Windows Analysis Report
t.bat

Overview

General Information

Sample name: t.bat
Analysis ID: 1560320
MD5: 7d92162a87ab1596d06800472848f41e
SHA1: a67854e4e6ea2e2945a0b4469b3ca6c7c012e9bd
SHA256: 5a2ec3d729251a6478500a0c1a4823156b4e59be91cfde9e88602a7c5e1abd8b
Tags: batBraodorouki555user-JAMESWT_MHT
Infos:

Detection

Braodo
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Braodo
Yara detected Powershell download and execute
Program does not show much activity (idle)

Classification

Source: t.bat String found in binary or memory: https://github.com/rouki555/dcm/raw/main/Document.zip
Source: t.bat String found in binary or memory: https://github.com/rouki555/lnk/raw/main/ud.bat
Source: classification engine Classification label: mal56.troj.evad.winBAT@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\t.bat" "
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\t.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: t.bat, type: SAMPLE

Stealing of Sensitive Information
barindex
Yara detected Braodo
Source: Yara match File source: t.bat, type: SAMPLE

Remote Access Functionality
barindex
Yara detected Braodo
Source: Yara match File source: t.bat, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1560320 Sample: t.bat Startdate: 21/11/2024 Architecture: WINDOWS Score: 56 10 Yara detected Braodo 2->10 12 Yara detected Powershell download and execute 2->12 6 cmd.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started       
No contacted IP infos

Contacted Domains

Name IP Active
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true