Note: this report may be incomplete because the AI analysis reached the following limit(s): token.

# Malware Triage Report

## Summary

**File:** `9da5191c78e49b46e479cdfe20004a9d76ccc4a545deeb83e3c07f83db9cf736` (#AID=195#)

**Type:** PE x64 GUI executable (~395 KB)

**Compiler/Runtime:** Built with the **Zig** programming language, using Mingw-w64 / MSVC 2015 linker artifacts (string `\\.\pipe\zig-childprocess--`, "Zig WinHTTP Client").

**Signing:** Authenticode-signed with a certificate issued to **"NVIDIA Corporation"** by DigiCert Trusted G4 (serial `0997c56caa59055394d9a9cdb8beeb56`, validity 2023-01-13 → 2026-01-16). Almost certainly a stolen/abused certificate: legitimate NVIDIA tooling is not shipped as a Zig-built single-file dropper.

**Kesakode hint:** `StxRATLoader` (confidence 0/100: low confidence, but the label matches the observed behavior).

The sample is a **Zig-language downloader/loader** that fetches `python3.zip` from a hard-coded server, deploys it under `%LOCALAPPDATA%`, and runs a Python payload (`maintaindown.py`) via a renamed Python interpreter (`svpy.exe`). It implements retry/persistence loops with `Sleep` between attempts and uses dynamically resolved `WinHttp*` APIs.

## Key detections / IOCs

**Network IOC**

- `https://down.temp-xy.com/update/python3.zip` (hard-coded HTTPS URL)

**File / Path artifacts**

- `tmp\python3.zip` (download target)
- Drop dir resolution chain: `LOCALAPPDATA` → `XDG_DATA_HOME` → `HOME` → `USERPROFILE` → fallback `C:\Users\Public`
- `svpy.exe` (renamed Python interpreter used as the launcher)
- `maintaindown.py` (downloaded Python script executed by `svpy.exe`)
- 10-character random suffix using alphabet `abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789`

**Command / Execution artifacts**

- `cmd.exe /d /e:ON /v:OFF /c "` (Zig `std.process.Child` shell-launch prefix)
- `\\.\pipe\zig-childprocess--` (Zig std-lib child-process pipe)

**Certificate (likely abused / stolen)**

- Subject: `NVIDIA Corporation`, Org Unit `2-J`, Santa Clara, CA, US
- Issuer: `DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1`
- Serial: `0997c56caa59055394d9a9cdb8beeb56`
- Hash/Crypto: SHA256 / RSA, validity 2023-01-13 → 2026-01-16

**Yara matches**

- `DownloadUsingWinHttp` (UNCOMMON)
- `RunShell` (UNCOMMON, lateral movement)
- `Zlib` (used for ZIP extraction)

**Anomalies**

- `DebugTimeDateStampInTheFuture` / `TimeDateStampInTheFuture` → 2090-07-13 (forged timestamps)
- `GuiSubsystemNoWindowApi` (GUI subsystem but no user32 import → silent execution)
- `XorInLoop` ×19, `HighXrefLoopingFunction`, `ManyHighValueImmediates` (string-decryption / obfuscation indicators)
- `SectionNameUnknown` (`.buildid`), `NoChecksum`

## Evidence

1. **High-level info (`analyse_infos`)**: PE x64, signed with the NVIDIA certificate, debug timestamp in 2090. Imports include `WinHttp*` (resolved at runtime via `LoadLibraryW("winhttp.dll")` + `GetProcAddress`), `CreateProcessW`, `CreateNamedPipeW`, `OpenEventLogW`, `SystemFunction036` (RtlGenRandom), and CRT mingw imports.
2. **Downloader logic in `sub_140010791` (VA `0x140010791`)**: decompilation shows:
   - Resolves the drop directory via `LOCALAPPDATA` → `XDG_DATA_HOME` → `HOME` → `USERPROFILE` → fallback `C:\Users\Public`.
   - Generates a 10-character random subdirectory name using RtlGenRandom over the base62 alphabet.
   - Builds the path `tmp\python3.zip`.
   - Lazy-loads `winhttp.dll` and resolves `WinHttpOpen/Connect/OpenRequest/SendRequest/ReceiveResponse/QueryHeaders/ReadData/CloseHandle`.
   - Sends an HTTPS request with User-Agent `"Zig WinHTTP Client"` to `https://down.temp-xy.com/update/python3.zip`.
   - Reads the response in 0x1000-byte chunks, writes the file, and extracts the ZIP entries.
   - Retries 3 times with `Sleep(1000)` / `Sleep(3000)` between attempts.
3. **Payload launcher in `sub_14000e56c` (VA `0x14000e56c`)**: builds a path ending in `svpy.exe`, the dropped/renamed Python interpreter used to run the downloaded script.
4. **`maintaindown.py` reference (`sub_140014363`, VA `0x140014363`)**: confirms the Python script that `svpy.exe` will execute. The naming ("maintain" + "down") is consistent with persistence/maintenance staging.
5. **Shell execution**: function `sub_14001c971` references `cmd.exe /d /e:ON /v:OFF /c "`. Combined with `CreateProcessW`, this enables arbitrary shell command execution.
6. **No legitimate-installer artifacts**: no resources, no version info, no MSI/CAB, no NVIDIA product strings beyond the certificate subject, and no GUI even though the binary is tagged as GUI subsystem. This is inconsistent with any real NVIDIA tool.

## Counter-arguments

- The binary is signed with a chain to DigiCert and the certificate is not expired. However, NVIDIA code-signing certificates leaked in 2022 (Lapsus$) have been widely abused, and the rest of the file is incompatible with legitimate NVIDIA tooling.
- Kesakode confidence is 0/100 for `StxRATLoader`: family attribution is weak, but the malicious behavior itself is unambiguous.
- Downloading a `python3.zip` can in isolation appear in legitimate installers; combined with random folder names, the `C:\Users\Public` fallback, no UI, future-dated timestamps, an abused certificate, and the unbranded `down.temp-xy.com` host, the legitimate interpretation is not credible.
- Some XOR-in-loop hits stem from Zig's runtime/std code (zlib, string utilities) rather than custom obfuscation.

## Verdict

**MALICIOUS: Loader / Downloader (Python-based RAT stager).** Confidence: **High (~95%)**.

The sample is a Zig-built Windows downloader signed with an almost certainly abused/stolen NVIDIA code-signing certificate. It downloads a ZIP archive containing a Python runtime plus a maintenance script (`maintaindown.py`) from `https://down.temp-xy.com/update/python3.zip`, drops it in a randomly named folder under `%LOCALAPPDATA%` (or the `C:\Users\Public` fallback), and executes the script through a bundled / renamed Python interpreter `svpy.exe`, with `cmd.exe` available for arbitrary shell execution. The behavior aligns with Kesakode's `StxRATLoader` hint: a first-stage loader for a Python-based RAT.

**Recommended actions:** block this SHA-256, block the domain `down.temp-xy.com`, hunt EDR/SIEM for `svpy.exe` and `maintaindown.py` artifacts under `%LOCALAPPDATA%` and `C:\Users\Public`, and revoke trust in certificate serial `0997c56caa59055394d9a9cdb8beeb56` if it is not already revoked.