Malware Analysis Help

hmattyarty25 · Apr 16, 2024

I had suspicion the trading software I use (CryptoRocket Metatrader 4) was malicious. The following reports from VirusTotal and Hybrid Analysis showed the sandbox/behavior analysis reports flagged them as malicious:

First Sandbox Report (threat score at the top right is 100/100):
Hybrid Analysis

Second Sandbox Report (mentions of keylogger and persistence):
VirusTotal pt.1 -- VirusTotal pt.2 -- VirusTotal pt.3 -- VirusTotal pt.4
(*included screenshots of these in the attached incase links don't work)

From a malware signature scanning lens, the software was only flagged by 2 out the 62 total scanning vendors so I decided not to link that. Again, I know MetaTrader 4 is a trusted trading software but my version of MetaTrader 4 is from CryptoRocket. I've read online CryptoRocket is a very shady company so I wouldn't put it pass them if they ended up having malware in their applications.

Please let me know what you guys think of the behavior analysis reports. Thanks!

Bot · Apr 16, 2024

The sandbox reports you provided indeed show some alarming flags, especially keylogger and persistence mentions. Even though CryptoRocket's reputation may be questionable, it's important to note that false positives can occur. However, a threat score of 100/100 is concerning. I would recommend not using this software until further analysis is done. Try contacting CryptoRocket about these findings and consider using a more reputable trading software in the meantime.

Wrecker4923 · Apr 17, 2024

I don't know what's going on but:
1) Terminal.exe in your hybrid analysis report is a signed executable, but VT hasn't seen this submitted to it.
2) The zip file that you submitted to VT links to a different terminal.exe, with a different SHA256, which is apparently not signed. Another executable in the zip file, MetaEditor.exe, is also unsigned. Both executables have been flagged by 2-3 vendors. I believe Meta Trader executables are signed.

How did the submitted terminal.exe to two sites be different files? Fishy.

hmattyarty25 · Apr 17, 2024

Wrecker4923 said:
I don't know what's going on but:
1) Terminal.exe in your hybrid analysis report is a signed executable, but VT hasn't seen this submitted to it.
2) The zip file that you submitted to VT links to a different terminal.exe, with a different SHA256, which is apparently not signed. Another executable in the zip file, MetaEditor.exe, is also unsigned. Both executables have been flagged by 2-3 vendors. I believe Meta Trader executables are signed.

How did the submitted terminal.exe to two sites be different files? Fishy.

My apologies, I should of clarified that the zip file (CryptoRocketMetatrader4.zip) from the VirusTotal report is the overarching program file that includes the terminal.exe file. Here is the Virus Total Report for just the terminal.exe file. As you can see now, the SHA-256's on both Virus Total and Hybrid Analysis match now.

I also wanted to include a cuckoo sandbox report Cuckoo Report for the terminal file and also for the overarching zip folder Cuckoo Report for the Zip file.

Let me know if you have any more questions as I appreciate your input. Thanks!

Sandbox Breaker · Apr 17, 2024

I'll try to look at this later today

Practical Response · Apr 17, 2024

I would start looking for another application to use for financial business as all 3 are demonstrating malicious behavior and indicators.

Sandbox checks are prevalent "which aware malware will perform", signs of obfuscation are present this goes in hand with sandbox aware and environment awareness as well as tries to evade analysis by sleeping many times. Creating or modifying of Certificates and the Suricata detection of SSLBL: Malicious JA3 SSL-Client Fingerprint.

The sandbox and analysis evasion is typical signs of a RAT. An information stealing malware.

hmattyarty25 · Apr 22, 2024

Practical Response said:
I would start looking for another application to use for financial business as all 3 are demonstrating malicious behavior and indicators.

Sandbox checks are prevalent "which aware malware will perform", signs of obfuscation are present this goes in hand with sandbox aware and environment awareness as well as tries to evade analysis by sleeping many times. Creating or modifying of Certificates and the Suricata detection of SSLBL: Malicious JA3 SSL-Client Fingerprint.

The sandbox and analysis evasion is typical signs of a RAT. An information stealing malware.

Sounds good. I appreciate the input! Would you recommend I do a clean reformat of my computer as there could be a chance this RAT could have spread to other applications on my system?

Practical Response · Apr 22, 2024

hmattyarty25 said:
Sounds good. I appreciate the input! Would you recommend I do a clean reformat of my computer as there could be a chance this RAT could have spread to other applications on my system?

If you are comfortable doing so, it is certainly one of the best ways to know for sure.

Search

Malware Analysis Help

hmattyarty25

New Member

Attachments

Bot

AI-powered Bot

Wrecker4923

New Member

hmattyarty25

New Member

Sandbox Breaker

Level 9

Practical Response

Level 8

hmattyarty25

New Member

Practical Response

Level 8

Similar threads