Trojan:Script/Sabsik.fl.A!ml Analysis & Removal Guide

Trojan:Script/Sabsik.fl.A!ml Removal guide
Sabsik is a generic name used by Microsoft Defender for stealer malware with some advanced functionality

Trojan:Script/Sabsik.fl.A!ml is a generic detection name used by Microsoft Defender. This name is particularly used to denote stealer malware that also possesses dropper capabilities. It can perform various activities of the attacker’s choice on the victim’s computer, such as spying, data theft, remote control, and installation of other viruses. In this article, we will tell you how to analyze, detect, and remove this trojan from your computer.

What is Trojan:Script/Sabsik.fl.A!ml?

Trojan:Script/Sabsik.fl.A!ml is a trojan detected by Windows Defender. This detection particularly refers to stealer malware that is also capable of other activities, for instance – deploying other malware.

Move MS Office file Emotet
Request to move a lure file to the MS Office root directory

Typically, Sabsik Trojans are distributed through email spam. The email attachments contain a hidden script that triggers the malware to download and run when macros are activated. As a result, users who accidentally open these files download and run the virus without realizing it. Some Sabsik samples can self-distribute through vulnerabilities in the Windows network, such as EternalBlue.

Trojan Sabsik Threat Analysis

Probably, the best-known malware sample that was detected as Trojan:Script/Sabsik.fl.A!ml is Emotet Trojan. Even though it now borders its extinction, the fact of this signature relation to this malware gives us an excellent clue on what you can expect when Sabsik is running in the system.

Launch and Detection Evasion

Emotet a.k.a Sabsik uses a variety of techniques to avoid detection by antivirus software and ensure it runs successfully on target systems. The malware typically employs deep packing, obfuscation, and other detection evasion techniques, making it difficult for traditional antivirus solutions to detect its presence. When arranging its launch, this malware typically performs a trick known as DLL sideloading.

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dllto register the malware DLL.

C:\Windows\SysWOW64\rundll32.exe "C:\Users\Admin\AppData\Local\Temp\007852768570c1d9528259e7e52aecf5e4ae97dadd75a459cc53f9acca65054d.dll",DllRegisterServerto launch the latter.

Modules

Emotet is modular malware, meaning it can extend its functionality by loading additional modules. Not all Sabsik samples possess modularity, but it has become a more and more widespread feature in modern malware. Some of the common modules associated with this threat include:

  • Stealer Module – used for stealing banking credentials and other sensitive information.
  • Hardware Module – collects detailed information about the infected system.
  • XMRig Module – utilized for cryptocurrency mining purposes.
  • Advanced Email Stealer Module – steals email credentials and contact lists.
  • SMB Lateral Movement Module – enables lateral movement within a network by exploiting SMB vulnerabilities.
  • Traffic Proxying (UPnP) Module – facilitates the redirection of traffic to C2 servers through compromised servers.

Establishing Persistence & Data Stealing

After infecting the system, Sabsik creates a registry key in the infected system’s registry, ensuring that it is launched every time the system boots up. This persistence mechanism allows Sabsik to maintain a foothold on the infected system, even after reboots. Malware creates a DWORD key with the following contents in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry hive:

C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Tzusqvzhnftw\gwwfpucmcdt.ruj

Data Collection & Other Functionality

Despite focusing on banking info, Emotet/Sabsik is capable of collecting various types of sensitive information from infected systems. This may include usernames, passwords, system information, and email credentials. Sabsik also possesses functionality for self-propagation through email spamming and lateral movement within networks, allowing it to rapidly spread and infect multiple systems.

Malware Delivery by Emotet

Despite originally being a banking stealer, Emotet is mostly known as dropper malware. In the prime days, vast networks controlled by Emotet were used to deploy various payloads to infected systems. Among them were ransomware, spyware, coin miners, and other types of malware. Emotet indiscriminately targets both individual users and organizations, spreading its malicious payloads according to the directives of its operators.

C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking --disable-features=OptimizationGuideModelDownloading,OptimizationHintsFetching,OptimizationTargetPrediction,OptimizationHints "https://brooklyn.blob.core.windows.net/pen-test/MaliciousDOC.doc

Trojan:Script/Sabsik.fl.A!ml – False Positive or Not?

In some cases, Sabsik Trojan may be mistakenly detected by antivirus software if you try to run a legitimate file such as a game, application, or driver. This can happen due to an incorrect signature, incompatibility, corruption, or file change. According to several user reports, popular games downloaded from legitimate sources may sometimes be mistakenly flagged as Trojan:Script/Sabsik.fl.A!ml.

One particular example comes from a BattleNET user who purchased Diablo II Resurrected and was warned about the Sabsik Trojan when trying to launch the game. It’s not hard to guess that a game released by a company as big as Blizzard would not contain malware. If you are 100% sure that the source of your download is safe, the Sabsik Trojan notification could easily be a false positive.

It is also important to note the presence of the “!ml” particle added to the detection name. This stands for the use of an AI detection system. While this method is highly effective, it can generate false positive detections without confirmation from other detection systems.

However, it is impossible to be 100% sure that the source of the downloads is safe. If after interacting with a shadow file of unknown origin you see a warning about the Sabsik Trojan program, you should quarantine/remove the source of the threat.

How to remove Trojan:Script/Sabsik.fl.A!ml?

If Sabsik Trojan was detected in an untrusted file, you should delete it. However, this is not enough to be sure of your security. We recommend performing a full system scan with a reliable anti-malware tool such as GridinSoft Anti-Malware. Last but not least, you may want to consider changing important passwords in case they are compromised, although this is unlikely to happen.

Download and install GridinSoft Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

GridinSoft Anti-Malware main screen

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click “Advanced mode” and see the options in the drop-down menus. You can also see extended information about each detection – malware type, effects and potential source of infection.

Scan results screen

Click “Clean Now” to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *