type: entity | confidence: medium | created: 2026-05-27 | updated: 2026-05-27 | tags: malware-family, loader, evasion, pe

AsgardProtector

Malware family observed as an IExpress SFX dropper (corpus label iexpress-sfx-dropper): it repackages the Microsoft Cabinet self-extraction stub (wextract.exe) to silently drop and execute a compiled-AutoIt dropper payload (corpus label autoit-compiled-script-dropper). The outer SFX is unsigned, carries a fabricated PE timestamp, and embeds a CAB archive containing AutoIt3.exe and a compiled .a3x script.

Overview

Attribute        Value
First seen       2026-05-26 (lab corpus)
Platform         Windows (PE32+ x64)
Outer binary     wextract.exe / IExpress SFX
Payload format   Compiled AutoIt3 script (.a3x)
Attributed via   OpenCTI label (asgardprotector)

Build Stack

  • Toolchain: MSVC 14.30 (VS 2022) for the base wextract.exe.^[sample d59dc2f2/exiftool.json]
  • Packing: Microsoft Cabinet (CAB) embedded in .rsrc. No custom packer or encryption on the outer PE.
  • Signing: Unsigned — certificate directory stripped.^[sample d59dc2f2/pefile.txt]
  • Timestamp manipulation: the COFF header TimeDateStamp claims a 2085 compilation date, while the resource directory timestamp reads 2023-08-01. A plausible resource timestamp beneath an impossible header value indicates the header was rewritten after the original build, i.e. post-build repacking.^[sample d59dc2f2/pefile.txt]
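The three Build Stack observations above (unsigned, CAB carried in .rsrc, COFF timestamp disagreeing with the resource-directory timestamp) can be checked mechanically. The following is an added triage example written for this page; it is not code from the page, from the cited analysis, or from any vendor tool. It parses the PE headers and the CAB directory with the standard library only. The minimal PE32+ it builds, the CAB member names, the timestamp values and the one-week mismatch tolerance are constructed assumptions for illustration; on a real sample, read the file bytes and pass them to triage().

```python
"""Triage an IExpress/wextract-style SFX: compare the COFF TimeDateStamp with the
resource-directory timestamp, check the security (Authenticode) data directory,
and list the members of the embedded CAB. Stdlib only; input is a constructed sample."""
import struct
from datetime import datetime, timedelta, timezone

MSCF_HDR = "<4sIIIIIBBHHHHH"   # CFHEADER: sig, res1, cbCabinet, res2, coffFiles, res3, vMin, vMaj, cFolders, cFiles, flags, setID, iCabinet
CFFILE = "<IIHHHH"             # CFFILE fixed part (cbFile, uoffFolderStart, iFolder, date, time, attribs), then NUL-terminated name
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_cab_members(data: bytes) -> list[str]:
    """Return the member names of the first CAB found in `data` (empty list if none)."""
    start = data.find(b"MSCF")
    if start < 0:
        return []
    hdr = struct.unpack_from(MSCF_HDR, data, start)
    coff_files, n_files = hdr[4], hdr[9]          # offset of first CFFILE (relative to CAB), file count
    names, pos = [], start + coff_files
    for _ in range(n_files):
        pos += struct.calcsize(CFFILE)
        end = data.index(b"\0", pos)
        names.append(data[pos:end].decode("ascii", "replace"))
        pos = end + 1
    return names


def _rva_to_offset(data: bytes, rva: int, sec_table: int, n_sections: int) -> int:
    """Map an RVA to a file offset by walking the section table (40-byte entries)."""
    for i in range(n_sections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA not backed by any section")


def triage(data: bytes) -> dict:
    """Return the indicators this page lists for an SFX: timestamps, signing, CAB contents."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, n_sections, coff_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                         # data directory start (PE32+ / PE32)
    rsrc_rva = struct.unpack_from("<I", data, dd + 2 * 8)[0]           # IMAGE_DIRECTORY_ENTRY_RESOURCE
    sec_size = struct.unpack_from("<I", data, dd + 4 * 8 + 4)[0]       # IMAGE_DIRECTORY_ENTRY_SECURITY size
    rsrc_ts = 0
    if rsrc_rva:
        rsrc_off = _rva_to_offset(data, rsrc_rva, opt + opt_size, n_sections)
        rsrc_ts = struct.unpack_from("<I", data, rsrc_off + 4)[0]      # IMAGE_RESOURCE_DIRECTORY.TimeDateStamp
    members = parse_cab_members(data)
    year = lambda ts: (EPOCH + timedelta(seconds=ts)).year
    return {
        "coff_year": year(coff_ts),
        "rsrc_year": year(rsrc_ts) if rsrc_ts else None,
        # assumption: more than a week between the two stamps means the header was rewritten
        "timestamp_mismatch": bool(rsrc_ts) and abs(coff_ts - rsrc_ts) > 7 * 86400,
        "signed": sec_size > 0,
        "cab_members": members,
        "autoit_dropper": any(m.lower() == "autoit3.exe" for m in members)
                          and any(m.lower().endswith(".a3x") for m in members),
    }


def build_cab(names: list[str]) -> bytes:
    """Constructed CAB with one empty folder; only the directory matters for triage."""
    files = b"".join(struct.pack(CFFILE, 0, 0, 0, 0, 0, 0x20) + n.encode() + b"\0" for n in names)
    coff_files = struct.calcsize(MSCF_HDR) + 8                         # CFHEADER + one CFFOLDER
    total = coff_files + len(files)
    hdr = struct.pack(MSCF_HDR, b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    return hdr + struct.pack("<IHH", total, 0, 0) + files


def build_sample_pe(coff_ts: int, rsrc_ts: int, cab: bytes, signed: bool = False) -> bytes:
    """Constructed minimal PE32+ with a single .rsrc section whose resource directory precedes the CAB."""
    rsrc = struct.pack("<IIHHHH", 0, rsrc_ts, 0, 0, 0, 0) + cab        # IMAGE_RESOURCE_DIRECTORY + payload
    rsrc_rva, rsrc_raw = 0x2000, 0x400
    dirs = [(0, 0)] * 16
    dirs[2] = (rsrc_rva, len(rsrc))
    if signed:
        dirs[4] = (rsrc_raw + len(rsrc), 0x100)                        # pretend a WIN_CERTIFICATE follows
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, coff_ts, 0, 0, len(opt), 0x22)
    section = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    return (dos + b"PE\0\0" + coff + opt + section).ljust(rsrc_raw, b"\0") + rsrc


if __name__ == "__main__":
    # Constructed sample mimicking the page's description: 2085 header stamp, 2023-08-01 resource stamp, unsigned.
    sample = build_sample_pe(3_630_000_000, 1_690_848_000, build_cab(["AutoIt3.exe", "Terminals.a3x"]))
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The CAB search is a plain `MSCF` scan rather than a walk of the resource tree, which is enough for an IExpress package because wextract stores the cabinet verbatim; a custom packer that encrypts the resource (not the case here per the page) would defeat it, and the timestamp check would then be the remaining signal.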

Deploy / TTPs

ATT&CK      Technique                                                Implementation
T1204.002   User Execution: Malicious File                           Double-click execution of SFX lure
T1059.010   Command and Scripting Interpreter: AutoHotKey & AutoIT   AutoIt3 interpreter runs compiled .a3x script (sub-technique added in ATT&CK v15; earlier mappings use the parent T1059)
T1027       Obfuscated Files or Information                          Compiled AutoIt script is opaque to static string analysis
T1071       Application Layer Protocol                               Unknown; requires dynamic analysis of the .a3x

Capabilities

  • sfx-silent-extraction
  • cabinet-embedded-payload
  • autoit3-interpreter-execution
  • compiled-script-obfuscation
  • timestamp-manipulation
  • unsigned-repacked-system-binary

Variants / Aliases

  • neuralpulsecore4-sbs (OpenCTI label co-occurring with asgardprotector)

Notable Analyses

  • d59dc2f2 (SomaliaCruises.exe, Terminals.a3x) — deep analysis with CAB extraction, Ghidra decompile, YARA/Sigma rules.^[/intel/analyses/d59dc2f22167b0a44bf103d664842112981d4b3dbe62f7a27e671cddbbac9d73.html]
  • d364a2f6 (StatingConnectors.exe, Dayton.a3x) — sibling with identical SFX structure, different .a3x name.^[sample d364a2f6/strings.txt]

Related