54e64e
OpenCTI opaque family label. Currently a single-sample family: an MSVC C++ x64 dropper masquerading as a system-analyzer tool.
Overview
The 54e64e label is assigned by OpenCTI/MalwareBazaar as a family identifier for a Windows loader/dropper cluster. As of 2026-06-01 only one sample has been analysed: a 5.2 MB MSVC C++ PE that masquerades as a "System Analyzer Tool", downloads a second-stage payload, disables Windows Defender, and executes the payload. OpenCTI also co-labels this sample with dropped-by-amadey, suggesting it is part of the Amadey downloader delivery chain, though this relationship is not independently confirmed.
Build Stack
Two distinct build morphs are observed under the same family label:
Morph 1 — Null-padded MSVC C++ (3b13b28c)
- Compiler: MSVC 19.43 (Visual Studio 2022 17.3+) ^[/intel/analyses/3b13b28ca3a6d3c82228f5cc6a6e0bef583e9c3b3092da4c20fe72c75f3dd386.html]
- Language: C++ with full MSVC standard library (STL strings, streams, exception support)
- Packing/Obfuscation: None. No packer, no strip, no encryption. Binary is padded to ~5 MB with null bytes after a small overlay UAC manifest.
- Signing: Unsigned
Morph 2 — UPX-packed x64 (c8db13c1)
- Packer: UPX (3 sections: UPX0, UPX1, UPX2) with modified/hacked header that defeats standard UPX decompression. ^[/intel/analyses/c8db13c15ad99cc002dda644384e730497972a9995510918f5fc7e2c071b9a0f.html]
- Compiler: Unknown — timestamp zeroed by UPX
- Import table: Stripped to four KERNEL32 functions (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess); the full import table is rebuilt at runtime
- Signing: Unsigned
- Payload indicators: AES S-Box tables found inside compressed UPX1 section, suggesting encrypted second-stage content
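A static triage check for the build-stack indicators listed above, added here as an example and not taken from the original analyses: it walks the PE headers with a minimal hand-rolled parser (no pefile), flags the UPX0/UPX1/UPX2 section set and zeroed timestamp of Morph 2, scans each section's raw bytes for the AES forward S-box prefix (which only matches if the table sits uncompressed in the section, as the UPX1 finding implies), and measures the null-padded overlay of Morph 1. The sample layouts it builds are constructed test fixtures, not real samples, and the four-import check is left out of scope.

```python
import struct

# First 16 bytes of the AES forward S-box: the "AES S-Box tables" indicator reported inside UPX1 (Morph 2).
AES_SBOX_PREFIX = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                         0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])

def parse_pe(pe: bytes):
    """Minimal PE header walk (no pefile): returns (machine, timestamp, [(name, raw_ptr, raw_size)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    return machine, ts, sections

def triage(pe: bytes) -> dict:
    """Flag the static indicators listed for the null-padded MSVC morph and the UPX-packed sibling."""
    machine, ts, sections = parse_pe(pe)
    names = [n for n, _, _ in sections]
    end = max((p + s for _, p, s in sections), default=0)
    overlay = pe[end:]                           # bytes past the last section's raw data
    return {
        "x64": machine == 0x8664,
        "timestamp_zeroed": ts == 0,             # Morph 2: build timestamp wiped by UPX
        "upx_sections": all(n in names for n in ("UPX0", "UPX1", "UPX2")),
        "aes_sbox_in": [n for n, p, s in sections if AES_SBOX_PREFIX in pe[p:p + s]],
        "overlay_bytes": len(overlay),           # Morph 1: ~5 MB of null padding after a small manifest
        "overlay_null_ratio": round(overlay.count(0) / len(overlay), 3) if overlay else 0.0,
    }

def build_test_pe(sections, timestamp=0, overlay=b""):
    """Construct a minimal, non-executable PE layout (headers + raw sections) as an offline test fixture."""
    nsec = len(sections)
    data_start = (0x58 + 40 * nsec + 0x1FF) & ~0x1FF            # first 0x200-aligned raw offset
    out = bytearray(0x40); out[:2] = b"MZ"; struct.pack_into("<I", out, 0x3C, 0x40)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsec, timestamp, 0, 0, 0, 0x22)
    ptr, body = data_start, b""
    for name, raw in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        out += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000 + ptr, size, ptr) + bytes(16)
        body += raw.ljust(size, b"\0"); ptr += size
    return bytes(out).ljust(data_start, b"\0") + body + overlay
```

On a real file, `triage(open(path, "rb").read())` gives the same dictionary; a hit on all three UPX-side keys with a non-zero `aes_sbox_in` list is the Morph 2 profile, a large overlay with a null ratio near 1.0 is the Morph 1 profile.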
Deploy / TTPs
| Technique | ATT&CK ID | Evidence |
|---|---|---|
| Ingress Tool Transfer | T1105 | URLDownloadToFileW to fetch http://80.253.249.169:5000/upfevb.exe |
| Impair Defenses | T1562.001 | Spawns hidden powershell Add-MpPreference -ExclusionPath |
| Virtualization/Sandbox Evasion | T1497.001 | PRNG-based delay loop and verbose fake diagnostic output |
| Signed Binary Proxy Execution | T1218.011 | ShellExecuteA to launch downloaded payload |
| User Execution | T1204.002 | PE GUI executable, user-launched |
| Bypass UAC | T1548.002 | Admin gate via AllocateAndInitializeSid + CheckTokenMembership |
| Match Legitimate Name or Location | T1036.005 | Masquerades as "System Analyzer Tool v4.2.1" |
Variants / Aliases
- Amadey dropper (unconfirmed upstream relationship; OpenCTI co-label: dropped-by-amadey)
- Build artifact name: certpert (from PDB path)
Notable Analyses
- raw/analyses/3b13b28ca3a6d3c82228f5cc6a6e0bef583e9c3b3092da4c20fe72c75f3dd386 — Deep static analysis; static-only (CAPE skipped). Null-padded MSVC C++ "certpert" dropper with fake diagnostic masquerade, Defender exclusion via PowerShell, HTTP payload fetch.
- raw/analyses/c8db13c15ad99cc002dda644384e730497972a9995510918f5fc7e2c071b9a0f — UPX-packed x64 sibling with modified/hacked packer. Three sections, four KERNEL32 imports, compressed payload with AES S-Box indicators. Standard UPX decompression fails. Static-only (CAPE skipped).
- raw/analyses/cc4aa789cf0c80b32004b90be6be0ad80944ad85730c6095cc3ca29469059503 — Third morph: Go 1.25.4 PE64 infostealer. Signed with a DV cert CN=askart.com, 24 randomized main.* functions, GUI subsystem, no .rsrc, no hardcoded C2. Matches the golang-stealer-build-pattern and unclassified-go-pe64 clusters; not build-related to the prior MSVC siblings. Static-only (CAPE skipped).
Capabilities
- admin-rights-gate-sid-check
- prng-delay-loop-evasion
- fake-diagnostic-output-masquerade
- http-payload-download
- defender-exclusion-powershell
- shell-execute-dropped-payload
- upx-compression-with-modified-header
- runtime-import-table-rebuild
- go-infostealer-randomized-function-names
- authenticode-signing-throwaway-dv-cert
- gui-subsystem-no-window-code
- runtime-c2-resolution-no-hardcoded-ioc