Analysis of SamoRAT

We recently came across a .NET malware sample known as SamoRAT whose main purpose is to receive and execute commands on the infected device. It can also download and execute other malicious programs. In this blog, we will take you through the analysis of the SamoRAT sample.

Static Analysis

Main Function:

Once executed, the program first runs a set of anti-analysis checks on the host machine. It then checks that only a single instance of the program is running; if an instance is already running, the new instance exits automatically.

Fig 1. Main Function

Once those checks pass, the malicious program registers itself with the C&C server and starts receiving remote commands.

Anti-Analysis and Anti-VM Check:

SamoRAT employs anti-analysis checks to detect when it is being analyzed by AV systems, allowing it to change its behavior so that no alarms are triggered by the antivirus software.

Fig 2. Anti-Analysis

It checks for the following:

  1. Detects the manufacturer name for VMware and VirtualBox.
  2. Checks whether a debugger is attached to the program.
  3. Checks whether the host OS is Windows XP.
  4. Checks for SbieDll.dll to detect whether the program is running under Sandboxie.
  5. Checks whether the host machine's disk size is small.

If any of these conditions is met, the program exits to avoid detection. This code snippet is reused from the open-source AsyncRAT.

Mutex Generation:

After passing the anti-analysis checks, the program checks that only a single instance is running on the machine by looking for a mutex named SamoRAT.

Fig 3. Mutex

If the mutex is not found, the program creates it, indicating that an instance is now running.

Bypass AV Systems:

SamoRAT has the functionality to stop the Windows Defender process and disable its features by editing registry keys, to avoid detection at run-time.

Fig 4. Windows Defender Bypass

It also runs several PowerShell commands to disable additional features of Windows Defender.

Fig 5. Disable Additional Features

SamoRAT copies the main executable to the Microsoft Network folder and renames itself to WinServices.exe.

Fig 6. WinServices.exe

To achieve persistence, it creates a scheduled task or modifies the Windows registry, depending on whether it has administrator privileges, so that it runs at start-up.

Fig 7. Persistence

Once the program is installed it registers itself to the C&C server by sending a POST request to

Fig 8. Registration Request

A request with method=registerClient is made to inform the attacker that the program has been installed successfully. If the program crashes during execution, a crash report is uploaded as an image named CrashReport.png.

Command Handler:

Once the program is registered, another POST request is made to the same address to indicate that it is online and ready to receive commands.

SamoRAT can receive four types of command:

  1. DOEX: This command is used for downloading and installing other malicious programs on the infected host.
  2. UNINSTALL: This command instructs the program to uninstall itself and revert the changes made to the system.
  3. DISABLEUAC: This command is used for bypassing the Windows Defender features.
  4. STARTCAPTURE: This command captures screenshots of the infected host.

When the program receives a DOEX command, it downloads the program from the link received and executes it as GoogleCrashHandler.exe.

Fig 9. DOEX command

On receiving the UNINSTALL command, the program deletes the registry entries and scheduled tasks it created during the persistence stage.

Fig 10. UNINSTALL command

It also creates and executes a .bat file with a random name to delete all the files associated with the program.

Fig 11. Delete Files.

Network Analysis:

SamoRAT enumerates basic information about the host machine configuration and sends it to the C&C server.

Here are snapshots of the pcap file captured while monitoring the network traffic:

Fig 12. Network Traffic for Registration
Fig 13. Network Traffic for Crash Report
Fig 14. Network Traffic for online indication

The system enumeration code is shown below:

Fig 15. System Enumeration
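The three beacons described above (registration with method=registerClient, the CrashReport.png upload, and the follow-up online check-in to the same address) can be turned into a simple detection over proxy or HTTP-inspection records. The following is an added example written for this post, not code from the SamoRAT sample or from Xunison; the request records, host name, path and the multipart file-upload shape are constructed assumptions, since the post does not show the real C&C address or the online request's parameters.

```python
import re

# Constructed HTTP request records modelled on the SamoRAT traffic described
# above. Host and path are placeholders, not the sample's real C&C address;
# the online check-in body is assumed, as the post does not show its fields.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "host": "c2.example.invalid", "path": "/api.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "method=registerClient&hwid=ABCDEF&os=Windows%2010"},
    {"src": "10.0.0.5", "method": "GET", "host": "www.example.org", "path": "/",
     "content_type": "", "body": ""},
    {"src": "10.0.0.5", "method": "POST", "host": "c2.example.invalid", "path": "/api.php",
     "content_type": "multipart/form-data; boundary=xyz",
     "body": '--xyz\r\nContent-Disposition: form-data; name="file"; '
             'filename="CrashReport.png"\r\n\r\n\x89PNG...\r\n--xyz--'},
    {"src": "10.0.0.5", "method": "POST", "host": "c2.example.invalid", "path": "/api.php",
     "content_type": "application/x-www-form-urlencoded",
     "body": "hwid=ABCDEF"},
    {"src": "10.0.0.7", "method": "POST", "host": "update.example.net", "path": "/ping",
     "content_type": "application/x-www-form-urlencoded",
     "body": "status=ok"},
]

# Registration beacon: a form field "method" with the value registerClient.
REGISTER_RE = re.compile(r"(?:^|&)method=registerClient(?:&|$)")
# Crash report: a multipart upload whose file name is CrashReport.png.
CRASH_RE = re.compile(r'filename="CrashReport\.png"', re.IGNORECASE)


def classify_requests(requests):
    """Return (src, host, path, label) for every request matching a SamoRAT beacon.

    A registerClient POST marks (src, host, path) as a known C&C endpoint, so
    later POSTs from the same host to that endpoint are flagged as check-ins
    even though their parameters are not known in advance.
    """
    known_c2 = set()
    hits = []
    for r in requests:
        if r["method"] != "POST":
            continue
        key = (r["src"], r["host"], r["path"])
        if REGISTER_RE.search(r["body"]):
            known_c2.add(key)
            hits.append((*key, "samorat_registration"))
        elif CRASH_RE.search(r["body"]):
            hits.append((*key, "samorat_crash_report"))
        elif key in known_c2:
            hits.append((*key, "samorat_online_checkin"))
    return hits
```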

Xunison Protection:

Xunison has detections in place to protect against this attack or vulnerabilities exploited, so customers with updated Xbrain intrusion prevention signatures are protected against this attack. Users should also ensure that they update their Xbrain regularly to prevent attackers from exploiting known vulnerabilities.

Xunison Signature:

Malware Hashes:

We are always looking to hear from the technical community and customers, so if you have any suggestions, comments, questions or want to enquire about any cybersecurity solution or topics then please feel free to email us at

Author: Mitesh Wani
