Malware of the Week – Infostealer

5550110ddb42ca9358fe3a99d911eedcc3a607b08bcea7b7b9c9b55a358e5cf8 (SHA-256)

Malicious with 100% Confidence

SecondWrite’s DeepView Sandbox analyzed this file last week and declared it to be malicious.

DeepView's unique and patented methods – in this case, forced code execution and program level indication – identified one indicator each. At the time of its discovery, none of the major malware detection vendors had identified this file as malicious. A link to the full report with descriptions and details is below.

Some key highlights and indicators follow. Those discovered by DeepView's proprietary methods are flagged with [FCE] for forced code execution and [PLI] for program level indication.

Type of Malware:  Infostealer

  • [FCE] Sniffs keystrokes
  • A process created a hidden window
  • Performs some DNS requests
  • [FCE] Installs itself for autorun at Windows startup
  • [FCE] Drops a binary and executes it

Evasiveness Indicators:

  • Attempts to repeatedly call a single API many times in order to delay analysis time
  • Checks whether any human activity is being performed by constantly checking whether the foreground window changed
  • A process attempted to delay the analysis task
  • Checks adapter addresses which can be used to detect virtual network interfaces
  • Checks the amount of memory in the system, which can be used to detect virtual machines with a low amount of memory available

Other Compelling Indicators:

  • Drops a binary and executes it
  • Possible date expiration check, exits too soon after checking local time

MITRE ATT&CK Indicators:

MITRE Tactic          MITRE Technique
Command and Control   Remote File Copy; Custom Command and Control Protocol
Credential Access     Credential Dumping
Defense Evasion       File Deletion; Hidden Window; Software Packing
Discovery             Virtualization / Sandbox Evasion
Persistence           Registry Run Keys / Startup Folder

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.