Malware of the Week – BOT

f34d7021989b1e9ccf9551d3d850f6105c337f7c9d5674d20a449a89f6cf6548 (SHA-256)

Malicious with 100% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious. 

DeepView unique and patented methods – specifically in this case, force code execution (FCE) and program level indication (PLI) – identified 14 indicators.  A link to the full report with descriptions and details is below.  

Some key highlights and indicators follow.  Those discovered by DeepView proprietary method are flagged with [FCE] for forced code execution.

Type of Malware:  BOT

  • [FCE] Installs itself for autorun at Windows startup
  • [PLI] More than %50 of the external calls do not go through the import address table
  • [FCE] Expresses interest in specific running processes
  • [FCE] Attempts to modify proxy settings
  • [FCE] Installs a hook procedure to monitor for mouse events

Evasiveness Indicators:

  • [FCE] Checks whether any human activity is being performed by constantly checking whether the foreground window changed
  • [FCE] A process attempted to delay the analysis task
  • [FCE] Attempts to repeatedly call a single API many times in order to delay analysis time
  • Checks adapter addresses which can be used to detect virtual network interfaces
  • Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

Other Compelling Indicators:

  • [FCE] Internet Explorer creates one or more martian processes
  • [FCE] Sniffs keystrokes
  • [FCE] Connects to IP address(es) that are no longer responding to requests (legitimate services will remain up-and-running usually)
  • [FCE] Network activity contains more than one unique useragent
  • [FCE] Creates an Alternate Data Stream (ADS)

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlCommonly Used PortConnection ProxyCustom Command and Control Protocol
Credential AccessCredential Dumping
Defense EvasionNTFS File Attributes
DiscoveryProcess DiscoverySystem Information DiscoveryVirtualization / Sandbox Evasion
PersistenceRegistry Run Keys / Startup Folder

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.