
Can't detect hollow process created by ursnif trojan #3

Open
shelovemee opened this issue Aug 3, 2019 · 3 comments

Comments

@shelovemee

shelovemee commented Aug 3, 2019

Hi hasherezade,

Thanks for your great tool. I tested hollows_hunter, and it can detect the hollow process created by AgentTesla, Fareit and Formbook. However, it can't detect the iexplore.exe created by the Ursnif trojan.
You can download the sample below,

http://www.mediafire.com/file/qr9yd9m4ef53nap/wqooz7_ursnif_iexplore.zip/file
78e76bab450a3794449e7673c2f4096c44e47587ae77b1987cab1a13cbb842b8

Another question. Is there a way to use Hollows Hunter to detect a hollow process in real time?

@hasherezade
Owner

Hi!
First of all, thank you for your interest in Hollows Hunter!
Regarding the sample that you provided - I checked it, and indeed this Ursnif runs iexplore.exe. However, I am not sure if it injects any payloads there. I checked manually, by suspending both iexplore processes created (the parent and the child), and it didn't have anything injected. If I scanned iexplore.exe with the option /hooks it detected some hooked DLLs and the shellcode with detours (they could be legitimate hooks).
Are you sure that there is any payload that is supposed to be implanted in iexplore? Please provide more details.

And regarding your other question - detecting in real time: can you explain more precisely what you mean? Do you mean that you would like Hollows Hunter to detect the injection at the moment that it is made? The thing is, PE-sieve (that is the Hollows Hunter's engine) makes only a passive scan, and does not hook the target process. So, it is not aware of the moment of injection. However, if you run Hollows Hunter with the options /pname <process name> /loop it will keep scanning the target process in a loop, till it finds it infected. It is not exactly the same as real-time injection detection, but it can give results that are pretty close.

@shelovemee
Author

Hi hasherezade,

Thanks for your reply.

Iexplore.exe is created after running the Ursnif malware sample. After a few minutes it tried to connect to the C&C server. So I guess it may be hollowed.

I don't want to detect the injection at the moment the API (CreateRemoteThread, WriteProcessMemory, etc.) is being called. I want to detect the moment the process is being hollowed. Keeping all processes scanned in a loop is not performance friendly. :)
Does Hollows Hunter have some caching mechanism so it can skip processes that have already been checked?

@hasherezade
Owner

"Iexplore.exe is created after running the Ursnif malware sample. After a few minutes it tried to connect to the C&C server. So I guess it may be hollowed."

OK, I will check it in more detail when I get some free time. It is also possible that rather than being hollowed (a full PE replaced/injected), the iexplore has a shellcode injected (it can be detected with an additional parameter /shellc).

You said

"I don't want to detect the injection at the moment the API (CreateRemoteThread, WriteProcessMemory, etc.) is being called. I want to detect the moment the process is being hollowed."

But in practice it means exactly the same as what I mentioned. To detect the exact moment when the process is hollowed, there is no other way but detecting when the particular APIs responsible for hollowing are being called. The only other way is a passive scan - what I am doing right now - but then it is not "the exact moment" when the hollowing happened.
Another way of detecting "the exact moment" of hollowing is just by using a debugger.

Regarding skipping the process that was already scanned - no, I did not implement it, because the idea is to re-scan the same process over and over again, till the injection is detected.

"Keeping all processes scanned in a loop is not performance friendly. :)"

The loop is best used when we want to monitor one particular process, i.e.
hollows_hunter.exe /pname iexplore.exe /loop
You can of course use it on all processes too, but sure, it is not gonna be performance friendly.

In general a passive scan has some limitations: it is convenient for some things, but not for others. For example, if you need to find the moment of the hollowing with high accuracy, it is better to use alternative methods.
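The passive scan discussed in this thread, reduced to its core check, as an added example that is not code from Hollows Hunter or PE-sieve: the PE headers of a module as read from the running process are compared against the headers of the file on disk, and any field that differs is a sign that the mapped image is no longer the one that was loaded (full-PE hollowing replaces it wholesale). The two buffers are constructed inline as sample data; in a real scan they would come from the process memory and from the file on disk.

```python
"""Passive disk-vs-memory PE header comparison (added example)."""
import struct


def parse_pe_header(buf: bytes) -> dict:
    """Extract a few identifying fields from the headers of a PE image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature (header wiped or unmapped?)")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    machine, nsections = struct.unpack_from("<HH", buf, coff)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]  # AddressOfEntryPoint
    return {"machine": machine, "sections": nsections,
            "magic": magic, "entry": entry}


def compare_images(disk: bytes, mem: bytes) -> list:
    """Return the header fields that differ between the on-disk file and
    the in-memory module; a non-empty list means the image was replaced."""
    d, m = parse_pe_header(disk), parse_pe_header(mem)
    return [field for field in d if d[field] != m[field]]


def build_image(machine: int, nsections: int, entry: int) -> bytes:
    """Construct a minimal PE header buffer (sample data, not a real binary)."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x44, machine, nsections)
    struct.pack_into("<H", hdr, 0x58, 0x10B)       # PE32 magic
    struct.pack_into("<I", hdr, 0x68, entry)
    return bytes(hdr)


# Constructed sample: the file on disk vs. what a hollowed process maps.
DISK_IMAGE = build_image(0x14C, 5, 0x1000)
MEM_IMAGE = build_image(0x14C, 3, 0x2F00)   # different PE mapped in place

if __name__ == "__main__":
    print("clean   :", compare_images(DISK_IMAGE, DISK_IMAGE))
    print("hollowed:", compare_images(DISK_IMAGE, MEM_IMAGE))
```

Rerunning compare_images on a schedule against a single process is the loop the /loop option performs; the same check also catches a module whose headers were wiped, since parse_pe_header raises instead of silently reporting a match.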
