| Data point | Where to check |
|------------|----------------|
| | VirusTotal, Hybrid Analysis, MetaDefender, MalwareBazaar, AnyRun, Jotti. |
| Embedded URLs / domains | urlscan.io, crt.sh (for SSL certs), whois, PassiveTotal, Shodan. |
| IP addresses | AbuseIPDB, VirusTotal’s IP lookup, IPinfo.io. |
| PE import names | MalwareBazaar search for similar import patterns; GitHub repos that catalog common droppers. |
| Document macro code | Paste into VirusTotal’s “Dynamic analysis” for Office files or run through Cuckoo with the office module enabled. |
| File name / ID (1404814641) | Search the numeric ID on public forums (e.g., Reddit, 4chan’s /b/, or specialized malware sharing boards). Sometimes IDs are reused across campaigns. |
Only perform this in the sandbox you set up in § 3.