After my initial excitement died down, I sat down and took a look at the ~I32SUN.exe file and was disappointed to find it looked just like CMD.exe. Hoping for something modified or different, I threw both files into BinDiff, but saw a 100% match on all functions. The only difference I could find between the two files was the version information, and even that was slight.
So what was the deal with it landing on the system? I have yet to figure out the decoding on the RAT itself, but my suspicion is that the attackers requested CMD.exe through their web interface. In doing so, they spawned their process on my system and had it relayed back over the HTTP tunnel. I am hoping that decoding the content may make it possible to see any commands executed or data exfiltrated. More to come.