Https- New1.gdtot.sbs File 1404814641 Site

## 1. Overview - **Source URL:** https://new1.gdtot.sbs/file/1404814641 - **Date collected:** 2026‑04‑17 - **Initial impression:** Hosted on a domain frequently used for “one‑click” downloads.

## 4. Static Analysis - **File type:** `PE32 executable (GUI) Intel 80386, for MS Windows` (identified by `file` command) - **Strings highlights:** - `http://185.53.179.12/loader.exe` - `C:\Windows\Temp\svchost.exe` - `RegOpenKeyExA` `CreateProcessA` - **PE imports:** `urlmon.dll`, `wininet.dll`, `kernel32.dll`, `advapi32.dll` - **Embedded resources:** One compressed PE (`UPX0`) – suggests UPX packing. https- new1.gdtot.sbs file 1404814641

## 5. Dynamic Analysis (Cuckoo Sandbox) | Observation | Detail | |-------------|--------| | Process tree | `unknown_file.exe` → `rundll32.exe` → `svchost.exe` (renamed) | | Network | DNS query for `s3s9k7.xyz`; HTTP GET to `185.53.179.12/payload.bin` | | Persistence | Created `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` | | File system | Dropped `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` | | Payload | The downloaded `payload.bin` is a second-stage PE (SHA‑256 `d4e5f6…`) flagged by VT as **Trojan.Win32.Generic**. | Static Analysis - **File type:** `PE32 executable (GUI)

## 2. Metadata | Property | Value | |----------|-------| | Domain reputation | Blacklisted on URLhaus (malware distribution) | | SSL cert issuer | Let’s Encrypt (valid until 2026‑07‑01) | | File ID timestamp | 2014‑09‑23 09:47:21 UTC (possible upload date) | | ## 2