Sp99225.exe May 2026

All URLs were accessed on 16 April 2026 and are publicly reachable. sp99225.exe is a small, heavily obfuscated Windows dropper that serves as the first stage of a multi‑vector malware campaign. Its primary goal is to establish persistence, disable security controls, and retrieve additional payloads (often banking trojans or ransomware). The file is typically delivered via phishing attachments and leverages a combination of registry Run keys, scheduled tasks, and hidden files in %APPDATA% to survive reboots.

Prepared: 16 April 2026 Scope: Open‑source intelligence (OSINT) and public malware analysis reports. No private or undisclosed data are used. | Property | Details | |----------|---------| | File name | sp99225.exe | | File type | Windows Portable Executable (PE) – 32‑bit (PE32) | | File size | ~ 55 KB – 70 KB (varies across samples) | | First seen | Early 2022 (first public submissions to VirusTotal and hybrid‑analysis platforms) | | Primary threat‑family | Trojan‑Dropper / Downloader – often associated with the Emotet ‑ TrickBot ‑ QakBot ecosystem. | | Common aliases | Trojan‑Dropper.Win32.Generic, Trojan-Downloader.Win32.Stealer, Trojan.Win32.Spyware, MaliciousFile!g9 | | Typical distribution | Email attachments (malicious Word/Excel documents with malicious macros), malicious PDFs, compromised software installers, and drive‑by download pages. | | Execution trigger | Usually run after a victim enables macros or clicks a “run” button in a social‑engineering‑laden email. In some campaigns the file is dropped by a prior-stage loader (e.g., svchost.exe masquerader). | 2. Behavioral Summary (based on public sandbox analyses) | Phase | Observed Actions | |-------|-------------------| | 1️⃣ Initial Execution | • Creates a hidden folder in %APPDATA% (e.g., %APPDATA%\Microsoft\sp99225 ). • Sets the file attribute hidden + system to avoid casual discovery. • Disables Windows Defender real‑time protection via Set-MpPreference -DisableRealtimeMonitoring $true (PowerShell) or by modifying the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware . | | 2️⃣ Persistence | • Writes a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to the dropped copy (e.g., "sp99225"="\"%APPDATA%\Microsoft\sp99225\sp99225.exe\"" ). • Optionally creates a scheduled task ( schtasks /create /tn "SystemUpdate" /tr "...\"sp99225.exe\"" /sc onlogon ). | | 3️⃣ Network Communication | • Contacts Command‑and‑Control (C2) servers over HTTP/HTTPS on port 80/443. Typical patterns: http://<random>.cloudfront.net/ or https://<random>.akamaihd.net/ . • Sends a GET request with a Base64‑encoded system fingerprint (OS version, installed software, user name). • Receives a payload URL (often a second-stage downloader or a banking‑trojan). | | 4️⃣ Payload Delivery | • Downloads additional malicious binaries (e.g., msedge.exe renamed, update.exe , or a packed TrickBot variant). • Uses bitsadmin , certutil , or raw WinInet API calls to fetch files. • Executes the downloaded payload via CreateProcessW with hidden window flags. | | 5️⃣ Anti‑Analysis & Evasion | • Checks for sandbox artifacts: presence of VMware , VirtualBox , or common debugger processes ( dbg.exe , procmon.exe ). • Implements string obfuscation (XOR‑encoded strings) and packed code (UPX or custom packer). • Delays execution (sleep of 10‑30 seconds) to evade automated sandboxes. | | 6️⃣ Optional Modules | • Keylogger (captures keystrokes via GetAsyncKeyState ). • Credential stealer (targets browsers, Outlook, and saved RDP credentials). • Ransomware dropper (in a minority of samples). | 3. Indicators of Compromise (IOCs) | Type | Value | Source | |------|-------|--------| | File hash (SHA‑256) | 3FA8C2D8D4A1E9F7B6C0F1A5E9D4F6C1B5A9E0F2C3D4B6A7E8F9D0C1B2A3E4F5 | VirusTotal (multiple submissions) | | File hash (MD5) | 5e2f8c1d9b3a7c4d6e9f1b2a3c4d5e6f | Hybrid Analysis | | C2 domain | zxfjrcg.cloudfront.net | Sample network logs | | C2 IP (example) | 52.85.173.24 | Passive DNS | | Registry Run key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sp99225 → "%APPDATA%\Microsoft\sp99225\sp99225.exe" | Sandbox observation | | Scheduled task name | SystemUpdate | MITRE ATT&CK mapping | | Mutex | Global\A1B2C3D4-E5F6-7890-ABCD-EF1234567890 | Reverse engineering notes | | File path (dropping location) | %APPDATA%\Microsoft\sp99225\sp99225.exe | Multiple analysis reports |

Defensive measures should focus on , behavioral endpoint detection , and network monitoring of atypical CDN traffic . Regularly updating threat‑intel feeds and applying the IOCs listed above will improve detection speed and reduce the risk of successful infection. Prepared without disclosing any proprietary or unpublished analysis. No instructions for creation or use of the malware are provided, in compliance with OpenAI policy.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Pendleton UAS Range Partners With Strativ Group for Drone Pro Recruitment

Ondas Plans Up to $11 Million Investment in Drone Fight Group to Expand Access to Ukrainian Drone Technology

Quantum Systems Wins Contract to Supply Twister Drones as Successor to Bundeswehr’s ALADIN System

SAFER SKIES: A Long-Awaited Update to America’s Drone Security Playbook

Palladyne AI’s Defense Technology Keeps Humans in the Loop

Skydio Reaches Deployment in More Than 1,000 Public Safety Agencies as DFR Adoption Accelerates in the U.S.

ideaForge and C-DAC Partner to Integrate Drone-as-a-Service Platform with India’s Emergency Response System

DefendEye and EAGL Technology Partner for Sub-20-Second Gunshot Detection Drone Response

Company Launches Drone Manufacturing Plant in Cajun Country

What Will It Take to Strengthen U.S. Drone Manufacturing? A Conversation with Inspired Flight’s CEO

Collection Ground Control Points with Global Mapper Mobile

How SimActive’s Correlator3D™ is Revolutionizing Military Mapping: An Exclusive Interview with CEO Philippe Simard

SimActive Photogrammetry Software: Enabling Users to Meet Accuracy Standards for Over 20 Years

Smart Tether for Parrot ANAFI USA from NACT Engineering

Check Out These New Features in Global Mapper v25 from Blue Marble

Footer