Windows Analysis Report
BPL_1000572_007.bat.exe

Overview

General Information

Sample Name:BPL_1000572_007.bat.exe
Analysis ID:708242
MD5:4ff4a281a08a0681597794a3024fb584
SHA1:d3a70362b238b82db1ef1aefef920afedf717880
SHA256:a6db7e8c70adc90b74c0f08503f49cf041d79afed3b916676892725ce2dbcce0
Tags:exe

Detection

DarkCloud
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Generic Dropper
Yara detected DarkCloud
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Creates multiple autostart registry keys
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Machine Learning detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • BPL_1000572_007.bat.exe (PID: 5820 cmdline: "C:\Users\user\Desktop\BPL_1000572_007.bat.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
    • powershell.exe (PID: 5248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Wthdlxoyqvnqsfcfiinf.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Local\Temp\Wthdlxoyqvnqsfcfiinf.exe" MD5: 386FB639720C77FC29E68682D264423F)
      • WerFault.exe (PID: 5744 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 1352 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • BPL_1000572_007.bat.exe (PID: 1952 cmdline: C:\Users\user\Desktop\BPL_1000572_007.bat.exe MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3712 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • pdf.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\note\pdf.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • fireless.exe (PID: 1420 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\fireless.exe" MD5: 4FF4A281A08A0681597794A3024FB584)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.571147253.000000000CCE0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000014.00000002.590614103.0000000002A7E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.448721724.000000000298E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000016.00000002.597986476.00000000035FF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000016.00000002.590549636.0000000003428000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Source | Rule | Description | Author | Strings
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
0.2.BPL_1000572_007.bat.exe.2a9d9dc.0.raw.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
              • 0x7b98:$s1: Temporary Directory * for
              • 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
              • 0xe1d8:$s4: ExecQuery
              • 0x7b70:$s7: CopyHere
              • 0x7b2c:$s9: Shell.Application
              • 0x8224:$s9: shell.application
              • 0x69c8:$s12: @TITLE Removing
              • 0x7c68:$s13: @RD /S /Q "
              • 0xda9c:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
0.2.BPL_1000572_007.bat.exe.39dddd0.1.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
                • 0x7b98:$s1: Temporary Directory * for
                • 0x2fbb8:$s1: Temporary Directory * for
                • 0x7bd4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
                • 0x2fbf4:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
                • 0xe1d8:$s4: ExecQuery
                • 0x361f8:$s4: ExecQuery
                • 0x7b70:$s7: CopyHere
                • 0x2fb90:$s7: CopyHere
                • 0x7b2c:$s9: Shell.Application
                • 0x8224:$s9: shell.application
                • 0x2fb4c:$s9: Shell.Application
                • 0x30244:$s9: shell.application
                • 0x69c8:$s12: @TITLE Removing
                • 0x2e9e8:$s12: @TITLE Removing
                • 0x7c68:$s13: @RD /S /Q "
                • 0x2fc88:$s13: @RD /S /Q "
                • 0xda9c:$v1_2: AddAttachment
                • 0x35abc:$v1_2: AddAttachment
0.2.BPL_1000572_007.bat.exe.3a05df0.2.raw.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security
                  No Sigma rule has matched
                  Timestamp:192.168.2.6185.252.178.6349707802034631 09/23/22-07:59:51.380310
                  SID:2034631
                  Source Port:49707
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected
                  Timestamp:192.168.2.6185.252.178.6349712802034631 09/23/22-08:01:54.005892
                  SID:2034631
                  Source Port:49712
                  Destination Port:80
                  Protocol:TCP
                  Classtype:A Network Trojan was detected