Malware Analysis Signed Sample(WISE CLEANER CERT) Bypassed ASR Rule

Status
Not open for further replies.

Sandbox Breaker - DFIR

Thread author
Signed sample of SectopRat that passed the ASR rule (Block exe until file meets trust criteria).
The file is not signed properly and is using a fake Wise Cleaner CERT.
I am worried how this file, which at the time was only seen on 2 machines globally, was allowed to run.


SHA-1: a15f053b71cda0497efdec08b4680267b936024d
Microsoft claims the file is signed by Lespeed (MAKER OF WISE CLEANER)
[Screenshots attached]


Xcitium at the time was able to block and contain it. The file was deemed unknown at the time, so this signed trick did not work with Xcitium.
[Screenshot attached]
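To check a sample like this on a defender's side, the following PowerShell script (an added example, not code from the thread or from any vendor) reports what Windows itself says about the Authenticode signature, the certificate chain it trusts, the file hashes compared with the SHA-1 values posted in this thread, and the configured state of the ASR rule being discussed. The file path is a placeholder you supply; the rule GUID is the documented one for "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"; the expected-publisher thumbprint is a placeholder because the thread does not contain the real Lespeed certificate details.

```powershell
# Added example: inspect a suspicious PE's signature, hashes and the ASR rule state.
# Run as: .\Inspect-Sample.ps1 -Path C:\samples\suspect.exe   (path is a placeholder)
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# SHA-1 values posted in the thread (payload and original dropper)
$KnownBadSha1 = @(
    'a15f053b71cda0497efdec08b4680267b936024d',
    '5487cd6f476b90b544754f017329d9894d6513e3'
)

# Placeholder: thumbprint of the publisher certificate you actually expect.
# The thread does not give the genuine Lespeed certificate, so this is an assumption.
$ExpectedPublisherThumbprint = 'REPLACE_WITH_KNOWN_GOOD_THUMBPRINT'

# GUID of the ASR rule "Block executable files from running unless they meet
# a prevalence, age, or trusted list criterion"
$AsrRuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

$sha1   = (Get-FileHash -Path $Path -Algorithm SHA1).Hash.ToLower()
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()

# Ask Windows for its verdict on the Authenticode signature
$sig = Get-AuthenticodeSignature -FilePath $Path

[pscustomobject]@{
    File               = $Path
    SHA1               = $sha1
    SHA256             = $sha256
    MatchesThreadIoC   = $KnownBadSha1 -contains $sha1
    SignatureStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
    StatusMessage      = $sig.StatusMessage
    SignerSubject      = $sig.SignerCertificate.Subject
    SignerIssuer       = $sig.SignerCertificate.Issuer
    SignerThumbprint   = $sig.SignerCertificate.Thumbprint
    SignerNotAfter     = $sig.SignerCertificate.NotAfter
    TimeStamper        = $sig.TimeStamperCertificate.Subject
    ThumbprintExpected = ($sig.SignerCertificate.Thumbprint -ieq $ExpectedPublisherThumbprint)
} | Format-List

# "Valid" only means the chain builds to a root Windows trusts and the file hash
# matches the signed hash. The subject name is attacker-chosen text on a cert
# they obtained, so compare the thumbprint/issuer with what you expect before
# treating the signature as evidence of trust.
if ($sig.Status -eq 'Valid') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built = $chain.Build($sig.SignerCertificate)
    Write-Host "Chain builds with online revocation check: $built"
    foreach ($element in $chain.ChainElements) {
        Write-Host ("  " + $element.Certificate.Subject + "  [" + $element.Certificate.Thumbprint + "]")
    }
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  chain status: " + $status.Status + " - " + $status.StatusInformation.Trim())
    }
    $chain.Dispose()
}

# State of the ASR rule on this host: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$state   = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $AsrRuleId) {
        $state = switch ($actions[$i]) {
            0 { 'Off' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown ($($actions[$i]))" }
        }
    }
}
Write-Host "ASR rule $AsrRuleId state: $state"
```

The point of the thumbprint comparison is that a signature can be cryptographically valid and still belong to the wrong party: a trust decision should rest on the certificate you expect, not on the subject string shown in the file's properties dialog. The ASR check at the end tells you whether the rule was actually in Block mode on the host where the sample ran, which is the first thing to confirm before concluding the rule was bypassed.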
It's indeed alarming that this file managed to bypass the ASR Rule. This could potentially be due to a flaw in the trust criteria or an advanced evasion technique used by the malware. I suggest reporting this to Microsoft for further investigation. In the meantime, consider manually blocking the SHA-1 hash on your systems.
If I recall correctly, the EXE files known in Microsoft Defender's ISG can be blocked by that ASR rule only in 24 hours.
After 24 hours, in almost all cases the malware is already detected by Microsoft Defender or dead in the wild (disappeared from the malicious servers or infected websites). Of course, one can find such malware on Malware Bazaar or other repositories, but the chances of the in-the-wild infection are close to 0.
The method used by Microsoft is not perfect, but very efficient in practice.
Is this file still alive in the wild?

Edit.
A few years ago I made a funny thread about similar protection (for EXE and other malware): :)
Yes @Andy Ful

Even another payload that loaded yesterday in our test env from same sample.

Interesting.
Did you mean that the sample from the OP dropped a new payload? This would suggest that the initial malware is still alive in the wild (even if it is currently detected by MD). (y)
The sample from the OP is probably the payload delivered by another malware (parent malware), like:
https://www.virustotal.com/gui/file/78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007

It is interesting if that sample was blocked by the ASR rule. :unsure:

I think that although the sample from the OP was initially undetected by Microsoft Defender after 24 hours (false negative), it is probable that the parent malware was blocked by the ASR rule by low prevalence (if it was not detected by Microsoft Defender). Next, someone submitted the payload to Microsoft, so it is currently detected.
Original sample. It was a fake Chrome update page on a user.

5487cd6f476b90b544754f017329d9894d6513e3
