Bind_shell RAT Analysis

Sample Information

Malware used- RAT.Unknown.exe.malz

Type - Remote Access Trojan

Static Analysis

FLOSS-

command used-

	floss.exe .\RAT.Unknown.exe.malz > RAT_floss.txt

Initial Detonation

The malware detects the sandbox, stops running and displays an error.

Dynamic Analysis

Network Analysis-

We see a number of HTTP requests made by the malicious exe file. Navigating to the topmost request we get,

The malware requests this web URI.

The server responds with an executable named msdcorelib.exe. Following that HTTP stream, we get-

INetSim responded to the request with a default executable.

The binary may not be stored on the system under the same name it was requested as. This technique is commonly used by red teamers and malware developers and is known as decoupling.

Host signature Analysis-

Adding a filter in procmon for the malware executable name-

Then run the exe.

We get a large number of events. To track down the downloaded executable, we add another filter to show only file system activity.

There is still a lot of information. Recall that the FLOSS strings output contained a file location.

Adding a filter with that location-

We get some results.

The downloaded executable is saved as mscordll.exe.

This "suspicious" executable has been created in the Startup folder. Thus, whenever the system starts, the executable is also run.

Another set of signatures-

Internal network signatures on the host

TCPView, part of the Sysinternals suite, is used to analyse the connections the malware makes internally.

We need to look out for TCP artifacts such as open sockets or TCP connections.

We see that the malware has opened a listening socket on TCP port 5555. We use netcat to connect to the port using the command-

	nc -nv 10.0.0.4 5555

We get a base64-encoded response. Decoding it, we get-

So the malware is waiting for an attacker to connect and run a command.

This confirms that the RAT provides remote command execution through a bind shell.
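The three host signatures found above (the executable dropped into the Startup folder, the name change between the HTTP request and the file on disk, and the listener the dropped file opens on TCP 5555) can be checked automatically from exported Procmon and TCPView data. The following is an added example, not part of the original write-up; the Procmon CSV rows, the TCPView listener table and the `BENIGN_PORTS` set are constructed for illustration.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed Procmon CSV export (File > Save as CSV); paths mimic the analysis above.
PROCMON_CSV = """Process Name,Operation,Path,Result
RAT.Unknown.exe,CreateFile,C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mscordll.exe,SUCCESS
RAT.Unknown.exe,WriteFile,C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mscordll.exe,SUCCESS
explorer.exe,CreateFile,C:\\Users\\victim\\Desktop\\notes.txt,SUCCESS
"""

# Constructed TCPView-style rows: (process, local address, state).
TCP_LISTENERS = [
    ("svchost.exe", "0.0.0.0:135", "LISTENING"),
    ("mscordll.exe", "0.0.0.0:5555", "LISTENING"),
]

# File name requested over HTTP in the network capture (from the analysis above).
REQUESTED_NAME = "msdcorelib.exe"

# Per-user Startup folder; anything written here runs at logon.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.IGNORECASE)
# Ports expected to be listening on a Windows lab box (constructed allow-list).
BENIGN_PORTS = {135, 139, 445, 3389}

def triage(procmon_csv: str, listeners: List[Tuple[str, str, str]],
           requested_name: str) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {"persistence": [], "decoupling": [], "bind_shell": []}
    dropped = set()  # file names successfully written into the Startup folder
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        m = STARTUP_RE.search(row["Path"])
        if not m or row["Result"] != "SUCCESS" or row["Operation"] not in ("CreateFile", "WriteFile"):
            continue
        name = m.group(1).lower()
        if name not in dropped:  # report each dropped file once
            dropped.add(name)
            findings["persistence"].append(f"{row['Process Name']} wrote {m.group(1)} to Startup folder")
    # Decoupling: the name fetched over HTTP differs from the name saved on disk.
    for name in sorted(dropped):
        if name != requested_name.lower():
            findings["decoupling"].append(f"requested {requested_name} but saved as {name}")
    # Bind shell: a dropped binary listening on a port we do not expect.
    for proc, local, state in listeners:
        port = int(local.rsplit(":", 1)[1])
        if state == "LISTENING" and port not in BENIGN_PORTS and proc.lower() in dropped:
            findings["bind_shell"].append(f"{proc} listening on {local}")
    return findings

if __name__ == "__main__":
    for category, hits in triage(PROCMON_CSV, TCP_LISTENERS, REQUESTED_NAME).items():
        print(category, hits)
```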
