eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4 (SHA-256)
Malicious with 100% Confidence
SecondWrite’s DeepView Sandbox analyzed this file – a Windows PE32 Executable – this week and declared it to be malicious. At the time of its discovery, all the major malware detection vendors had not identified this file as malicious. DeepView unique and patented methods identified 3 indicators – specifically in this case, one of each of force code execution (FCE), program level indication (PLI), and automated sequence detection (ASD).
A link to the full report with descriptions and details is below. Some key highlights and indicators follow.
Type of Malware: RAT
- HTTP traffic contains suspicious features which may be indicative of malware related traffic
- Executed a process and injected code into it, probably while unpacking
- Installs itself for autorun at Windows startup
- Creates known XtremeRAT mutexes
- Creates known XtremeRAT files, registry keys or mutexes
Evasiveness Indicators:
- [FCE] Attempts to repeatedly call a single API many times in order to delay analysis time
- [PLI] Contains obfuscated control-flow to defeat static analysis
- Detects the presence of Wine emulator
- Detects VMWare through the in instruction feature
- Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
Other Compelling Indicators:
- [ASD] Automatic Sequence Detection maliciousness score: 56%
- Anomalous binary characteristics
- The binary likely contains encrypted or compressed data
- Creates a slightly modified copy of itself
- Sample contacts servers at uncommon ports
MITRE ATT&CK Indicators:
MITRE Tactic | MITRE Technique |
Command and Control | Commonly Used PortCustom Command and Control ProtocolUncommonly Used Port |
Defense Evasion | Process InjectionVirtualization / Sandbox EvasionSoftware Packing |
Discovery | Process DiscoveryVirtualization / Sandbox EvasionSecurity Software Discovery |
Privilege Escalation | Process Injection |
Persistence | Registry Run Keys / Startup Folder |
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.