
New SwaetRAT Malware Spreads via Weaponized Python Scripts


The Python script exhibits malicious behavior by leveraging native Windows libraries through Python's `ctypes` facilities (`ctypes`, `windll`, `wintypes`) and .NET reflection (`System.Reflection`) to interact with the operating system at a low level, likely in order to execute malicious payloads or manipulate system processes.

It interacts with the operating system at the API level and, to evade detection, employs live patching of common security functions: `AmsiScanBuffer()` is patched to bypass AMSI-based malware analysis, and `EtwEventWrite()` is patched to prevent the creation of event-tracing logs that could be used to track its activities.

The code modifies the `EtwEventWrite` function in the `ntdll.dll` library so that it returns an expected value without logging anything, by overwriting the first few bytes of its machine code; the patch bytes differ depending on whether the process is 64-bit or 32-bit.

It then decodes a Base64-encoded payload, loads it as an assembly, creates an instance of the entry-point class within that assembly, and finally invokes the entry-point method.

The first bytes of the payload are a DOS header and stub (starting with “MZ”) followed by the “PE\0\0” signature, which indicates that the payload is a Portable Executable (PE) file, the common format for executables and DLLs on Windows systems.
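The header check described above is the first thing an analyst does with a Base64 blob pulled out of a script like this one. The following is an added example, not code from the article or from the malware: it decodes the Base64 payload, verifies the MZ header and the PE signature at the offset the DOS header points to, and reads the few header fields that matter for triage (architecture, EXE vs. DLL, and whether a CLR header is present, which is what makes the payload a .NET assembly loadable via reflection). The sample PE built by `build_sample_pe()` is constructed for the example and has no sections, so it parses but cannot run.

```python
import base64
import binascii
import struct

# Added example (not from the article): minimal triage of a Base64-encoded payload.
# Confirms the payload is a PE file and extracts the header fields a defender wants
# first: machine type, EXE-vs-DLL, and whether a CLR header (.NET) is present.

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def triage_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to classify it; raises ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")

    coff = e_lfanew + 4  # IMAGE_FILE_HEADER directly follows the signature
    machine, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # IMAGE_OPTIONAL_HEADER
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+ (64-bit)
        nrva_off, dd_off = 108, 112
    elif magic == 0x10B:  # PE32 (32-bit)
        nrva_off, dd_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    # Data directory 14 is the CLR runtime header; a non-zero entry marks a .NET image.
    clr_rva = clr_size = 0
    if opt_size >= nrva_off + 4:
        n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
        dir_off = opt + dd_off + CLR_DIRECTORY_INDEX * 8
        if n_dirs > CLR_DIRECTORY_INDEX and dir_off + 8 <= opt + opt_size:
            clr_rva, clr_size = struct.unpack_from("<II", data, dir_off)

    return {
        "machine": MACHINES.get(machine, "unknown(0x%04x)" % machine),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def triage_base64_payload(b64: str) -> dict:
    """Decode a Base64 blob such as the one embedded in the script, then classify it."""
    try:
        data = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not valid Base64: %s" % exc)
    return triage_pe(data)


def build_sample_pe() -> bytes:
    """Constructed sample: a bare x64 .NET PE header (no sections, not runnable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # x64, EXE, not a DLL
    opt = bytearray(240)
    opt[0:2] = struct.pack("<H", 0x20B)              # PE32+
    opt[108:112] = struct.pack("<I", 16)             # NumberOfRvaAndSizes
    opt[224:232] = struct.pack("<II", 0x2008, 0x48)  # CLR header directory entry
    return dos + b"PE\0\0" + coff + bytes(opt)


def sample_payload_b64() -> str:
    """The constructed sample, Base64-encoded the way the script would embed it."""
    return base64.b64encode(build_sample_pe()).decode()


if __name__ == "__main__":
    print(triage_base64_payload(sample_payload_b64()))
```

On a real sample the next steps would be to hash the decoded bytes and hand the file to a .NET decompiler; the point of the check is to do that triage on the decoded payload rather than on the carrier script.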

The .NET binary evades sandbox analysis by copying itself to “%LOCALAPPDATA%\Microsoft\_OneDrive.exe” and then checking the location it is running from, exploiting the common sandbox behavior of executing samples from a fixed directory.

It establishes persistence through a registry key and a startup shortcut. The path of the executable is written to a registry key under the current user’s Software hive, and a shortcut is created in the Startup folder that reads the path back from the registry and launches PowerShell to start the program.

According to the Internet Storm Center, the decoded payload creates a new web client, decodes a hex string into a byte array using the BA function, sleeps for 1.5 seconds, and then executes aspnet_compiler.exe with the decoded byte array as its arguments.
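The chain above (an executable dropped under the user profile with a familiar product name, its path stored under HKCU\Software, a Startup shortcut, and aspnet_compiler.exe launched from that binary) is visible in ordinary endpoint telemetry. The following is an added example, not from the article or the Internet Storm Center analysis: detection logic run over constructed Sysmon-style event lines (EventID 1 process create, 11 file create, 13 registry value set). The pipe-delimited line format, the user name, the registry key name and every path in `SAMPLE_EVENTS` are made up for the example; the `KNOWN_NAMES` allow-list is an assumption about where each product legitimately lives under a user profile, and the benign OneDrive update line shows how it keeps the real product from triggering the rule.

```python
import re

# Added example (not from the article): detection rules for the persistence and
# evasion chain described above, run over constructed Sysmon-style event lines.
# Field names follow Sysmon's; the line format and every value are constructed.

SAMPLE_EVENTS = [
    # constructed: the script's host process drops a binary named like OneDrive under %LOCALAPPDATA%
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Temp\py.exe|TargetFilename=C:\Users\alice\AppData\Local\Microsoft\_OneDrive.exe",
    # constructed: a second copy under %APPDATA% using the other product name from the article
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Microsoft\_OneDrive.exe|TargetFilename=C:\Users\alice\AppData\Roaming\CCleaner.exe",
    # constructed: the executable path stored under the user's Software hive
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Microsoft\_OneDrive.exe|TargetObject=HKU\S-1-5-21-1\Software\Updater\Path|Details=C:\Users\alice\AppData\Local\Microsoft\_OneDrive.exe",
    # constructed: a shortcut created in the Startup folder
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Microsoft\_OneDrive.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    # constructed: aspnet_compiler.exe launched by a binary living in the user profile
    r"EventID=1|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe|ParentImage=C:\Users\alice\AppData\Local\Microsoft\_OneDrive.exe|CommandLine=aspnet_compiler.exe 4d5a...",
    # constructed benign noise: the genuine OneDrive updater writing OneDrive.exe into its own folder
    r"EventID=11|Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe|TargetFilename=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
]

USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")
STARTUP_DIR = r"\start menu\programs\startup\\"[:-1]  # literal "\start menu\programs\startup\"

# Assumed allow-list: the only directory under a user profile where each product
# legitimately keeps its executable (None = never expected under a user profile).
KNOWN_NAMES = {
    "onedrive.exe": r"\appdata\local\microsoft\onedrive\\"[:-1],
    "ccleaner.exe": None,
}


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=' but not '|')."""
    return {k: v for k, v in (field.split("=", 1) for field in line.split("|"))}


def in_user_profile(path: str) -> bool:
    return bool(USER_PROFILE.match(path.lower()))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def masquerading_drop(target: str) -> bool:
    """An .exe written under the user profile that borrows a known product name
    but is not that product's executable in its expected directory."""
    t = target.lower()
    if not in_user_profile(t) or not t.endswith(".exe"):
        return False
    name = basename(t).lstrip("_")  # "_onedrive.exe" -> "onedrive.exe"
    if name not in KNOWN_NAMES:
        return False
    expected_dir = KNOWN_NAMES[name]
    parent_dir = t.rsplit("\\", 1)[0] + "\\"
    legitimate = bool(expected_dir) and parent_dir.endswith(expected_dir) and basename(t) == name
    return not legitimate


def detect(lines) -> list:
    """Return (rule_name, evidence) pairs for every line that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "11":
            target = ev.get("TargetFilename", "")
            if masquerading_drop(target):
                findings.append(("masquerading_drop", target))
            elif STARTUP_DIR in target.lower() and target.lower().endswith(".lnk"):
                findings.append(("startup_shortcut", target))
        elif eid == "13":
            key, value = ev.get("TargetObject", ""), ev.get("Details", "")
            if "\\software\\" in key.lower() and value.lower().endswith(".exe") and in_user_profile(value):
                findings.append(("registry_exe_path", key))
        elif eid == "1":
            if basename(ev.get("Image", "")) == "aspnet_compiler.exe" and in_user_profile(ev.get("ParentImage", "")):
                findings.append(("aspnet_compiler_from_user_profile", ev.get("ParentImage", "")))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(rule, "->", evidence)
```

Each rule alone is noisy on a busy fleet; the value is in seeing several of them from the same image within a short window, which is how the events are ordered here.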

Figure: the configuration can be easily extracted.

SwaetRAT, identified by the SHA256 hash f8ff16829e8fe1d06126c42c76b2bf48c62a02d1c6426e448e723168ecdf19fc, is a .NET binary that copies itself to “%APPDATA%\CCleaner.exe”. Because the binary is not obfuscated, its Remote Access Trojan (RAT) configuration and capabilities are readily extractable.

The sample was previously observed in another campaign and analyzed by eSentire in 2023, where it was identified as the “Swaetrat” RAT. The extracted C2 server, 144.126.149.221:7777, is a crucial piece of intelligence for further investigation and potential disruption of the threat actor’s operations.
