Malware of the Week – Banker
Malicious with 98% Confidence
SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.
DeepView unique and patented methods – specifically in this case, force code execution – identified 4 indicators. At the time of its discovery, market leading malware detection vendors had not identified this file of malicious. A link to the full report with descriptions and details is below.
Some key highlights and indicators follow. Those discovered by DeepView proprietary method are flagged with [FCE] for forced code execution.
Type of Malware: Banker
- Attempts to modify browser security settings
- [FCE] Sample writes a large amount of files (Over 100)
- [FCE] Repeatedly searches for a not-found process
- Performs some HTTP requests
- Performs some DNS requests
- Checks whether any human activity is being performed by constantly checking whether the foreground window changed
- A process attempted to delay the analysis task
- Queries for the computer name
- Attempts to repeatedly call a single API many times in order to delay analysis time
- Checks adapter addresses which can be used to detect virtual network interfaces
Other Compelling Indicators:
- One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
- Allocates read-write-execute memory (usually to unpack itself)
MITRE ATT&CK Indicators:
|MITRE Tactic||MITRE Technique|
|Command and Control||Remote File Copy|
|Credential Access||Credential Dumping|
|Defense Evasion||Disabling Security Tools File Deletion NTFS File Attributes|
|Discovery||Process Discovery Virtualization / Sandbox Evasion|
Selection from The Report:
See Full Detailed Report:
Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.