1404814641: Https- New1.gdtot.sbs File

# Extract strings, limit to printable ASCII > 4 chars strings -a -n 5 unknown_file > strings.txt

## 6. OSINT Correlation - **Domain `gdtot.sbs`** appears in 42 recent VT submissions, 35 of which are classified as **Malware** (mostly ransomware droppers). - **IP `185.53.179.12`** listed on AbuseIPDB with 1,218 reports for “malware distribution”. - **File ID `1404814641`** referenced on a 4chan thread discussing “new .exe drops from GDTOT”. https- new1.gdtot.sbs file 1404814641

# Identify file type file unknown_file

## 7. Verdict - **Malicious** – The file is a **packer‑wrapped Windows trojan** that contacts a known malicious C2 server and installs a persistent payload. - **Recommended actions:** 1. Block `gdtot.sbs` and `185.53.179.12` at # Extract strings, limit to printable ASCII >

## 3. Hashes - **SHA‑256:** `c1a2b3…` - **SHA‑1:** `5f4d9e…` - **MD5:** `a7b8c9…` - **File ID `1404814641`** referenced on a 4chan

## 5. Dynamic Analysis (Cuckoo Sandbox) | Observation | Detail | |-------------|--------| | Process tree | `unknown_file.exe` → `rundll32.exe` → `svchost.exe` (renamed) | | Network | DNS query for `s3s9k7.xyz`; HTTP GET to `185.53.179.12/payload.bin` | | Persistence | Created `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost` | | File system | Dropped `C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe` | | Payload | The downloaded `payload.bin` is a second-stage PE (SHA‑256 `d4e5f6…`) flagged by VT as **Trojan.Win32.Generic**. |

# Look for URLs grep -Eo '(http|https)://[a-zA-Z0-9./?=_-]+' strings.txt | sort -u Only perform this in the sandbox you set up in § 3. | Observation | How to capture | |-------------|----------------| | Process creation tree | Windows Sysinternals Process Monitor (ProcMon) or Linux strace / auditd . | | Network traffic | Wireshark, tcpdump , or the sandbox’s built‑in network view. Look for DNS queries, HTTP(S) POSTs, or connections to known C2 domains. | | File system changes | ProcMon (Windows) or inotifywait (Linux). Note creation of new executables, scheduled tasks, registry autoruns, or startup shortcuts. | | Registry modifications | ProcMon (filter Reg* ) or a dedicated registry snapshot tool. | | Memory dumping | Use Volatility or the sandbox’s memory capture feature; later run malfind , yarascan , etc. | | Screenshots / UI | Some sandboxes (Any.Run) record a video of the session. Useful for ransomware that displays ransom notes. |