In December 2021, SafeGuard Cyber detected a Remote Access Trojan (RAT) being posted in a financial Telegram channel that we monitor as part of our work with digital currency financial services customers. We analyzed and identified the malware sample as a basic RAT and reviewed the messages surrounding the post.
SafeGuard Cyber believes that this was an isolated one-off incident meant to target new unsuspecting users of the channel.
When the file is executed, it runs consistently as a process with the description “Goodcsongvwaiting MFC Application”. While the malware is running, a TCP connection is opened up to 180.215.87.236 on a random high port. The activity seems to just be SYN send packets.
The sample immediately drops two PNG files and a copy of itself into the Appdata\Temp folder. The two PNG files are the same file as they have the same hash values. The PNG files do not have a valid file header and do not seem to have any interaction with the malware sample aside from being dropped from it. These two files may be used to quickly access and execute the parent file from the AppData directory. Additionally, the two files are filled with what appears to be random data, the files do not execute and no activity was seen.
The sample also creates two hidden folders, the parent folder being named C:\$MSIRecycle.Bin and a folder is created within named C:\$MSIRecycle.Bin\bnch. These folders are likely used as the main backdoor entry point by the attacker.
No further activity was found regarding this sample. The file is detected and deleted by Windows Defender as a Trojan:Win32/FarfliTI!MTB.
Filename:
M09image_2021-12-22_18png.bat
File Creation Date:
December 18, 2021
Hashes:
MD5: 4240255efcfb8432b22fea58156e8fa1
SHA1: 199e2406f2440862078a9cd1d61d47ed7e1c7c47
SHA256: 72e79ad4f9b879e09a7e893aebc11c698fcfe870c8294d7ed8ac64eb59a6702c
Malware Internal Name:
Goodcsongvwaiting
Disposition:
Malicious - Trojan Backdoor
Dropped Files:
C:\Users\Username\AppData\Local\Temp\changbanma.png
MD5: 5DB44DB23EF20C5E7052BA30B0402AE5
SHA1: 30BD24725E9FC1225A074E2E8A9E897A9865F7BC
C:\Users\Username\AppData\Local\Temp\M09image_2021-12-22_18png.bat
MD5: 4240255EFCFB8432B22FEA58156E8FA1
SHA1: 199E2406F2440862078A9CD1D61D47ED7E1C7C47
C:\Users\Username\AppData\Local\Temp\meifannao.png
MD5: 5db44db23ef20c5e7052ba30b0402ae5
SHA1: 30bd24725e9fc1225a074e2e8a9e897a9865f7bc
Folders Added:
C:\$MSIRecycle.Bin
C:\$MSIRecycle.Bin\bnch
Persistence
This sample does not establish persistence
Network Traffic:
180.215.87.236 Port: Random High
IOCs
Running Process
Dropped Files
Dropped Folder
Second Dropped Folder
Inside Dropped Folder
Defender Alert