Malware goes undetected by hiding malicious code in uncommon MS Access format

0/64 detections on VirusTotal
as of 05.08.2024

The VMRay Labs team has uncovered a malware that goes completely undetected for weeks by hiding malicious p-code in MS Access' uncommon ACCDE format.

Microsoft Access allows users to export their databases to a “protected” format (ACCDE), promising to keep macros hidden and unmodifiable. This sample abuses that feature to hide its malicious backdoor: a compiled VBA macro designed to drop and execute a malicious PE file stored in the database.

No detections on VirusTotal

0 of 63

In a nutshell:

The ACCDE format is rarely abused by attackers: not a single ACCDE file uploaded to VirusTotal in the last 90 days has a malicious verdict.

VBA macros were compiled to p-code and execodes, complicating static analysis, but dynamic analysis still reveals malicious behavior

Dropped PE file (“MW-Black-Shell”, only 5/75 on VirusTotal) connects to C2 and keeps waiting for commands to execute

The PE file is not stored in the macros but in a table in the database

Schedules itself to be executed at specific times (e.g., daily at 9:30)

Sample SHA256: 615727e8ed031ca82ae1799893d7b42831f3ed86a1dbc5b4f654d2b5646808b5
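
Because the macro code is compiled and hard to inspect statically, the drop-then-execute behavior described above is the more reliable detection point. The following is an added example, not VMRay's code or part of the original report: it correlates Sysmon-style FileCreate (11) and ProcessCreate (1) events to flag any file written by MSACCESS.EXE that is later executed. The event values are constructed, and the scheduled start is assumed to come from the Windows Task Scheduler service.

```python
from ntpath import basename, normcase  # Windows path rules on any OS

# Constructed events using Sysmon field names (11 = FileCreate, 1 = ProcessCreate).
# All paths, users and times are made up for illustration.
ACCESS = r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE"
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2024-01-01 08:58:02", "Image": ACCESS,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\example_payload.exe"},
    {"EventID": 11, "UtcTime": "2024-01-01 08:58:03", "Image": ACCESS,
     "TargetFilename": r"C:\Users\alice\Documents\orders.laccdb"},
    # Assumed scheduled start: the parent is the scheduler host, not Access.
    {"EventID": 1, "UtcTime": "2024-01-01 09:30:00",
     "Image": r"C:\Users\alice\AppData\Roaming\EXAMPLE_PAYLOAD.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "UtcTime": "2024-01-01 09:31:10",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def find_access_dropped_executions(events):
    """Flag process starts whose image file was earlier written by MSACCESS.EXE."""
    written = {}   # normalised path -> time Access first wrote it
    findings = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 11 and basename(ev["Image"]).lower() == "msaccess.exe":
            written.setdefault(normcase(ev["TargetFilename"]), ev["UtcTime"])
        elif ev["EventID"] == 1 and normcase(ev["Image"]) in written:
            parent = ev.get("ParentImage", "")
            findings.append({
                "image": ev["Image"],
                "written_at": written[normcase(ev["Image"])],
                "started_at": ev["UtcTime"],
                "parent": parent,
                # Keyed on the path, so a scheduled start is still caught.
                "launched_by_access": basename(parent).lower() == "msaccess.exe",
            })
    return findings


if __name__ == "__main__":
    for finding in find_access_dropped_executions(SAMPLE_EVENTS):
        print(finding)
```

Matching on the written path rather than on the parent process keeps the rule effective when the dropped file is started by a scheduled task instead of by Access itself.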
