Windows Analysis Report
1.bat

Overview

General Information

Sample name:	1.bat
Analysis ID:	1560840
MD5:	d8a72a9431d01f555ed3ed8806d16fd4
SHA1:	b84a16cc240ec55e5c4d59f3b448261262ddd98c
SHA256:	ead16c58358f83fa2f637ef0ffd426f133671f239d3faedad19fdaa5c4445c2a
Tags:	batHUNuser-smica83
Infos:

Detection

CobaltStrike, MetasploitPSPayload

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Yara detected CobaltStrike

Yara detected Metasploit powershell Payload

Program does not show much activity (idle)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1.bat

Avira: detected

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.bat, type: SAMPLE

Matched rule: Metasploit Payloads - file msf.psh Author: Florian Roth

Yara signature match

Source: 1.bat, type: SAMPLE

Matched rule: Msfpayloads_msf_3 date = 2017-02-09, hash1 = 335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054, author = Florian Roth, description = Metasploit Payloads - file msf.psh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal72.troj.winBAT@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.bat" "

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\cmd.exe

Section loaded: cmdext.dll

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match

File source: 1.bat, type: SAMPLE

Yara detected Metasploit powershell Payload

Source: Yara match

File source: 1.bat, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1560840
Product:	CloudBasic
Start time:	11:57:07
Start date:	22.11.2024
Sample:	1.bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d8a72a9431d01f555ed3ed8806d16fd4
SHA1:	b84a16cc240ec55e5c4d59f3b448261262ddd98c
SHA256:	ead16c58358f83fa2f637ef0ffd426f133671f239d3faedad19fdaa5c4445c2a

Windows Analysis Report
1.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report 1.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
1.bat

Malware Threat Intel
Provided by