Pulse name: Habo Analysis System + My own IoCs - Dropped Spybot Extraction with Invalid X[RAR] Cert.
Description

1. Certificate Stuffing & Root Exploitation. This binary employs a high-level certificate grafting technique: the threat actor has manually appended a chain of X.509 certificates to the file's overlay to manipulate the host's trust store.

The Microsoft anchor: the inclusion of the Microsoft Code Verification Root (Serial: 610C1206...) is a strategic TTP. By pinning a defunct Safer Networking Ltd. certificate to a Microsoft root, the binary aims to exploit Windows Authenticode logic, which may default to "Trusted" if the root is recognized, regardless of leaf expiration.

Signature status: Invalid/Not Signed. Despite the 22MB of certificate metadata, the Authentihash does not match. The certificates are static artifacts in the overlay, not functional cryptographic signatures.

2. Hardware-Level Evasion (RDTSC). The sample contains direct CPU clock access (RDTSC) instructions. This is non-standard behavior for a legitimate installer and is used for anti-analysis (T1497.001); see References for more information.
Indicators of Compromise (99 / 731 total)
References (10)
- https://vtbehaviour.commondatastorage.googleapis.com/afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778048469&Signature=3y8LGGE52IUhhx7hMK9GsZthoRtiom8xy%2Fc5fyc0MJCsTSAblPs7nnE0YLV9E0mixvkxzBSCDGMpIt5vnQeTQ8t23sFEPJfm6SpG8DL4RXYGw7c6UALrxOofauzPiAuvBf%2Bnw5biEXDjWFuplGYRt83ZncF0nR5Bj4iwk2qDJ0xdgl86BUkgtNNd04hN16UsjAaL%2BojrFR4%2Fi%2F49ETbftnR2dvnXyVfPU0e0AF2TTg2hk8In2OMG
- The PE creation date is 2013, but the first global submission was 2021. This indicates a "dormant" or "re-packed" binary where a legacy installer was modified to serve as a modern dropper. Staged Execution: the binary drops spybotsd162.exe and .tmp variants into %TEMP%. This creates a TTP chain where the initial "trusted" process spawns secondary, unsigned payloads to establish persistence while the user believes they are running a routine security scan.
- Temporal Inconsistency & Persistence: The 8-Year Gap.
- The code measures CPU cycles to detect the "timing slide" caused by hypervisor intervention in a sandbox or virtual machine. Conditional Detonation: if the environment is identified as a VM, the malicious payload remains suppressed to prevent capture by automated security orchestration.
- This is a Weaponized Wrapper. Whether deployed by a malicious actor or a rogue enterprise entity, the technical reality is the same: the file uses brand reputations and Microsoft root strings to bypass the standard "Gatekeeper" functions of the OS.
- Pending Rec-Block Hash: afad4f7fca4a8e2fd3e5a3dc3da079684bae7cc0bc2692ce70cd9ffd188b5034
- Rec: Process Monitoring: Audit all instances of RDTSC calls originating from unsigned binaries in the %USERPROFILE%\Downloads or %TEMP% directories.
- Appended certificate details:
  - Subject: <Missing CN>
  - Issuer: Microsoft Code Verification Root
  - Valid From: 2006-05-23 17:01:29
  - Valid To: 2016-05-23 17:11:29
  - Algorithm: sha1RSA
  - Thumbprint: 58455389CF1D0CD6A08E3CE216F65ADFF7A86408
  - Serial Number: 61 0C 12 06 00 00 00 00 00 1B
- 2023-02-24 | 0 / 69 detections | Win32 EXE | SpyBot - Search & Destroy 1.6.0.30 Final.tmp