When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com – Part Three

Dear blog readers,

Continuing the “When Data Mining Conti Leaks Leads to Actual Binaries and to a Hardcoded C2 With an Encryption Key on Tripod.com – Part Two” blog post series, in this post I’ll analyze the next malicious software binary, which I obtained, with a lot of success, by data mining the Conti Leaks.

The actual malicious software binary location URL:

hxxp://shighil.com/dl2.exe

MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA-1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA-256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

Here’s the actual analysis.

Executive Summary

dl2.exe is a Windows x86_64 PE executable (849.5 KB) exhibiting characteristics consistent with malicious software. The binary implements registry manipulation, dynamic API resolution, file system operations, and system information gathering. The analysis identified multiple high-risk behaviors typical of malware, in particular around persistence mechanisms and anti-analysis techniques.

Key Findings

Critical Capabilities (High Severity)

1. Registry Manipulation

2. Dynamic API Resolution

  • Function: sub_40b868 (0x40b868)
  • APIs Used: GetProcAddress, LoadLibrary, GetModuleHandle
  • Risk: High – Common evasion technique: the real set of APIs the sample calls never appears in its import table, which defeats import-based static analysis and IAT-based API monitoring
  • Details: Resolves function addresses at runtime (LoadLibrary/GetModuleHandle to obtain the module base, GetProcAddress to look up the export), so the strings or hashes of the target API names, not the import table, are the only static trace

Medium Severity Capabilities

3. File System Operations

  • Functions: sub_423718, sub_4228a4, sub_423360, sub_41aeec
  • APIs Used: CreateFile, DeleteFile, MoveFile, CopyFile, FindFirstFile, FindNextFile, GetFileAttributes
  • Risk: Medium – Can manipulate files on the system
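
To make the two findings above concrete (dynamic API resolution, and the file-system API group), here is an added triage helper that is not part of the original analysis and not code from the sample. It takes the names found in a binary’s import table together with the raw bytes of the file, groups any recognized API names into the capability categories used in this post, and reports API names that appear as plaintext strings in the file but are absent from the import table, which is exactly the footprint a GetProcAddress/LoadLibrary resolver leaves behind. The import list and the byte blob below are constructed sample data, not taken from dl2.exe, and the severity labels simply mirror the ones used in this post.

```python
import re
import sys
from typing import Dict, List, Set, Tuple

# Capability groups mirroring the categories in this post (Windows API export
# names; severity labels are the ones used above, not a vendor scoring).
CAPABILITIES: Dict[str, Tuple[str, Set[str]]] = {
    "dynamic_api_resolution": ("high", {
        "GetProcAddress", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
        "LoadLibraryExW", "GetModuleHandleA", "GetModuleHandleW"}),
    "registry_manipulation": ("high", {
        "RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW",
        "RegSetValueExA", "RegSetValueExW", "RegDeleteValueA", "RegDeleteValueW"}),
    "file_system_operations": ("medium", {
        "CreateFileA", "CreateFileW", "DeleteFileA", "DeleteFileW",
        "MoveFileA", "MoveFileW", "CopyFileA", "CopyFileW",
        "FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW",
        "GetFileAttributesA", "GetFileAttributesW"}),
}

# Every API name we know how to classify, for quick membership tests.
KNOWN_APIS: Set[str] = set().union(*(names for _, names in CAPABILITIES.values()))

# Printable ASCII runs of plausible identifier length; null-terminated API name
# strings in a PE show up as such runs.
ASCII_RUN_RE = re.compile(rb"[A-Za-z][A-Za-z0-9]{3,40}")


def api_strings(data: bytes) -> Set[str]:
    """Return the known API names that occur as plaintext ASCII strings in data."""
    found = set()
    for match in ASCII_RUN_RE.finditer(data):
        name = match.group().decode("ascii")
        if name in KNOWN_APIS:
            found.add(name)
    return found


def triage(imports: List[str], data: bytes) -> Tuple[Dict[str, dict], List[str]]:
    """Group imported and string-referenced API names into capability categories.

    Returns (hits, hidden): hits maps category -> {"severity", "apis"} for every
    category with at least one matching API; hidden lists known API names that
    are present as strings but missing from the import table, i.e. candidates
    for runtime resolution via GetProcAddress.
    """
    imported = set(imports)
    referenced = api_strings(data)
    seen = imported | referenced
    hits: Dict[str, dict] = {}
    for category, (severity, names) in CAPABILITIES.items():
        matched = sorted(seen & names)
        if matched:
            hits[category] = {"severity": severity, "apis": matched}
    hidden = sorted(referenced - imported)
    return hits, hidden


# Constructed sample input: a static import table that only exposes the resolver
# APIs, and a byte blob in which the file-system and registry API names appear
# only as strings. This is illustrative data, not bytes from dl2.exe.
SAMPLE_IMPORTS = ["GetProcAddress", "LoadLibraryA", "GetModuleHandleA", "ExitProcess"]
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"kernel32.dll\x00"
    b"CreateFileW\x00DeleteFileW\x00MoveFileW\x00FindFirstFileW\x00"
    b"RegSetValueExW\x00" + b"\x00" * 8
)


if __name__ == "__main__":
    # With a file path argument the raw bytes are read from disk; the import
    # table would normally come from a PE parser and is left empty here, so
    # every recognized string is reported as hidden.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        hits, hidden = triage([], blob)
    else:
        hits, hidden = triage(SAMPLE_IMPORTS, SAMPLE_BYTES)
    for category, info in hits.items():
        print(f"{category} [{info['severity']}]: {', '.join(info['apis'])}")
    print("string-only (likely resolved at runtime):", ", ".join(hidden))
```

On the sample input the import table alone would only show the resolver trio, while the string scan surfaces the file-system and registry APIs the sample actually reaches for; that gap between imports and referenced names is the practical indicator of the sub_40b868-style resolver described above. Real samples that hash API names instead of storing them in plaintext will show nothing in the string scan, so an empty hidden list is not a clean bill of health.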

4. System Information Gathering