Complex 4627.bin - Download
The binary was retrieved from a public “file‑sharing” forum (URL redacted for compliance). The SHA‑256 fingerprint is:
A4B9F0E7C3D2F5A1E9B6C8D4E2F1A7B9C3D0E9F6A1B2C4D5E6F7A8B9C0D1E2F
Recording the cryptographic hash lets the sample's integrity be verified throughout the analysis.
| Capability | Description |
|------------|-------------|
| Data Exfiltration | Collects system information (OS version, installed software, user accounts) and sends it to the C2 via TLS. |
| Lateral Movement | Attempts to access SMB shares and uses Pass‑the‑Hash if credentials are cached. |
| Payload Delivery | Deploys a Linux ELF backdoor (Payload B) on any reachable Linux host on the same subnet, using SMB/SMB2 for file transfer. |
| Self‑Destruct | After three failed C2 connections, overwrites its own file on disk with random data and deletes registry entries. |
Using radare2, the PE‑Stub was disassembled. It consists of:
```c
// Pseudo-code extracted from loader (reconstructed: the key buffer and the
// SHA256 output argument are assumed; the GetAdaptersInfo arguments stay elided)
uint8_t* get_key(void)
{
    static uint8_t key[32];          // SHA-256 digest doubles as the AES-256 key
    uint8_t mac[6];
    GetAdaptersInfo(..., mac);       // read the network adapter's MAC address
    SHA256(mac, sizeof(mac), key);   // key = SHA-256(MAC)
    return key;
}
```
The loader then decrypts Payload A and jumps to its entry point.
| Offset (hex) | Size (bytes) | Description |
|--------------|--------------|-------------|
| 0x0000 | 0x2000 | Random padding (high entropy) |
| 0x2000 | 0x1000 | PE‑Stub – tiny Windows PE loader (32‑bit) |
| 0x3000 | 0x4000 | Encrypted Payload A (AES‑256‑CBC) |
| 0x7000 | 0x2000 | Compressed Payload B (UPX‑like) |
| 0x9000 | 0x1800 | Embedded Resources (PNG, ZIP) |
| 0xA800 | 0x5800 | Self‑Modifying Code Region |
| 0x10000 | 0x1000 | Signature Block (RSA‑2048) |
The entropy of the first 0x2000 bytes is 7.98 bits/byte, typical of random padding used to thwart signature‑based detection.
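To check the entropy claim against the layout table above, here is an added triage script (not code from the original page or from the sample itself) that computes Shannon entropy per region and flags regions that look encrypted, compressed or random. The file contents are constructed stand-in bytes with a fixed seed, not the real binary.

```python
# Added example (not from the original page): compute Shannon entropy per
# region of a binary laid out as in the offset table above, to confirm the
# "high entropy padding" claim and flag other encrypted/compressed regions.
import math
import random
from collections import Counter

# Region layout taken from the page's offset table: (offset, size, description)
LAYOUT = [
    (0x0000, 0x2000, "Random padding"),
    (0x2000, 0x1000, "PE-Stub"),
    (0x3000, 0x4000, "Encrypted Payload A"),
    (0x7000, 0x2000, "Compressed Payload B"),
    (0x9000, 0x1800, "Embedded Resources"),
    (0xA800, 0x5800, "Self-Modifying Code Region"),
    (0x10000, 0x1000, "Signature Block"),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def region_entropies(blob: bytes, layout=LAYOUT):
    """[(description, entropy)] per region; a region past the end of blob is truncated."""
    return [(desc, shannon_entropy(blob[off:off + size])) for off, size, desc in layout]

def high_entropy_regions(blob: bytes, threshold: float = 7.9, layout=LAYOUT):
    """Regions at or above the threshold: likely encrypted, compressed or random."""
    return [desc for desc, h in region_entropies(blob, layout) if h >= threshold]

def build_sample() -> bytes:
    """Constructed stand-in for the file (not the real Complex 4627.bin): random
    padding, a near-constant stub, random 'encrypted' payload, zeros elsewhere."""
    rng = random.Random(4627)                 # fixed seed: reproducible output
    blob = bytearray(rng.randbytes(0x2000))   # 0x0000: random padding
    blob += b"MZ" + bytes(0x1000 - 2)         # 0x2000: PE stub, almost all zeros
    blob += rng.randbytes(0x4000)             # 0x3000: encrypted Payload A
    blob += bytes(0x11000 - len(blob))        # remaining regions: zero filler
    return bytes(blob)

if __name__ == "__main__":
    for desc, h in region_entropies(build_sample()):
        print(f"{desc:28s} {h:5.2f} bits/byte")
```

Replace `build_sample()` with the bytes of a real file to get a per-region entropy profile; the 7.9 threshold is a practical cut-off, since 8 KiB of uniformly random bytes measures just under 8.0 bits/byte, matching the 7.98 figure quoted above.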