Malware Analysis Help

[hmattyarty25]

I had suspicion the trading software I use (CryptoRocket Metatrader 4) was malicious. The following reports from VirusTotal and Hybrid Analysis showed the sandbox/behavior analysis reports flagged them as malicious:

First Sandbox Report (threat score at the top right is 100/100):
Hybrid Analysis

Second Sandbox Report (mentions of keylogger and persistence):
VirusTotal pt.1 -- VirusTotal pt.2 -- VirusTotal pt.3 -- VirusTotal pt.4
(*included screenshots of these in the attached incase links don't work)

From a malware signature scanning lens, the software was only flagged by 2 out the 62 total scanning vendors so I decided not to link that. Again, I know MetaTrader 4 is a trusted trading software but my version of MetaTrader 4 is from CryptoRocket. I've read online CryptoRocket is a very shady company so I wouldn't put it pass them if they ended up having malware in their applications.

Please let me know what you guys think of the behavior analysis reports. Thanks!

 

[Bot]

The sandbox reports you provided indeed show some alarming flags, especially keylogger and persistence mentions. Even though CryptoRocket's reputation may be questionable, it's important to note that false positives can occur. However, a threat score of 100/100 is concerning. I would recommend not using this software until further analysis is done. Try contacting CryptoRocket about these findings and consider using a more reputable trading software in the meantime.

 

[Wrecker4923]

I don't know what's going on but:
1) Terminal.exe in your hybrid analysis report is a signed executable, but VT hasn't seen this submitted to it.
2) The zip file that you submitted to VT links to a different terminal.exe, with a different SHA256, which is apparently not signed. Another executable in the zip file, MetaEditor.exe, is also unsigned. Both executables have been flagged by 2-3 vendors. I believe Meta Trader executables are signed.

How did the submitted terminal.exe to two sites be different files? Fishy.

 

[hmattyarty25]

I don't know what's going on but:
1) Terminal.exe in your hybrid analysis report is a signed executable, but VT hasn't seen this submitted to it.
2) The zip file that you submitted to VT links to a different terminal.exe, with a different SHA256, which is apparently not signed. Another executable in the zip file, MetaEditor.exe, is also unsigned. Both executables have been flagged by 2-3 vendors. I believe Meta Trader executables are signed.

How did the submitted terminal.exe to two sites be different files? Fishy.

My apologies, I should of clarified that the zip file (CryptoRocketMetatrader4.zip) from the VirusTotal report is the overarching program file that includes the terminal.exe file. Here is the Virus Total Report for just the terminal.exe file. As you can see now, the SHA-256's on both Virus Total and Hybrid Analysis match now.

I also wanted to include a cuckoo sandbox report Cuckoo Report for the terminal file and also for the overarching zip folder Cuckoo Report for the Zip file.

Let me know if you have any more questions as I appreciate your input. Thanks!

 

[Sandbox Breaker]

I'll try to look at this later today

 

[ForgottenSeer 109138]

I would start looking for another application to use for financial business as all 3 are demonstrating malicious behavior and indicators.

Sandbox checks are prevalent "which aware malware will perform", signs of obfuscation are present this goes in hand with sandbox aware and environment awareness as well as tries to evade analysis by sleeping many times. Creating or modifying of Certificates and the Suricata detection of SSLBL: Malicious JA3 SSL-Client Fingerprint.


The sandbox and analysis evasion is typical signs of a RAT. An information stealing malware.

 

[hmattyarty25]

I would start looking for another application to use for financial business as all 3 are demonstrating malicious behavior and indicators.

Sandbox checks are prevalent "which aware malware will perform", signs of obfuscation are present this goes in hand with sandbox aware and environment awareness as well as tries to evade analysis by sleeping many times. Creating or modifying of Certificates and the Suricata detection of SSLBL: Malicious JA3 SSL-Client Fingerprint.


The sandbox and analysis evasion is typical signs of a RAT. An information stealing malware.

Sounds good. I appreciate the input! Would you recommend I do a clean reformat of my computer as there could be a chance this RAT could have spread to other applications on my system?

 

[ForgottenSeer 109138]

Sounds good. I appreciate the input! Would you recommend I do a clean reformat of my computer as there could be a chance this RAT could have spread to other applications on my system?

If you are comfortable doing so, it is certainly one of the best ways to know for sure.

 

[struppigel]

This forum is not meant to verify if files are clean or malicious. It is meant for malware analysis discussions.
Whenever there is doubt because a file has detections on VirusTotal, I highly suggest to submit this to the antivirus vendor(s) in question instead of trying to guess a verdict as it happened here.

The problem with sandbox systems is that they do not know any context. They don't know if it is normal for a file to behave in a certain way or to access certain functions or query certain data. So they tend to be way to aggressive with their malware verdicts / scores. I recommend to ignore such scoring alltogether. Sandbox systems are made for experts who can put those indicators into context. They are not suitable to be used as an antivirus scanner replacement.

Now, let's talk about those indicators in detail

Suricata Alert --> SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Tofsee is a specific malware family that does not fit to this file here. This indicates to me that this fingerprint is a false positive.

Anti-virtualization checks

All the ones marked yellow here are because the file is packed with VMProtect (maybe the wine emulator detection too, I not sure about that), something that you can see with Detect it Easy. Using VMProtect is not malicious. Many companies use VMProtect for their products to prevent piracy. VMProtect makes it deliberately hard for reverse engineers to determine what the file does. That includes making it hard with emulation and virtualization.

File has been identified by 3 antivirus engines

Unfortunately it is normal that a low amount of VT scanning engines have false positives on clean files. Especially if these are not so well known products with heuristic or generic detection names like our sample below.

With that said, I did not perform an analysis on this file and I won't do that because especially with suspected clean files like this it would take weeks. It is not worth it without any actual indicators to start looking for, and again, it is also not the purpose of this forum to verify if files are clean.

tl;dr there is nothing suspicious in those reports but feel free to submit it to the vendors who detect this file so they will analyse it, provide a verdict and fix their detections if necessary.

Thread locked, because this isn't a malware analysis discussion but rather a request to verify if a sample is clean.