Malware of the Week – Banker
789594b367f64047b7f5701cc1a80299d1fb9134cb6c788adcf40070c8f851bf (SHA-256)
Malicious with 98% Confidence
SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.
DeepView's patented methods, in this case forced code execution, identified 4 indicators. At the time of its discovery, market-leading malware detection vendors had not identified this file as malicious. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow. Those discovered by DeepView's proprietary forced code execution method are flagged with [FCE].
Type of Malware: Banker
- Attempts to modify browser security settings
- [FCE] Sample writes a large number of files (over 100)
- [FCE] Repeatedly searches for a process that is never found
- Performs some HTTP requests
- Performs some DNS requests
Evasiveness Indicators:
- Checks for human activity by repeatedly polling whether the foreground window has changed
- A process attempted to delay the analysis task
- Queries for the computer name
- Repeatedly calls a single API many times to delay analysis
- Enumerates adapter addresses, which can be used to detect virtual network interfaces
Other Compelling Indicators:
- One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
- Allocates read-write-execute memory (usually to unpack itself)
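The evasiveness and unpacking indicators listed above are the kind of behaviour an analyst looks for in a sandbox API-call trace. The Python script below is an added example, not code from the original page or from SecondWrite's DeepView: it scores a constructed trace for each of those indicators (foreground-window polling, API hammering, long sleeps, computer-name and adapter queries, fruitless process searches, and RWX allocations). The trace line format ("api key=value ... => return"), the sample trace, and every threshold are assumptions made for illustration; the process-search heuristic (repeated snapshots never followed by OpenProcess) is likewise an approximation, not DeepView's method.

```python
import re

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory protection constant

# Assumed trace format, one call per line: "<api> key=value ... => <return>".
LINE_RE = re.compile(r"^(\w+)\s*(.*?)\s*=>\s*(\S+)$")

# Constructed sample trace (not from the DeepView report): host fingerprinting,
# three process sweeps that find nothing, foreground-window polling, a tight
# GetTickCount loop, a one-minute sleep and finally an RWX allocation.
SAMPLE_TRACE = (
    "GetComputerNameW buffer=0x0019f8c0 => 1\n"
    "GetAdaptersAddresses family=2 flags=0 => 0\n"
    + (
        "CreateToolhelp32Snapshot flags=2 pid=0 => 0x1c8\n"
        "Process32FirstW snapshot=0x1c8 => 1\n"
        "Process32NextW snapshot=0x1c8 => 0\n"
    ) * 3
    + "GetForegroundWindow => 0x30a1c\n" * 40
    + "GetTickCount => 12345\n" * 500
    + "NtDelayExecution ms=60000 => 0\n"
    + "VirtualAlloc addr=0 size=0x20000 type=0x3000 protect=0x40 => 0x02a00000\n"
)


def _num(token):
    """Parse hex or decimal literals; leave anything else as a string."""
    try:
        return int(token, 0)
    except ValueError:
        return token


def parse_trace(text):
    """Return a list of (api, args_dict, return_value) tuples."""
    calls = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        api, arg_str, ret = match.groups()
        args = {}
        for tok in arg_str.split():
            key, _, value = tok.partition("=")
            args[key] = _num(value)
        calls.append((api, args, _num(ret)))
    return calls


def foreground_polling(calls, min_calls=20):
    """Many GetForegroundWindow calls that all return the same HWND: the sample
    waits for a user to switch windows, which never happens unattended."""
    hwnds = [ret for api, _, ret in calls if api == "GetForegroundWindow"]
    return len(hwnds) >= min_calls and len(set(hwnds)) == 1


def api_hammering(calls, min_run=200):
    """Longest run of back-to-back calls to one API; a cheap API in a tight
    loop burns the sandbox's time budget. Returns the API name or None."""
    best_api, best_run, run_api, run = None, 0, None, 0
    for api, _, _ in calls:
        run = run + 1 if api == run_api else 1
        run_api = api
        if run > best_run:
            best_api, best_run = api, run
    return best_api if best_run >= min_run else None


def delay_seconds(calls):
    """Total requested sleep time across the common delay APIs."""
    ms = sum(args.get("ms", 0) for api, args, _ in calls
             if api in ("Sleep", "SleepEx", "NtDelayExecution"))
    return ms / 1000


def fruitless_process_search(calls, min_sweeps=3):
    """Heuristic (assumption, not DeepView's method): repeated process
    snapshots that are never followed by OpenProcess on any target."""
    sweeps = sum(1 for api, _, _ in calls if api == "CreateToolhelp32Snapshot")
    opened = any(api == "OpenProcess" for api, _, _ in calls)
    return sweeps >= min_sweeps and not opened


def rwx_allocations(calls):
    """Addresses returned by allocations requesting PAGE_EXECUTE_READWRITE."""
    return [ret for api, args, ret in calls
            if api in ("VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory")
            and args.get("protect") == PAGE_EXECUTE_READWRITE]


def indicators(trace_text):
    """Map a trace to the human-readable indicators used in the write-up."""
    calls = parse_trace(trace_text)
    apis = {api for api, _, _ in calls}
    found = []
    if foreground_polling(calls):
        found.append("polls the foreground window to detect human activity")
    hammered = api_hammering(calls)
    if hammered:
        found.append(f"repeatedly calls {hammered} to delay analysis")
    if delay_seconds(calls) >= 30:
        found.append("requests a long sleep to delay the analysis task")
    if apis & {"GetComputerNameA", "GetComputerNameW",
               "GetComputerNameExA", "GetComputerNameExW"}:
        found.append("queries the computer name")
    if apis & {"GetAdaptersAddresses", "GetAdaptersInfo"}:
        found.append("checks adapter addresses (virtual NIC detection)")
    if fruitless_process_search(calls):
        found.append("repeatedly searches for a process that is never found")
    if rwx_allocations(calls):
        found.append("allocates read-write-execute memory (likely unpacking)")
    return found


if __name__ == "__main__":
    for hit in indicators(SAMPLE_TRACE):
        print("-", hit)
```

Run against a real sandbox export, the thresholds are the interesting knobs: a benign installer may legitimately query the computer name or allocate RWX pages once, so the value of these indicators lies in their combination with the forced-execution findings above, not in any single hit.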
MITRE ATT&CK Indicators:
MITRE Tactic | MITRE Technique
Command and Control | Remote File Copy
Credential Access | Credential Dumping
Defense Evasion | Disabling Security Tools; File Deletion; NTFS File Attributes
Discovery | Process Discovery; Virtualization/Sandbox Evasion
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.