
Windows Analysis Report
t.bat

Overview

General Information

Sample name: t.bat
Analysis ID: 1560320
MD5: 7d92162a87ab1596d06800472848f41e
SHA1: a67854e4e6ea2e2945a0b4469b3ca6c7c012e9bd
SHA256: 5a2ec3d729251a6478500a0c1a4823156b4e59be91cfde9e88602a7c5e1abd8b
Tags: bat, Braodo, rouki555, user-JAMESWT_MHT

Detection

Braodo
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Braodo
Yara detected Powershell download and execute
Program does not show much activity (idle)

Classification

  • System is w10x64
  • cmd.exe (PID: 7420 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\t.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 7366FBEFE66BA0F1F5304F7D6FEF09FE)
No configs have been found
Source | Rule | Description | Author | Strings
t.bat | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security |
t.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
No Sigma rule has matched
No Suricata rule has matched
Source: t.bat | String found in binary or memory: https://github.com/rouki555/dcm/raw/main/Document.zip
Source: t.bat | String found in binary or memory: https://github.com/rouki555/lnk/raw/main/ud.bat
Source: classification engine | Classification label: mal56.troj.evad.winBAT@2/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\t.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: t.bat, type: SAMPLE

Stealing of Sensitive Information

Source: Yara match | File source: t.bat, type: SAMPLE

Remote Access Functionality

Source: Yara match | File source: t.bat, type: SAMPLE
MITRE ATT&CK matrix (tactic: techniques; a count in parentheses is the number of matched signatures):

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Scripting (1); Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Scripting (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Service Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Data Obfuscation; Junk Data
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
Behavior Graph (ID: 1560320, sample: t.bat, start date: 21/11/2024, architecture: WINDOWS, score: 56): signatures "Yara detected Braodo" and "Yara detected Powershell download and execute" attached to the sample; cmd.exe started, which in turn started conhost.exe.

Source | Detection | Scanner | Label | Link
t.bat | 8% | ReversingLabs | Text.Trojan.Generic |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/rouki555/lnk/raw/main/ud.bat | t.bat | false | | high
https://github.com/rouki555/dcm/raw/main/Document.zip | t.bat | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560320
Start date and time: 2024-11-21 17:00:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: t.bat
Detection: MAL
Classification: mal56.troj.evad.winBAT@2/0@0/0
Cookbook Comments:
• Found application associated with file extension: .bat
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: t.bat
No simulations
No context

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Context
s-part-0035.t-0009.t-msedge.net | file.exe | | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | payments.exe | | malicious | FormBook | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | S0FTWARE.exe | | malicious | Stealc, Vidar | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Rte_PRPay.docx | | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | https://floreslaherradura.com/?uid=a2FuZGVyc29uQGJxbGF3LmNvbQ== | | malicious | HTMLPhisher | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | file.exe | | malicious | LummaC | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Fax-494885 Boswell Automotive Group.xlsx | | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Fax-494885 Boswell Automotive Group.xlsx | | malicious | Unknown | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | Y7Zv23yKfb.exe | | malicious | MicroClip | 13.107.246.63

No context
No created / dropped files found
File type: DOS batch file, ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit): 4.704309137111206
TrID:
File name: t.bat
File size: 328'896 bytes
MD5: 7d92162a87ab1596d06800472848f41e
SHA1: a67854e4e6ea2e2945a0b4469b3ca6c7c012e9bd
SHA256: 5a2ec3d729251a6478500a0c1a4823156b4e59be91cfde9e88602a7c5e1abd8b
SHA512: 5a15787cb2d35b199187f15e73ad5775e1cfe7529b002025abfa346713764fb01872a3df383f4dc1214c78a8c8e0440e0b61e9d8daaa976de6c69a6c91591616
SSDEEP: 384:kOCWjeJKOCWjeJ4OCWjeJ4OCWjeJ4OCWjeJ4OCWjeJ4OCWjeJ4OCWjeJ4OCWjeJi:J
TLSH: 0A640C45C39487872C6A0D870D49B42ECCAADE116563C7BEC0F9095B8B2D686D2B9F73
File Content Preview: @REM Encoded text: rqhatenzgwzolsgnldcysrtepdcisrckjcqgzeqcrjdccfjmugotehtosritdhcivgtdnwvfhcihzilihbpmzoyfiadpyntjsairtofvndykctdrtowxyikjsqiiwtmjhhzcxwlaegijpignagpzoqgrqtfguvpggntknuzxkmkhotgtvskdwbnknuzbkqbmhvarxcocrtowqixnyfiigkrtpwrzhwipioyvnvwocuah
Icon Hash: 9686878b929a9886
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 17:00:55.847749949 CET | 1.1.1.1 | 192.168.2.3 | 0x49e6 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 17:00:55.847749949 CET | 1.1.1.1 | 192.168.2.3 | 0x49e6 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 11:00:57
Start date: 21/11/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\t.bat" "
Imagebase: 0x7ff686f60000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 1
Start time: 11:00:57
Start date: 21/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff720030000
File size: 873'472 bytes
MD5 hash: 7366FBEFE66BA0F1F5304F7D6FEF09FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

No disassembly