Bind_shell RAT Analysis
Last updated
Malware used - RAT.Unknown.exe.malz
Type - Remote Access Trojan
Command used -
The malware detects the sandbox and stops running, giving out an error.
We see a bunch of HTTP requests made by the malicious exe file. Navigating to the topmost request we get,
The malware is requesting this web URI.
Then the server responds with an executable named msdcorelib.exe. Following that HTTP stream, we get -
INetSim responded to the request with a default executable.
Adding a filter in Procmon for the malware executable name -
Then run the exe.
We get a load of processes. To track down the downloaded executable, we add another filter to show only file system activity.
There's a lot of information. Earlier we had a file location from the strings output.
Adding a filter with that location -
We get some results.
The downloaded executable is saved as mscordll.exe.
This "suspicious" executable has been created in the Startup folder. Thus whenever the system starts, the executable is also run.
To analyse the connections made by the malware from inside the VM, TCPView is used. It is part of the Sysinternals suite.
We need to look out for TCP artifacts such as open sockets or TCP connections.
We see that the malware has opened a listening port on TCP 5555. We therefore use netcat to connect to the port with the command -
We get a base64-encoded response. Decoding it, we get -
So the malware is waiting for an attacker to run a command.
This confirms that an attacker can inject commands through the bind shell.
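As an added triage example (not part of the original analysis), the Python below automates the three checks this write-up made by hand: an unexpected listening TCP port, an executable dropped in the Startup folder, and a base64-encoded banner from the socket. The netstat output, the Startup folder listing and the banner are constructed samples, not captured from the real RAT; the allowlist of expected listener ports is an assumption and should be tuned to the host.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed `netstat -ano` excerpt (not from the real sample); PID 4120 stands in for the RAT.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       4120
  TCP    192.168.56.10:49710    192.168.56.1:80        ESTABLISHED     4120
"""

# Constructed listing of the per-user Startup folder.
STARTUP_SAMPLE = [
    r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscordll.exe",
]

# Constructed base64 banner, standing in for what netcat returned on port 5555.
BANNER_SAMPLE = "Y21kPiA="

# Assumption: ports a plain Windows host is expected to listen on; tune per environment.
EXPECTED_LISTENERS = {135, 139, 445, 3389}

# Extensions that should not normally appear as dropped files in a Startup folder.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs", ".ps1"}

def unexpected_listeners(netstat_text):
    """Return (port, pid) for TCP sockets in LISTENING state on ports outside the allowlist."""
    found = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(1)) not in EXPECTED_LISTENERS:
            found.append((int(m.group(1)), int(m.group(2))))
    return found

def startup_executables(paths):
    """Return the names of executable-type files found in the Startup folder listing."""
    return [PureWindowsPath(p).name for p in paths
            if PureWindowsPath(p).suffix.lower() in SUSPICIOUS_EXTENSIONS]

def decode_banner(raw):
    """Decode a base64 banner received from the socket; return None if it is not valid base64."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None

if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(NETSTAT_SAMPLE))
    print("startup executables:", startup_executables(STARTUP_SAMPLE))
    print("decoded banner:", repr(decode_banner(BANNER_SAMPLE)))
```

Correlating the PID of the unexpected listener with the process that dropped the Startup file is what ties the persistence and the bind shell to the same sample.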