5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8 (SHA-256)
Malicious with 100% Confidence
SecondWrite’s DeepView Sandbox analyzed this file last week and declared it to be malicious.
DeepView's unique and patented methods, in this case forced code execution and program level indication, identified 1 indicator each. At the time of its discovery, none of the major malware detection vendors had identified this file as malicious. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow. Those discovered by DeepView's proprietary methods are flagged with [FCE] for forced code execution and [PLI] for program level indication.
Type of Malware: Infostealer
- [FCE] Sniffs keystrokes
- A process created a hidden window
- Performs some DNS requests
- [FCE] Installs itself for autorun at Windows startup
- [FCE] Drops a binary and executes it
Evasiveness Indicators:
- Repeatedly calls a single API many times in order to delay analysis
- Checks for human activity by constantly checking whether the foreground window has changed
- A process attempted to delay the analysis task
- Checks adapter addresses, which can be used to detect virtual network interfaces
- Checks the amount of memory in the system, which can be used to detect virtual machines with a low amount of memory available
Other Compelling Indicators:
- Drops a binary and executes it
- Possible date expiration check, exits too soon after checking local time
MITRE ATT&CK Indicators:
| MITRE Tactic | MITRE Technique |
| --- | --- |
| Command and Control | Remote File Copy; Custom Command and Control Protocol |
| Credential Access | Credential Dumping |
| Defense Evasion | File Deletion; Hidden Window; Software Packing |
| Discovery | Virtualization / Sandbox Evasion |
| Persistence | Registry Run Keys / Start Up Folder |
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.