Our newWorld researcher spotted a malicious URL during threat hunting activity. They then inspected the host that was contacting the malicious domain and, while doing so, spotted an executable connecting to the malicious site. Our researcher collected the suspected file and copied it for analysis.
File type: PE (Exe)
Hash (SHA 256): 092d20f9d0c805802da89a801ca11db56d1a31727cfd7b040b7ced5037ded18b
File Size: 133 KB
We loaded this sample in a debugger to understand its functionality. We spotted a call to the ‘DragAcceptFiles’ function, the Win32 API that takes a window handle and registers whether that window will accept dropped files.
The sample performs process injection into explorer.exe, winver.exe, and other remote processes. We also observed the following network packet:
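The two indicators this write-up gives a defender are the sample's SHA-256 hash and its habit of injecting into explorer.exe and winver.exe. The following is an added example (not code from the original write-up) that turns both into a simple check: it hashes file contents against the hash listed above, and it scans constructed Sysmon-style CreateRemoteThread (Event ID 8) records for cross-process thread creation into those two targets. The pipe-delimited log format, the sample event lines, and the small allowlist of benign system sources (csrss.exe) are assumptions made for the example, not data from the page.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SHA-256 of the sample, copied from the write-up above
TINBA_SAMPLE_SHA256 = "092d20f9d0c805802da89a801ca11db56d1a31727cfd7b040b7ced5037ded18b"

# Processes the write-up names as injection targets
INJECTION_TARGETS = {"explorer.exe", "winver.exe"}

# Assumed allowlist: system processes that legitimately create remote threads.
# This is an example assumption, not something the write-up states.
BENIGN_REMOTE_THREAD_SOURCES = {"csrss.exe"}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (e.g. a file read in binary mode)."""
    return hashlib.sha256(data).hexdigest()


def matches_sample_hash(data: bytes) -> bool:
    """True when the content hashes to the Tinba sample listed in the write-up."""
    return sha256_of_bytes(data) == TINBA_SAMPLE_SHA256


@dataclass
class RemoteThreadEvent:
    """Fields modelled on Sysmon Event ID 8 (CreateRemoteThread)."""
    source_image: str
    target_image: str


def parse_event_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' log line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_injection(evt: RemoteThreadEvent) -> bool:
    """Flag a remote thread created into explorer.exe/winver.exe by a non-allowlisted process."""
    src = basename(evt.source_image)
    tgt = basename(evt.target_image)
    if src == tgt:  # a process creating a thread in itself is not injection
        return False
    if tgt not in INJECTION_TARGETS:
        return False
    return src not in BENIGN_REMOTE_THREAD_SOURCES


def find_injection_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source, target) basenames for every suspicious Event ID 8 record."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        fields = parse_event_line(line)
        if fields.get("EventID") != "8":
            continue  # only CreateRemoteThread records are relevant here
        evt = RemoteThreadEvent(fields.get("SourceImage", ""), fields.get("TargetImage", ""))
        if is_suspicious_injection(evt):
            alerts.append((basename(evt.source_image), basename(evt.target_image)))
    return alerts


# Constructed sample events: two injections by the suspect binary, one benign csrss.exe
# remote thread, and an unrelated process-creation event that should be ignored.
SAMPLE_EVENTS = [
    "EventID=8|SourceImage=C:\\Users\\lab\\Desktop\\sample.exe|TargetImage=C:\\Windows\\explorer.exe",
    "EventID=8|SourceImage=C:\\Users\\lab\\Desktop\\sample.exe|TargetImage=C:\\Windows\\System32\\winver.exe",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for src, tgt in find_injection_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {src} created a remote thread in {tgt}")
    print("empty input matches sample hash:", matches_sample_hash(b""))
```

Run against the constructed events, the two sample.exe records are reported and the csrss.exe record is not; in a real deployment the allowlist and the target list would be tuned to the environment, and the hash check would be run over the bytes of files collected from the host.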
This is the malicious URL we spotted during our threat hunting. Many vendors block it as a malicious site. We checked the hash of our specimen on VirusTotal, where it is detected as the Tinba banking trojan.
Maintaining best security practices is key to fighting this sort of malware. Keeping all security patches up to date is highly recommended.