agentic-sdlc-intake-attack

Indicators of Compromise

These indicators are provided for defensive detection and incident-response correlation. They are evidence-bound to the inspected artifact described here. Network indicators are not known from this artifact unless separately discovered. No C2 URLs are asserted.

File Indicators

Type Indicator Context Confidence
Archive filename core_fix_v2.zip ZIP attachment framed as a repository fix or useful artifact Confirmed
Payload filename core_fix_v2.exe Windows executable inside the archive Confirmed
Archive SHA-256 647248d2c272c9c2cf11d1be039910728beca88c1359b4a42c932d4e29cf6380 Hash of inspected archive Confirmed
EXE SHA-256 d85d164e46fabb085609f2586e8fec364539a6ec81f74659f0cb28ac76e7880b Hash of contained executable Confirmed
EXE MD5 4db8e85743a1ae8b1d26a3bccbffb6d1 Legacy hash for correlation only Confirmed

Static Characteristics

Type Indicator Context Confidence
File type Windows x64 PE executable Not a source diff, patch, or normal repo fix Confirmed
Runtime string Go 1.25.4 Go runtime indicator visible statically Confirmed
Subsystem Windows GUI Unusual for a source-code fix artifact Confirmed
Module path YHWntfKsr Random-looking visible module path Confirmed
Decoy strings Russian calendar/AVL-tree demo text Visible text unrelated to claimed repository fix Confirmed
Certificate subject CN=computrabajo.com Suspicious/self-signed-looking certificate with random-looking organization/location fields Confirmed static observation
API behavior advapi32.dll!GetUserNameA and kernel32.dll!VirtualProtect Dynamic loading and memory-protection behavior observed statically Confirmed static observation
Hooking behavior patching GetUserNameA with a jump stub Behavior inferred from static inspection, not execution Confirmed static observation
Replacement string 5a3f1c7f6f2f7421 Hard-coded string found during static inspection Confirmed

Contextual Indicators

Non-Indicators