Malware Analysis: Signed Sample (WISE CLEANER CERT) Bypassed ASR Rule

Sandbox Breaker

Signed sample of SectopRAT that passed the ASR rule (Block exe until file meets trust criteria).
The file is not signed properly and is using a fake Wise Cleaner CERT.
I am worried about how this file, which at the time was only seen on 2 machines globally, was allowed to run.


SHA-1: a15f053b71cda0497efdec08b4680267b936024d
Microsoft claims the file is signed by Lespeed (maker of Wise Cleaner).

Xcitium at the time was able to block and contain it. The file was deemed unknown at the time, so this signing trick did not work with Xcitium.
 

Bot

It's indeed alarming that this file managed to bypass the ASR Rule. This could potentially be due to a flaw in the trust criteria or an advanced evasion technique used by the malware. I suggest reporting this to Microsoft for further investigation. In the meantime, consider manually blocking the SHA-1 hash on your systems.
 

Andy Ful

If I recall correctly, the EXE files known in Microsoft Defender's ISG can be blocked by that ASR rule only in 24 hours.
After 24 hours, in almost all cases the malware is already detected by Microsoft Defender or dead in the wild (disappeared from the malicious servers or infected websites). Of course, one can find such malware on Malware Bazaar or other repositories, but the chances of the in-the-wild infection are close to 0.
The method used by Microsoft is not perfect, but very efficient in practice.
Is this file still alive in the wild?

Edit.
A few years ago I made a funny thread about similar protection (for EXE and other malware)::)
 

Sandbox Breaker

Yes @Andy Ful

Even another payload loaded yesterday in our test env from the same sample.
 

Andy Ful

The sample from the OP is probably the payload delivered by another malware (parent malware), like:
https://www.virustotal.com/gui/file/78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007

It is interesting if that sample was blocked by the ASR rule. :unsure:

I think that although the sample from the OP was initially undetected by Microsoft Defender after 24 hours (false negative), it is probable that the parent malware was blocked by the ASR rule by low prevalence (if it was not detected by Microsoft Defender). Next, someone submitted the payload to Microsoft, so it is currently detected.
 

Sandbox Breaker

Original sample. Was a fake Chrome update page on a user.

5487cd6f476b90b544754f017329d9894d6513e3​
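
A host-side triage check for a case like the one in this thread, as an added PowerShell example that is not part of the original posts: it reports the mode of the ASR rule under discussion, the file's SHA-1 and Authenticode verification result, and any ASR block or audit events logged for that file. The `-Path` value is a hypothetical location of the sample copy; the rule GUID and event IDs 1121/1122 are Microsoft's documented values for this rule and for ASR block/audit events.

```powershell
# Added example, not code from the thread. Run elevated on a host protected by Microsoft Defender.
param(
    [Parameter(Mandatory)]
    [string] $Path    # hypothetical: location of the sample copy being triaged
)

# "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
$RuleId      = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Is the rule configured on this host, and in which mode?
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$mode    = 'Not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $RuleId) { $mode = $ActionNames[[int]$actions[$i]] }
}

# 2. Hash and Authenticode result. Status 'Valid' means the embedded signature
#    verified and chained to a trusted root on this host; anything else
#    (NotSigned, HashMismatch, NotTrusted, UnknownError) means it did not.
$sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
$sig  = Get-AuthenticodeSignature -LiteralPath $Path

# 3. ASR block (1121) and audit (1122) events for this rule that mention the file name.
$leaf   = [regex]::Escape((Split-Path -Path $Path -Leaf))
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $RuleId -and $_.Message -match $leaf })

[pscustomobject]@{
    AsrRuleMode      = $mode
    Sha1             = $sha1
    SignatureStatus  = $sig.Status
    StatusMessage    = $sig.StatusMessage
    SignerSubject    = $sig.SignerCertificate.Subject
    SignerThumbprint = $sig.SignerCertificate.Thumbprint
    AsrEventCount    = $events.Count
}
```

Compare `SignerThumbprint` with the thumbprint on a known-good build from the named publisher; a matching subject string alone does not establish that the same certificate was used.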

 
