Malware of the Week – RAT

0100704d57f45d0db395959a1235933a8883015cdbeb85a004cf28e96ba7f17e (SHA-256)

Malicious with 98% Confidence 

SecondWrite’s DeepView Sandbox analyzed this file this week and declared it to be malicious.

DeepView's unique and patented methods – specifically in this case, forced code execution (FCE) – identified 6 indicators. At the time of its discovery, several market-leading malware detection vendors had not identified this file as malicious. A link to the full report with descriptions and details is below.

Some key highlights and indicators follow. Those discovered by DeepView's proprietary method are flagged with [FCE] for forced code execution.

Type of Malware: RAT

  • [FCE] Creates known SpyNet files, registry changes and/or mutexes
  • Installs itself for autorun at Windows startup
  • [FCE] Executes one or more WMI queries
  • Strings possibly contain hardcoded URLs
  • A process created a hidden window

Evasiveness Indicators:

  • [FCE] Attempts to identify installed AV products by registry key
  • Repeatedly calls a single API many times in order to delay analysis
  • Queries for the computer name
  • Checks the amount of memory in the system; this can be used to detect virtual machines, which often have little memory available
  • Detects VMware through use of the x86 IN instruction

Other Compelling Indicators:

  • Executed a process and injected code into it, probably while unpacking
  • Reads data out of its own binary image

MITRE ATT&CK Indicators:

MITRE Tactic            MITRE Technique
Defense Evasion         Hidden Window; Process Injection; Software Packing
Discovery               Security Software Discovery
Persistence             Registry Run Keys / Startup Folder
Privilege Escalation    Process Injection

Selection from The Report:

See Full Detailed Report:

Malware Of The Week is sourced by DeepView Sandbox using SecondWrite’s patented techniques of Forced Code Execution, Program Level Indicators, and Automatic Sequence Detection.