2025 © Ty Qualters. Built with .
This sample was obtained from MalwareBazaar. This analysis was conducted in a virtual machine running REMnux.
Additionally, the host machine was connected to ProtonVPN, and the REMnux VM was configured to use NAT through the host, which helps obscure the host’s public IP in the event of an accidental compromise.
The analysis is going to be conducted using Any.Run, an online sandbox environment.
I connected to ProtonVPN to make sure my IP stays private.
Here is my REMnux machine.
These are the first results that appear in Bazaar.
Of course, I am going to pick one that is as vague as possible. (That’s what is generally the most fun!)
File name: 3bed731751ea0f8459e5799a7a80bc3c
MD5: 3bed731751ea0f8459e5799a7a80bc3c
SHA1: 5b2b4c63505148b7b121373343c820a17a5f1730
SHA256: 814bb8b124df47b7b1c3cd751cd03d73e90d76d6885c8880c497a43bd4f6fa05
The threat is marked as unknown and the suspected country of origin is Indonesia. It is detected by various sources, such as ClamAV, Hybrid Analysis, Intezer, and more.
Funnily enough, the Any.Run query showed “No threats detected.”
A CAPE analysis was already completed, but I am going to ignore that for now. There were otherwise no immediate IOCs to look out for.
Here I went ahead and downloaded and extracted the sample. The password for MalwareBazaar samples is always “infected”.
There is actually not that much that Any.Run was able to pick up. Clicking “Play” caused the application to run itself. Clicking “Install” just said it installed something with no noticeable effect.
Any.Run does mention it checks Internet Explorer’s security settings, which is interesting. However, it just does not appear to call any C2 servers or make any weird requests that were immediately obvious.
I even did a quick 5 minute investigation of the PCAP file in Wireshark. No dice.
Here is a better picture of the GUI.
The better half of me would not be concerned, but that half is not winning today.
At this point, I reviewed the CAPE analysis. The attached VirusTotal link showed that 6 vendors flagged the file as the CosmicDuke Trojan.
Doing some Threat Intelligence, VirusTotal claims that there is an execution parent: 24df47b7b1c3cd751cd03d73e90d76d6885c8880c497a43bd4f6fa05.scr
(a .scr file, which is a Windows screensaver: an ordinary PE executable under a different extension, a common lure)
Looking into VirusTotal a bit closer, it becomes clear that the screensaver file and the main executable are actually the exact same binary, just with different names.
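Two checks from this write-up come down to comparing hashes: confirming that the extracted download matches the MalwareBazaar listing before spending time on it, and confirming that two differently named files (here the .scr and the main executable) are the same binary. The script below is an added example and not part of the original post; the three expected digests are the ones listed above, the file paths are assumptions, and the bytes used in the self-check are constructed test input, not sample data.

```python
"""Verify a downloaded sample against published hashes and compare two files by hash.

Added example (not from the original post). EXPECTED holds the MD5/SHA1/SHA256
values listed on the MalwareBazaar entry; the paths in main() are assumptions.
"""
import hashlib
import io
import sys

ALGORITHMS = ("md5", "sha1", "sha256")

# Digests as listed on the MalwareBazaar page for this sample.
EXPECTED = {
    "md5": "3bed731751ea0f8459e5799a7a80bc3c",
    "sha1": "5b2b4c63505148b7b121373343c820a17a5f1730",
    "sha256": "814bb8b124df47b7b1c3cd751cd03d73e90d76d6885c8880c497a43bd4f6fa05",
}


def hash_stream(fileobj, chunk_size=1 << 20):
    """Compute all three digests in one pass, streaming so large samples are not
    loaded into memory. Returns a dict of lowercase hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the self-check)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    """Hash a file on disk; the sample is opened read-only in binary mode."""
    with open(path, "rb") as f:
        return hash_stream(f)


def check_hashes(actual, expected):
    """Compare computed digests with published ones, algorithm by algorithm.
    Comparison is case-insensitive because listings sometimes print upper-case hex.
    A missing algorithm in `actual` counts as a mismatch rather than an error."""
    return {name: actual.get(name) == value.lower() for name, value in expected.items()}


def same_binary(hashes_a, hashes_b):
    """Two files are the same binary if every digest agrees. Any single
    mismatch is enough to say they differ (e.g. a renamed but patched copy)."""
    return all(hashes_a[name] == hashes_b[name] for name in ALGORITHMS)


def main(argv):
    # Usage: python verify_sample.py <sample> [<second_file>]
    # Paths are assumptions; substitute your own extracted sample.
    if len(argv) < 2:
        print("usage: verify_sample.py SAMPLE [OTHER_FILE]")
        return 2
    sample_hashes = hash_file(argv[1])
    for name, ok in check_hashes(sample_hashes, EXPECTED).items():
        print(f"{name:7s} {'match' if ok else 'MISMATCH'}  {sample_hashes[name]}")
    if len(argv) > 2:
        other = hash_file(argv[2])
        print("same binary:", same_binary(sample_hashes, other))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If any algorithm reports a mismatch, the file on disk is not the one the listing (and the downstream VirusTotal and CAPE reports) describes, so stop before detonating it. The `same_binary` check is the offline equivalent of the VirusTotal observation above: identical digests mean the renamed .scr and the main executable carry exactly the same bytes.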
There is also another executable that is dropped. That executable reportedly uses long sleep durations for evasion, which explains why nothing conclusive surfaced in a 60-second Any.Run run. It is also heavily related to other VirusTotal entries, which supports the claim that this is a known Trojan rather than something new.
All in all, after reviewing some TI sources, I can conclude that this software is malicious and most likely the CosmicDuke Trojan. However, due to the limitations of Any.Run, I was not able to 100% verify that.
It is sad to say, but at this point the malware analysis cannot be completed using Any.Run alone. Unfortunately, I am not going to do a static analysis on this sample at this time.
From here, the best way to investigate this file is through available Threat Intelligence sources.
V/r,
Ty