Malware of the Week – RAT

eea79b7dcdbcb684d1900d7ce9eb485edd4e741abfb0858c47176645afe8b0a4 (SHA-256)

Malicious with 100% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file – a Windows PE32 Executable – this week and declared it to be malicious.  At the time of its discovery, all the major malware detection vendors had not identified this file as malicious.  DeepView unique and patented methods identified 3 indicators – specifically in this case, one of each of force code execution (FCE), program level indication (PLI), and automated sequence detection (ASD).  

A link to the full report with descriptions and details is below.  Some key highlights and indicators follow.  

Type of Malware:  RAT

  • HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • Executed a process and injected code into it, probably while unpacking
  • Installs itself for autorun at Windows startup
  • Creates known XtremeRAT mutexes
  • Creates known XtremeRAT files, registry keys or mutexes

Evasiveness Indicators:

  • [FCE] Attempts to repeatedly call a single API many times in order to delay analysis time
  • [PLI] Contains obfuscated control-flow to defeat static analysis
  • Detects the presence of Wine emulator
  • Detects VMWare through the in instruction feature
  • Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available

Other Compelling Indicators:

  • [ASD] Automatic Sequence Detection maliciousness score: 56%
  • Anomalous binary characteristics
  • The binary likely contains encrypted or compressed data
  • Creates a slightly modified copy of itself
  • Sample contacts servers at uncommon ports

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlCommonly Used PortCustom Command and Control ProtocolUncommonly Used Port
Defense EvasionProcess InjectionVirtualization / Sandbox EvasionSoftware Packing
DiscoveryProcess DiscoveryVirtualization / Sandbox EvasionSecurity Software Discovery
Privilege EscalationProcess Injection
PersistenceRegistry Run Keys / Startup Folder

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.