Malware Analysis Trusted File is actually TA505 Threat Actor (Found by Human)

Sandbox Breaker

Thread author
We found this out in the wild. One of our analysts noted that the file is listed as trusted but further down the execution chain... a malicious DLL is loaded. TA505 is the threat actor behind this threat. This goes to show that not even automatic analyses are perfect. Human + AI is the way.



File Listed As Trusted By Intezer and VT ✅👺


DLL loaded from Encoded PS Script spawned from the MSI suspect file☣️👨‍🔬
 

harlan4096

Super Moderator

[screenshot]

harlan4096

Super Moderator
Just tried with KES11.11:
Event: Blocked
Application: File that launches another file
User: HARLAN4096-KES-\HARLAN4096-PC
User type: Initiator
Component: Exploit Prevention
Result description: Blocked
Type: Trojan
Name: PDM:Exploit.Win32.Generic
Threat level: High
Object type: Process
Object path: C:\Windows\Installer
Object name: MSI8765.tmp
Reason: Dangerous action
Databases release date: Today, 23/01/2023 1:37:00
SHA256: 9DBAF4E4632E70652FF72BB7890C35E3B9CD7A6939B29B5EEEC0C636D098C64E
MD5: 6AAC525CFCDD6D3978C451BBA2BB9CB3

 

Sandbox Breaker
Thread author
6 months later and Intezer still lists the file as trusted! Wow
 
