Malware of the Week – Banker

789594b367f64047b7f5701cc1a80299d1fb9134cb6c788adcf40070c8f851bf (SHA-256)

Malicious with 98% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.

DeepView's unique and patented methods (specifically in this case, forced code execution) identified 4 indicators. At the time of its discovery, market-leading malware detection vendors had not identified this file as malicious. A link to the full report with descriptions and details is below.

Some key highlights and indicators follow. Those discovered by DeepView's proprietary method are flagged with [FCE] for forced code execution.

Type of Malware:  Banker

  • Attempts to modify browser security settings
  • [FCE] Sample writes a large number of files (over 100)
  • [FCE] Repeatedly searches for a not-found process
  • Performs some HTTP requests
  • Performs some DNS requests

Evasiveness Indicators:

  • Checks whether any human activity is being performed by constantly checking whether the foreground window changed
  • A process attempted to delay the analysis task
  • Queries for the computer name
  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Checks adapter addresses which can be used to detect virtual network interfaces

Other Compelling Indicators:

  • One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
  • Allocates read-write-execute memory (usually to unpack itself)

MITRE ATT&CK Indicators:

| MITRE Tactic | MITRE Technique |
| --- | --- |
| Command and Control | Remote File Copy |
| Credential Access | Credential Dumping |
| Defense Evasion | Disabling Security Tools; File Deletion; NTFS File Attributes |
| Discovery | Process Discovery; Virtualization / Sandbox Evasion |

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.