Malware of the Week – RAT

1176637004956c3cde0de41c5dde29ad7be714d07d6426174d89b56b85669f9b (SHA-256)

Malicious with 100% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file – a Windows PE32 Executable – this week and declared it to be malicious.  At the time of its discovery, all of the major malware detection vendors had not identified this file as malicious.  DeepView unique and patented methods identified 3 indicators – specifically in this case, one of each of force code execution (FCE), program level indication (PLI), and automated sequence detection (ASD).  

A link to the full report with descriptions and details is below.  Some key highlights and indicators follow.  

Type of Malware:  RAT

  • HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • Executed a process and injected code into it, probably while unpacking
  • Installs itself for autorun at Windows startup
  • Creates known XtremeRAT mutexes
  • Creates known XtremeRAT files, registry keys or mutexes

Evasiveness Indicators:

  • [FCE] Attempts to repeatedly call a single API many times in order to delay analysis time
  • [PLI] Contains obfuscated control-flow to defeat static analysis
  • Detects the presence of Wine emulator
  • Detects VMWare through the in instruction feature
  • Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available
  • [PLI] Contains obfuscated control-flow to defeat static analysis
  • [PLI] A process attempted to delay the analysis task

Other Compelling Indicators:

  • [ASD] Automatic Sequence Detection maliciousness score: 56%
  • Anomalous binary characteristics
  • The binary likely contains encrypted or compressed data
  • Creates a slightly modified copy of itself
  • Sample contacts servers at uncommon ports

MITRE ATT&CK Indicators:

MITRE TacticMITRE Technique
Command and ControlCommonly Used PortCustom Command and Control ProtocolUncommonly Used Port
Defense EvasionProcess InjectionVirtualization / Sandbox EvasionSoftware Packing
DiscoveryProcess DiscoveryVirtualization / Sandbox EvasionSecurity Software Discovery
PersistenceRegistry Run Keys / Startup Folder

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.