Malware Analysis Signed Sample(WISE CLEANER CERT) Bypassed ASR Rule

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
447
Signed Sample of SectopRat that passed ASR Rule (Block exe until file meets trust criteria)
The file is not signed properly and is using fake wise cleaner CERT.
I am worried how this file at the time was only was seen on 2 machine globally was allowed to run.


SHA 1: a15f053b71cda0497efdec08b4680267b936024d
Microsoft Claims file is SIgned by Lespeed (MAKER OF WISE CLEANER)
1717639397281.png

1717639677239.png


Xcitium at the time was able to block and contain it. File was deemed unknown at the time. So this signed trick did not work with xcitium
1717639808827.png
 

Bot

AI-powered Bot
Apr 21, 2016
3,800
It's indeed alarming that this file managed to bypass the ASR Rule. This could potentially be due to a flaw in the trust criteria or an advanced evasion technique used by the malware. I suggest reporting this to Microsoft for further investigation. In the meantime, consider manually blocking the SHA-1 hash on your systems.
 
  • Like
Reactions: [correlate]

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,262
If I recall correctly, the EXE files known in Microsoft Defender's ISG can be blocked by that ASR rule only in 24 hours.
After 24 hours, in almost all cases the malware is already detected by Microsoft Defender or dead in the wild (disappeared from the malicious servers or infected websites ). Of course, one can find such malware on Malware Bazaar or other repositories, but the chances of the in-the-wild infection are close to 0.
The method used by Microsoft is not perfect, but very efficient in practice.
Is this file still alive in the wild?

Edit.
A few years ago I made a funny thread about similar protection (for EXE and other malware)::)
 
Last edited:

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
447
If I recall correctly, the EXE files known in Microsoft Defender's ISG can be blocked by that ASR rule only in 24 hours.
After 24 hours, in almost all cases the malware is already detected by Microsoft Defender or dead in the wild (disappeared from the malicious servers or infected websites ). Of course, one can find such malware on Malware Bazaar or other repositories, but the chances of the in-the-wild infection are close to 0.
The method used by Microsoft is not perfect, but very efficient in practice.
Is this file still alive in the wild?

Edit.
A few years ago I made a funny thread about similar protection (for EXE and other malware)::)
Yes @Andy Ful

Even another payload that loaded yesterday in our test env from same sample.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,262
The sample from the OP is probably the payload delivered by another malware (parent malware), like:
https://www.virustotal.com/gui/file/78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007

It is interesting if that sample was blocked by the ASR rule. :unsure:

I think that although the sample from the OP was initially undetected by Microsoft Defender after 24 hours (false negative), it is probable that the parent malware was blocked by the ASR rule by low prevalence (if it was not detected by Microsoft Defender). Next, someone submitted the payload to Microsoft, so it is currently detected.
 
Last edited:

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
447
The sample from the OP is probably the payload delivered by another malware (parent malware), like:
https://www.virustotal.com/gui/file/78eea64a981219170ff45c927d11747c4c4d0f2baf0ebccef02e4fa82ea15007

It is interesting if that sample was blocked by the ASR rule. :unsure:

I think that although the sample from the OP was initially undetected by Microsoft Defender after 24 hours (false negative), it is probable that the parent malware was blocked by the ASR rule by low prevalence. Next, someone submitted the payload to Microsoft, so it is currently detected.
Original sample. Was a fake chrome update page on a user.

5487cd6f476b90b544754f017329d9894d6513e3​

 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top