Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
BPL_1000572_007.bat.exe

Overview

General Information

Sample Name:	BPL_1000572_007.bat.exe
Analysis ID:	708242
MD5:	4ff4a281a08a0681597794a3024fb584
SHA1:	d3a70362b238b82db1ef1aefef920afedf717880
SHA256:	a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
Tags:	exe
Infos:

Detection

DarkCloud

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Generic Dropper

Yara detected DarkCloud

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Creates multiple autostart registry keys

Writes or reads registry keys via WMI

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Encrypted powershell cmdline option found

Machine Learning detection for sample

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Machine Learning detection for dropped file

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Drops PE files

Checks if the current process is being debugged

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Launches processes in debugging mode, may be used to hinder debugging

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

×

Process Tree

System is w10x64

BPL_1000572_007.bat.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\BPL_1000572_007.bat.exe" MD5: 4FF4A281A08A0681597794A3024FB584)

powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Wthdlxoyqvnqsfcfiinf.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe" MD5: 386FB639720C77FC29E68682D264423F)

WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

BPL_1000572_007.bat.exe (PID: 1952 cmdline: C:\Users\user\Desktop\BPL_1000572_007.bat.exe MD5: 4FF4A281A08A0681597794A3024FB584)

pdf.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)

pdf.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)

fireless.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe" MD5: 4FF4A281A08A0681597794A3024FB584)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000D.00000000.435627430.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000016.00000002.591002736.0000000003454000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.539813510.000000000448F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.591295608.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.592125246.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1fae0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.476692694.0000000003969000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x5100:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.478754600.0000000003A55000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000016.00000002.591087529.000000000345D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x210c0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB 0x490e0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.477582382.00000000039C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000014.00000002.598264553.0000000002C65000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0xaccc:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.452043304.0000000002A97000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000011.00000002.598968323.00000000034A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000014.00000002.591358526.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000011.00000002.592176698.00000000032FD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.460105913.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: BPL_1000572_007.bat.exe PID: 5820	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: BPL_1000572_007.bat.exe PID: 5820	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: BPL_1000572_007.bat.exe PID: 5820	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: BPL_1000572_007.bat.exe PID: 1952	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: pdf.exe PID: 3712	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: pdf.exe PID: 3536	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: fireless.exe PID: 1420	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0xe1d8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x2fbb8:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RD_ 0x2fbf4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RD_ 0xe1d8:$s4: ExecQuery 0x361f8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x2fb90:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x2fb4c:$s9: Shell.Application 0x30244:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x2e9e8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0x2fc88:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment 0x35abc:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0xe1d8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment
13.0.BPL_1000572_007.bat.exe.400000.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
13.0.BPL_1000572_007.bat.exe.400000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0xe1d8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.3a05df0.2.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0xe1d8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0xe1d8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.3a55e10.3.raw.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_ 0xe1d8:$s4: ExecQuery 0x7b70:$s7: CopyHere 0x7b2c:$s9: Shell.Application 0x8224:$s9: shell.application 0x69c8:$s12: @TITLE Removing 0x7c68:$s13: @RD /S /Q " 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.486cee0.4.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.BPL_1000572_007.bat.exe.39dddd0.1.raw.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x7b98:$s1: Temporary Directory * for 0x2fbb8:$s1: Temporary Directory * for 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RD_ 0x2fbf4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\RD_ 0xe1d8:$s4: ExecQuery