Malware of the Week – Banker

17e826fa0f6297f80b459948ab12efbdefc06f3cb999184a5cb1eddcf7b7d550 (SHA-256)

Malicious with 98% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file last week and declared it to be malicious using our proprietary techniques – which in this case revealed 5 indicators of significance.  A link to the full report with descriptions and details is below. 

Some key highlights and indicators follow: 

Type of Malware:  Banker

  • Creates known Dyreza Banking Trojan files, registry keys and/or mutexes
  • Sample contacts servers at uncommon ports
  • Tries to locate where the browsers are installed

Evasiveness Indicators:

  • Sniffs keystrokes
  • Detects VMWare through the in-instruction feature
  • Checks whether any human activity is being performed by constantly checking whether the foreground window changed
  • A process attempted to delay the analysis task        
  • Checks adapter addresses which can be used to detect virtual network interfaces

Other Compelling Indicators:

  • Drops a binary and execute
  • One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
  • Contains obfuscated control-flow to defeat static analysis
  • Deletes its original binary from disk\
  • Strings possibly contain hardcoded IP Addresses

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlRemote File Copy Custom Command and Control Protocol Remote File Copy Uncommonly Used Port
Credential AccessCredential Dumping
Defense EvasionCode Signing File Deletion NTFS File Attributes
DiscoveryProcess Discovery6 Virtualization / Sandbox Evasion
ImpactService Stop

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.