
Windows Analysis Report


General Information

Sample Name: BPL_1000572_007.bat.exe
Analysis ID: 708242


Yara detected Generic Dropper
Yara detected DarkCloud
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates multiple autostart registry keys
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)


  • System is w10x64
  • BPL_1000572_007.bat.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\BPL_1000572_007.bat.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
    • powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Wthdlxoyqvnqsfcfiinf.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe" MD5: 386FB639720C77FC29E68682D264423F)
      • WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • BPL_1000572_007.bat.exe (PID: 1952 cmdline: C:\Users\user\Desktop\BPL_1000572_007.bat.exe MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • fireless.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • cleanup
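The process tree above is worth re-reading line by line rather than only through the signature list. Three things stand out: powershell.exe (PID 5248) is launched with an -enc argument, which is base64 of a UTF-16LE string and decodes to `Start-Sleep -Seconds 50`, a plain sandbox stall; one MD5 (4FF4A281A08A0681597794A3024FB584) is executed from three different paths (the Desktop sample, `%APPDATA%\note\pdf.exe` and `%APPDATA%\Microsoft\Windows\Templates\fireless.exe`), i.e. the sample copies itself into user-writable persistence locations; and PID 5820 re-launches its own image as PID 1952, the usual setup behind the "Creates a process in suspended mode (likely to inject code)" signature. The Python below is an added example, not Joe Sandbox code; it re-parses the tree text exactly as printed (embedded as constructed input copied from the page), decodes the -enc argument and flags those two patterns automatically. The list of accepted short forms of -EncodedCommand is an assumption of the example.

```python
"""Triage of the process tree printed above (added example; not Joe Sandbox code)."""
import base64
import re
from collections import defaultdict

# The tree lines copied from the report; leading spaces encode parent/child depth.
PROCESS_TREE = r"""
  • BPL_1000572_007.bat.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\BPL_1000572_007.bat.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
    • powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Wthdlxoyqvnqsfcfiinf.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe" MD5: 386FB639720C77FC29E68682D264423F)
      • WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • BPL_1000572_007.bat.exe (PID: 1952 cmdline: C:\Users\user\Desktop\BPL_1000572_007.bat.exe MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • fireless.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
"""

LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.*) "
    r"MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the short forms
# listed here are the ones commonly seen (assumption of this example).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def image_path(cmdline):
    """First token of a Windows command line, surrounding quotes stripped."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE), or None if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped base64 padding
    return base64.b64decode(b64).decode("utf-16-le")


def parse_tree(text=PROCESS_TREE):
    """Return one dict per process: pid, image, path, md5, cmdline, parent_pid."""
    procs, stack = [], []  # stack holds (depth, pid) of the currently open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"]) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        proc = {
            "pid": int(m["pid"]),
            "image": m["image"],
            "path": image_path(m["cmdline"]),
            "md5": m["md5"].upper(),
            "cmdline": m["cmdline"],
            "parent_pid": stack[-1][1] if stack else None,
        }
        procs.append(proc)
        stack.append((depth, proc["pid"]))
    return procs


def hashes_with_multiple_paths(procs):
    """md5 -> sorted distinct image paths, for hashes that ran from more than one
    path (the sample copying itself into user-writable persistence locations)."""
    by_md5 = defaultdict(set)
    for p in procs:
        by_md5[p["md5"]].add(p["path"].lower())
    return {h: sorted(paths) for h, paths in by_md5.items() if len(paths) > 1}


def self_relaunches(procs):
    """(parent_pid, child_pid) pairs where a process starts its own image again,
    the usual prelude to injecting into a child created in suspended mode."""
    by_pid = {p["pid"]: p for p in procs}
    return [
        (p["parent_pid"], p["pid"])
        for p in procs
        if p["parent_pid"] in by_pid
        and by_pid[p["parent_pid"]]["path"].lower() == p["path"].lower()
    ]


def encoded_commands(procs):
    """pid -> decoded PowerShell command for every process carrying -enc."""
    found = {}
    for p in procs:
        decoded = decode_encoded_command(p["cmdline"])
        if decoded is not None:
            found[p["pid"]] = decoded
    return found


if __name__ == "__main__":
    procs = parse_tree()
    for pid, cmd in encoded_commands(procs).items():
        print(f"PID {pid} decoded -enc: {cmd!r}")
    for h, paths in hashes_with_multiple_paths(procs).items():
        print(f"MD5 {h} ran from {len(paths)} paths:", *paths, sep="\n  ")
    print("self re-launch (parent, child):", self_relaunches(procs))
```

Paths are compared case-insensitively because the report prints the same Desktop path once quoted and once unquoted, and Windows paths themselves are case-insensitive; without that normalisation the self-copy check would miscount.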
Malware configuration: no configs have been found.
Yara matches in memory dumps (source | rule | description | author):
00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(26 entries in total; the remaining entries are not included here)
Yara matches in unpacked PE files (source | rule | description | author; string hits listed as offset:$identifier: matched text):
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x7b98:$s1: Temporary Directory * for
  • 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0xe1d8:$s4: ExecQuery
  • 0x7b70:$s7: CopyHere
  • 0x7b2c:$s9: Shell.Application
  • 0x8224:$s9: shell.application
  • 0x69c8:$s12: @TITLE Removing
  • 0x7c68:$s13: @RD /S /Q "
  • 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x7b98:$s1: Temporary Directory * for
  • 0x2fbb8:$s1: Temporary Directory * for
  • 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x2fbf4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0xe1d8:$s4: ExecQuery
  • 0x361f8:$s4: ExecQuery
  • 0x7b70:$s7: CopyHere
  • 0x2fb90:$s7: CopyHere
  • 0x7b2c:$s9: Shell.Application
  • 0x8224:$s9: shell.application
  • 0x2fb4c:$s9: Shell.Application
  • 0x30244:$s9: shell.application
  • 0x69c8:$s12: @TITLE Removing
  • 0x2e9e8:$s12: @TITLE Removing
  • 0x7c68:$s13: @RD /S /Q "
  • 0x2fc88:$s13: @RD /S /Q "
  • 0xda9c:$v1_2: AddAttachment
  • 0x35abc:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
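The A310Logger string hits carry more information than the rule name. The strings themselves (`@TITLE Removing`, `@RD /S /Q "`, `Temporary Directory * for`, the `RunOnce\*RD_` key, `Shell.Application`/`CopyHere`) read like an embedded batch and COM clean-up routine, and the offsets show structure too: in the 39dddd0.1.unpack image every string, including the two case variants of $s9, is hit exactly twice, and the distance between the two hits is 0x28020 bytes for all nine pairs. A constant stride across unrelated strings is the signature of the same blob being present twice in the region, for instance an embedded payload next to its unpacked copy; that reading is an inference from the offsets, not something the report states. The Python below is an added example, not report or rule code; the hit lists are copied from the page as constructed input, and the analysis (group by identifier and matched text, check for one common stride) is general, so it works on any Joe Sandbox string-hit listing, not only this one.

```python
"""Offset analysis of Yara string hits (added example; not report or rule code).
Grouping each hit by string identifier and matched text, then checking whether
every group repeats at one fixed distance, reveals duplicate copies of a payload
inside a dump."""
import re
from collections import defaultdict

# Hit lists copied from the report's MALWARE_Win_A310Logger entries
# (constructed from the page above; one block per unpacked image).
REPORT_HITS = {
    "0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack": r"""
0x7b98:$s1: Temporary Directory * for
0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
0xe1d8:$s4: ExecQuery
0x7b70:$s7: CopyHere
0x7b2c:$s9: Shell.Application
0x8224:$s9: shell.application
0x69c8:$s12: @TITLE Removing
0x7c68:$s13: @RD /S /Q "
0xda9c:$v1_2: AddAttachment
""",
    "0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack": r"""
0x7b98:$s1: Temporary Directory * for
0x2fbb8:$s1: Temporary Directory * for
0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
0x2fbf4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
0xe1d8:$s4: ExecQuery
0x361f8:$s4: ExecQuery
0x7b70:$s7: CopyHere
0x2fb90:$s7: CopyHere
0x7b2c:$s9: Shell.Application
0x8224:$s9: shell.application
0x2fb4c:$s9: Shell.Application
0x30244:$s9: shell.application
0x69c8:$s12: @TITLE Removing
0x2e9e8:$s12: @TITLE Removing
0x7c68:$s13: @RD /S /Q "
0x2fc88:$s13: @RD /S /Q "
0xda9c:$v1_2: AddAttachment
0x35abc:$v1_2: AddAttachment
""",
}

# "0x7b98:$s1: Temporary Directory * for", with or without a leading bullet.
HIT_RE = re.compile(r"^\s*(?:•\s*)?0x([0-9a-fA-F]+):\$(\w+):\s?(.*?)\s*$")


def parse_hits(text):
    """[(offset, identifier, matched_text)] from 'offset:$id: text' lines."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return hits


def group_hits(hits):
    """{(identifier, matched_text): sorted offsets}. Case variants of a nocase
    string (Shell.Application vs shell.application) are kept apart on purpose:
    each variant is its own occurrence inside one copy of the payload."""
    groups = defaultdict(list)
    for off, ident, text in hits:
        groups[(ident, text)].append(off)
    return {k: sorted(v) for k, v in groups.items()}


def repeated_copy_stride(hits):
    """(copies, stride) if every string group occurs the same number of times
    (more than once) with one common distance between occurrences, else None."""
    groups = group_hits(hits)
    counts = {len(offs) for offs in groups.values()}
    if len(counts) != 1 or counts == {1}:
        return None
    strides = {b - a for offs in groups.values() for a, b in zip(offs, offs[1:])}
    if len(strides) != 1:
        return None
    return counts.pop(), strides.pop()


def summarize(report_hits=REPORT_HITS):
    """Per-image summary: distinct identifiers hit, lowest/highest offset,
    and the repeated-copy stride when one exists."""
    out = {}
    for name, text in report_hits.items():
        hits = parse_hits(text)
        offs = [h[0] for h in hits]
        out[name] = {
            "distinct_strings": len({h[1] for h in hits}),
            "span": (min(offs), max(offs)),
            "repeat": repeated_copy_stride(hits),
        }
    return out


if __name__ == "__main__":
    for name, info in summarize().items():
        lo, hi = info["span"]
        rep = info["repeat"]
        print(f"{name}: {info['distinct_strings']} strings, hits in 0x{lo:x}..0x{hi:x}")
        if rep:
            print(f"  {rep[0]} copies of the payload, stride 0x{rep[1]:x} ({rep[1]} bytes)")
```

The first image returns no stride because each string is hit once; the second returns two copies 0x28020 bytes apart. When the check fires, carving the region at the lower hit offsets and again at offset + stride and comparing the two carved blobs is the quick way to confirm (or refute) the duplicate-copy reading.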