Type: analysis
Family: asgardprotector
Confidence: medium
Created: 2026-05-27
Updated: 2026-05-27
Tags: peloader, packer, evasion, malware-family
SHA-256: d364a2f6997fd4874ba180207f6785151532c0fd3f014e36d44f330d50037191

asgardprotector: d364a2f6 — IExpress SFX dropper embedding AutoIt3 + Dayton.a3x script

Executive Summary

Sibling to d59dc2f2 (SomaliaCruises.exe, Terminals.a3x). Same wextract.exe build (identical PDB GUID), same fabrication of PE timestamp to 2085, same 2-file CAB payload structure. The .a3x script name is Dayton.a3x; the lure filename is StatingConnectors.exe. Resource directory timestamps are 2023-08-06, five days after the sibling's 2023-08-01, suggesting a batch-built cluster. No dynamic analysis available (CAPE skipped — no Windows guest); payload behavior remains opaque.

What It Is

  • File: StatingConnectors.exe, PE32+ x86-64, 2.22 MB (2,224,128 bytes).^[file.txt]
  • Build: MSVC 14.30 (VS 2022), linker version 14.30, compiled timestamp 2085:08:19 (fabricated).^[exiftool.json:15]^[pefile.txt:34]
  • PDB: wextract.pdb, GUID 94098867-5fc9-b268-c53c-be826110dd1e — identical to d59dc2f2.^[rabin2-info.txt:13]
  • Signature: Unsigned — certificate directory empty, same as sibling.^[pefile.txt:212]
  • Embedded archive: Microsoft Cabinet at offset 0xADA6C (711,276), 1,503,947 bytes, 2 files.^[binwalk.txt:5]
  • Payload: AutoIt3.exe and Dayton.a3x. CAB header hex confirms filenames at offsets 0xADA8C and 0xADABC.^[raw binary inspection]
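
The CAB offset and filename offsets above come from reading the cabinet header by hand. The following is an added illustration of that triage step, not the pipeline's own parser: it scans a byte blob for MSCF signatures, walks CFHEADER, CFFOLDER and CFFILE per the public MS-CAB layout, and reports each embedded file's name, size, timestamp, folder compression and the absolute offset of its name string, without decompressing anything. The cabinet bytes it parses are a constructed fixture (assumed names AutoIt3.exe and Dayton.a3x, one uncompressed folder, no CFDATA blocks), not bytes from the sample.

```python
# Added example: list the CFFILE entries of every Microsoft Cabinet embedded in a blob.
# Structure layouts follow the published MS-CAB format; the fixture below is constructed.
import struct
from datetime import datetime

CAB_MAGIC = b"MSCF"
CFHEADER_FMT = "<4sIIIIIBBHHHHH"   # 36-byte fixed CFHEADER
CFFOLDER_FMT = "<IHH"              # 8-byte fixed CFFOLDER
CFFILE_FMT = "<IIHHHH"             # 16-byte fixed CFFILE, followed by a NUL-terminated name
COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}
FLAG_PREV_CABINET, FLAG_NEXT_CABINET, FLAG_RESERVE_PRESENT = 0x1, 0x2, 0x4


def find_cab_offsets(blob):
    """Every offset at which an 'MSCF' signature occurs; each is a parse candidate."""
    offsets, pos = [], blob.find(CAB_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(CAB_MAGIC, pos + 1)
    return offsets


def _cstring(blob, pos):
    end = blob.index(b"\x00", pos)
    return blob[pos:end].decode("latin-1"), end + 1


def dos_datetime(date, time):
    """Decode the packed DOS date and time fields stored in a CFFILE entry."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_cab(blob, base):
    """Parse the CAB starting at blob[base] and return its file table as a dict."""
    (sig, _, cb_cabinet, _, coff_files, _, v_minor, v_major,
     n_folders, n_files, flags, _set_id, _i_cab) = struct.unpack_from(CFHEADER_FMT, blob, base)
    if sig != CAB_MAGIC:
        raise ValueError("no MSCF signature at 0x%X" % base)
    pos = base + struct.calcsize(CFHEADER_FMT)
    folder_reserve = 0
    if flags & FLAG_RESERVE_PRESENT:          # optional header/folder/data reserve sizes
        cb_header, folder_reserve, _cb_data = struct.unpack_from("<HBB", blob, pos)
        pos += 4 + cb_header
    for flag in (FLAG_PREV_CABINET, FLAG_NEXT_CABINET):   # two NUL-terminated strings each
        if flags & flag:
            _, pos = _cstring(blob, pos)
            _, pos = _cstring(blob, pos)
    folders = []
    for _ in range(n_folders):
        _coff_data, _n_data, type_compress = struct.unpack_from(CFFOLDER_FMT, blob, pos)
        folders.append(COMPRESSION.get(type_compress & 0xF, "UNKNOWN"))
        pos += struct.calcsize(CFFOLDER_FMT) + folder_reserve
    files, pos = [], base + coff_files          # coffFiles is relative to the CAB start
    for _ in range(n_files):
        size, _start, i_folder, date, time, attribs = struct.unpack_from(CFFILE_FMT, blob, pos)
        name_offset = pos + struct.calcsize(CFFILE_FMT)
        name, pos = _cstring(blob, name_offset)
        files.append({
            "name": name, "size": size, "attribs": attribs,
            "name_offset": name_offset,         # absolute offset within the outer file
            "compression": folders[i_folder] if i_folder < len(folders) else "SPANNED",
            "mtime": dos_datetime(date, time),
        })
    return {"offset": base, "cab_size": cb_cabinet,
            "version": "%d.%d" % (v_major, v_minor), "files": files}


def triage(blob):
    """Parse every embedded CAB found in blob (for instance the raw bytes of an SFX)."""
    return [parse_cab(blob, off) for off in find_cab_offsets(blob)]


def build_sample_cab(names):
    """Constructed fixture: a minimal one-folder, uncompressed CAB with no CFDATA blocks."""
    date, time = ((2023 - 1980) << 9) | (8 << 5) | 6, 12 << 11   # 2023-08-06 12:00, constructed
    entries = b"".join(
        struct.pack(CFFILE_FMT, 1000 * (i + 1), 0, 0, date, time, 0x20) + n.encode() + b"\x00"
        for i, n in enumerate(names))
    folder = struct.pack(CFFOLDER_FMT, 0, 0, 0)        # typeCompress 0 = NONE
    coff_files = struct.calcsize(CFHEADER_FMT) + len(folder)
    total = coff_files + len(entries)
    header = struct.pack(CFHEADER_FMT, CAB_MAGIC, 0, total, 0, coff_files, 0,
                         3, 1, 1, len(names), 0, 0x1234, 0)   # version 1.3, no flags
    return header + folder + entries


# Constructed stand-in for an SFX: a fake 512-byte stub, then the CAB, then trailing bytes.
SAMPLE_BLOB = b"MZ" + b"\x90" * 510 + build_sample_cab(["AutoIt3.exe", "Dayton.a3x"]) + b"\x00" * 16

if __name__ == "__main__":
    for cab in triage(SAMPLE_BLOB):
        print("CAB at 0x%X, %d bytes, v%s" % (cab["offset"], cab["cab_size"], cab["version"]))
        for f in cab["files"]:
            print("  %-16s %8d  %s  name@0x%X  %s" % (f["name"], f["size"], f["compression"],
                                                     f["name_offset"], f["mtime"]))
```

Run against the real file with `triage(open(path, "rb").read())`; a hit whose file list pairs an interpreter with a script, as here, is the property worth surfacing, and the name offsets let you cross-check a hex dump the way the bullet above does.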

How It Works

The outer binary is a repacked wextract.exe (IExpress CAB self-extractor). Standard execution flow:

  1. Extracts the embedded CAB to a temporary directory (%TEMP%\msdownld.tmp).^[strings.txt:100]
  2. Reads the RUNPROGRAM directive from the SED stored in .rsrc.^[strings.txt:91]
  3. Executes the post-extraction command.

For this sample, the RUNPROGRAM directive resolves to "AutoIt3.exe" Dayton.a3x.^[strings.txt:5124] POSTRUNPROGRAM cleanup is also present.^[strings.txt:92]

The .rsrc section (2.1 MB, entropy 7.299) holds the CAB archive plus an AVI spinner animation (resource IDs 0xBB9/0xBBA). Resource directory timestamps are 0x64CFBEEA (2023-08-06), differing from the PE header's fabricated 2085 timestamp, confirming repacking.^[pefile.txt:535-546]

Decompiled Behavior

Ghidra confirms identical entry logic to d59dc2f2:

  • Entry at 0x140001150 -> __security_init_cookie -> __mainCRTStartup.^[ghidra:entry-140001150]
  • RunInstallCommand (0x14000721c) reads SED directives (RUNPROGRAM, POSTRUNPROGRAM, REBOOT, SHOWWINDOW) from .rsrc and executes the target command via CreateProcess-like logic.^[ghidra:RunInstallCommand-14000721c]
  • GetTempDirectory (0x14000521c) creates %TEMP%\msdownld.tmp, validates disk space, and sets extraction path.^[ghidra:GetTempDirectory-14000521c]
  • No anti-debug, anti-VM, or encryption in the outer SFX — stock Microsoft tool with modified resources.

The malicious logic lives in the compiled Dayton.a3x, which is opaque without an AutoIt decompiler or dynamic execution.

C2 Infrastructure

None observable from static analysis. The compiled .a3x is the only potential C2-bearing component. Floss failed on the outer binary due to a CLI argument error (same pipeline bug as the sibling analysis).^[floss.txt]

Interesting Tidbits

  • Filename bait: StatingConnectors.exe — business / software-themed lure (different from sibling's travel theme).
  • Identical PDB GUID: confirms the outer SFX is from the same binary source as d59dc2f2, not independently compiled.
  • Resource timestamp delta: 2023-08-06 vs 2023-08-01 on sibling — five-day spread, consistent with a builder generating multiple variants from the same base.
  • Size delta: 2.22 MB vs 1.87 MB sibling — the CAB and .a3x are slightly larger, suggesting different payload contents.
  • Sibling cluster: 87a158f2 (Easter.a3x) uses the same IExpress+AutoIt3 pattern, broadening the cluster beyond the two asgardprotector-labeled samples.

How To Mess With It (Homelab Replication)

See the d59dc2f2 sibling report for the full IExpress SFX dropper reproduction recipe. For this variant specifically:

  1. Modify the SED to set AppLaunched="AutoIt3.exe" Dayton.a3x.
  2. Swap Terminals.a3x for Dayton.a3x in the source files list.
  3. Rebuild; the resulting binary will match this sample's structure.

Verification step: binwalk output.exe should show Microsoft Cabinet archive data at 0xADA6C, and strings should reveal "AutoIt3.exe" Dayton.a3x.

Deployable Signatures

YARA rule

This sample fits the same AsgardProtector_IExpress_AutoIt_Dropper rule used for d59dc2f2 (see sibling report). The rule matches on wextract.pdb + AutoIt3.exe + .a3x + SED directives, which this binary satisfies. No family-specific YARA delta is needed for the outer SFX.

Sigma rule

Extend the sibling Sigma rule with this filename:

title: IExpress SFX AutoIt Execution — AsgardProtector cluster
status: experimental
description: Detects execution of IExpress self-extractor that drops and runs AutoIt3 with an .a3x script (AsgardProtector cluster)
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        CommandLine|contains:
            - 'AutoIt3.exe'
            - '.a3x'
    selection_parent:
        ParentImage|endswith:
            - '\wextract.exe'
            - '\SomaliaCruises.exe'
            - '\StatingConnectors.exe'
    selection_temp:
        CommandLine|contains:
            - '\msdownld.tmp'
            - '\IXP'
    condition: selection_main and (selection_parent or selection_temp)
falsepositives:
    - Legitimate IExpress installers that happen to include AutoIt (rare)
level: high
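
To sanity-check the rule's logic before shipping it, the following added example (not part of the original report, and not a Sigma engine) evaluates the three selections and the condition over constructed process_creation events. It implements only the `contains` and `endswith` modifiers with Sigma's case-insensitive, list-means-OR semantics; the event field names follow Sysmon-style `CommandLine`/`ParentImage` and the sample events are invented, not telemetry from this sample.

```python
# Added example: minimal evaluator for the Sigma rule's selections and condition.
# Values listed under one field are OR'd, fields within a selection are AND'd,
# and matching is case-insensitive, as in Sigma. Events below are constructed.

RULE_SELECTIONS = {
    "selection_main": {"CommandLine|contains": ["AutoIt3.exe", ".a3x"]},
    "selection_parent": {"ParentImage|endswith": [
        "\\wextract.exe", "\\SomaliaCruises.exe", "\\StatingConnectors.exe"]},
    "selection_temp": {"CommandLine|contains": ["\\msdownld.tmp", "\\IXP"]},
}


def selection_matches(event, selection):
    """True when every field in the selection matches (any listed value suffices)."""
    for field_mod, values in selection.items():
        field, modifier = field_mod.split("|", 1)
        actual = str(event.get(field, "")).lower()
        if modifier == "contains":
            hit = any(v.lower() in actual for v in values)
        elif modifier == "endswith":
            hit = any(actual.endswith(v.lower()) for v in values)
        else:
            raise ValueError("unsupported modifier: " + modifier)
        if not hit:
            return False
    return True


def rule_matches(event):
    """condition: selection_main and (selection_parent or selection_temp)"""
    sel = {name: selection_matches(event, s) for name, s in RULE_SELECTIONS.items()}
    return sel["selection_main"] and (sel["selection_parent"] or sel["selection_temp"])


def evaluate(events):
    """Apply the rule to a list of events; returns one bool per event."""
    return [rule_matches(e) for e in events]


# Constructed events (not real telemetry). Expected: match, no match, match, no match.
SAMPLE_EVENTS = [
    {   # interpreter launched by the lure itself
        "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\IXP000.TMP\\AutoIt3.exe",
        "ParentImage": "C:\\Users\\u\\Downloads\\StatingConnectors.exe",
        "CommandLine": "\"AutoIt3.exe\" Dayton.a3x",
    },
    {   # unrelated shell activity
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "cmd.exe /c dir",
    },
    {   # stock wextract.exe parent and the msdownld.tmp extraction directory
        "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\msdownld.tmp\\AutoIt3.exe",
        "ParentImage": "C:\\Windows\\System32\\wextract.exe",
        "CommandLine": "C:\\Users\\u\\AppData\\Local\\Temp\\msdownld.tmp\\AutoIt3.exe script.a3x",
    },
    {   # a developer running an installed AutoIt interactively: the false-positive case
        "Image": "C:\\Program Files\\AutoIt3\\AutoIt3.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "\"C:\\Program Files\\AutoIt3\\AutoIt3.exe\" build.a3x",
    },
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT" if hit else "  ok ", event["CommandLine"])
```

The fourth event shows why the condition ties `selection_main` to a parent or a temp-path selection rather than alerting on AutoIt3 alone: an installed interpreter run from Explorer stays quiet, while the same command line under a wextract-derived parent or from the extraction directory fires.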

IOC list

| Indicator | Type | Notes |
|---|---|---|
| d364a2f6997fd4874ba180207f6785151532c0fd3f014e36d44f330d50037191 | SHA-256 | Outer SFX |
| StatingConnectors.exe | Filename | Business-themed lure |
| wextract.pdb | PDB path | Outer SFX marker (GUID matches sibling) |
| AutoIt3.exe + Dayton.a3x | File pair | Post-extraction execution |
| %TEMP%\msdownld.tmp | Directory | Extraction target |
| rundll32.exe %sadvpack.dll,DelNodeRunDLL32 | Cleanup command | Post-run cleanup |

Behavioral fingerprint

This binary is a PE32+ x64 Microsoft Cabinet self-extractor with a .rsrc section exceeding 2.0 MB and entropy >7.2. Upon execution, it writes AutoIt3.exe and a .a3x file (Dayton.a3x) to a temporary directory under %TEMP%, then launches the AutoIt interpreter with the compiled script as its argument. No network indicators are visible in the outer SFX; all malicious behavior is expected to reside in the compiled AutoIt script, which requires dynamic analysis or an AutoIt decompiler to inspect. The PDB GUID (94098867-5fc9-b268-c53c-be826110dd1e) is shared with at least one sibling (d59dc2f2), indicating a common builder or repacker origin.
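
The static half of this fingerprint (PE32+, a .rsrc section over 2.0 MB with entropy above 7.2, and a cabinet signature inside it) is cheap to check at scale. The added example below does that over a section list; it is illustration code, not the pipeline's own tooling, and the two section fixtures are constructed bytes rather than the sample's contents. The caller is assumed to supply `(name, raw_bytes)` pairs from a PE section table and the PE32+ flag from the optional header.

```python
# Added triage check for the static fingerprint: large, high-entropy .rsrc carrying MSCF.
# Section contents below are constructed fixtures, not bytes from the sample.
import math

MSCF = b"MSCF"
RSRC_MIN_BYTES = 2_000_000     # ".rsrc section exceeding 2.0 MB"
RSRC_MIN_ENTROPY = 7.2         # "entropy >7.2"


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(b) for b in range(256))   # bytes.count accepts an int byte value
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(sections, is_pe64=True):
    """sections: list of (name, raw_bytes) from the section table.
    Returns (matches, reasons); reasons names every criterion that failed."""
    reasons = []
    if not is_pe64:
        reasons.append("not PE32+")
    rsrc = next((data for name, data in sections if name == ".rsrc"), None)
    if rsrc is None:
        reasons.append("no .rsrc section")
        return False, reasons
    entropy = shannon_entropy(rsrc)
    if len(rsrc) <= RSRC_MIN_BYTES:
        reasons.append(".rsrc is %d bytes" % len(rsrc))
    if entropy <= RSRC_MIN_ENTROPY:
        reasons.append(".rsrc entropy %.3f" % entropy)
    if MSCF not in rsrc:
        reasons.append("no MSCF signature in .rsrc")
    return not reasons, reasons


# Constructed fixtures. HOT: ~2.1 MB of uniformly distributed bytes (entropy 8.0)
# with an MSCF signature planted at offset 1000. COLD: a small, all-zero .rsrc.
_hot = bytearray(bytes(range(256)) * 8203)
_hot[1000:1004] = MSCF
HOT_SECTIONS = [(".text", b"\x90" * 4096), (".rsrc", bytes(_hot))]
COLD_SECTIONS = [(".text", b"\x90" * 4096), (".rsrc", b"\x00" * 300_000)]

if __name__ == "__main__":
    for label, secs in (("hot", HOT_SECTIONS), ("cold", COLD_SECTIONS)):
        hit, why = fingerprint(secs)
        print(label, "MATCH" if hit else "no match", why)
```

Reporting every failed criterion rather than a bare boolean matters in practice: a variant that trims the AVI spinner out of .rsrc could fall under the 2.0 MB bar while still carrying a high-entropy cabinet, and the reasons list shows which threshold needs loosening when that happens.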

Detection Signatures

| ATT&CK Technique | Implementation | Evidence |
|---|---|---|
| T1204.002 (User Execution: Malicious File) | Double-click SFX lure | Filename StatingConnectors.exe^[triage.json:5] |
| T1059.005 (Command and Scripting Interpreter: Visual Basic) | AutoIt3 script execution | AutoIt3.exe + Dayton.a3x^[strings.txt:5124] |
| T1027 (Obfuscated Files or Information) | Compiled AutoIt script (.a3x) | Dayton.a3x is opaque binary^[binwalk.txt] |
| T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys) | Potential — AddRegRunOnce called in RunInstallCommand if g_CMD != 0 | Observed in RunInstallCommand decompile^[ghidra:RunInstallCommand-14000721c] |

References

  • d364a2f6997fd4874ba180207f6785151532c0fd3f014e36d44f330d50037191 (this analysis)
  • asgardprotector — family entity page
  • iexpress-sfx-dropper — concept page for the delivery mechanism
  • autoit-compiled-script-dropper — concept page for the payload pattern
  • Sibling: d59dc2f22167b0a44bf103d664842112981d4b3dbe62f7a27e671cddbbac9d73 (SomaliaCruises.exe, Terminals.a3x)
  • Cluster: 87a158f2dfdbc21bae4a72270df0e9e710434d7ae19d8b1ca206d26374a8a966 (Easter.a3x, unclassified)

Provenance

  • File type: file v5.45.^[file.txt]
  • PE sections & headers: pefile Python module.^[pefile.txt]
  • Strings: strings from binutils.^[strings.txt]
  • Floss: flare-floss v2.3.0 (failed due to CLI argument error).^[floss.txt]
  • Capa: Mandiant capa v7 (installer limitation warning).^[capa.txt]
  • Binwalk: binwalk v2.3.4.^[binwalk.txt]
  • radare2: rabin2 v5.9.2.^[rabin2-info.txt]
  • Ghidra: v12.1, decompiled entry, RunInstallCommand, GetTempDirectory.^[ghidra:entry-140001150]^[ghidra:RunInstallCommand-14000721c]^[ghidra:GetTempDirectory-14000521c]
  • CAB extraction: manual header parsing from raw binary (Python struct).
  • No dynamic analysis available (CAPE skipped — no Windows guest).^[dynamic-analysis.md]