Edit tour
Windows
Analysis Report
glimps.bat
Overview
General Information
| Sample name: | glimps.bat |
| Analysis ID: | 1671779 |
| MD5: | 77ad50449175d003558fb5b87d66340d |
| SHA1: | 5ed0f70708e374f1e87939137c334d931c1243e0 |
| SHA256: | 9e105ab27b861abfadb5e70187d40c98a7c360bdfe6b434ca78f1b6cb5452c4f |
| Infos: | |
 | |
Detection
| Score: | 0 |
| Range: | 0 - 100 |
| Confidence: | 80% |
Signatures
Program does not show much activity (idle)
Classification
- System is w11x64_office
cmd.exe (PID: 7364 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\glimp s.bat" " MD5: 428CEC6B0034E0F183EB5BAE887BE480) - conhost.exe (PID: 7372 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 9698384842DA735D80D278A427A229AB)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • System Summary
- • Malware Analysis System Evasion
- • Anti Debugging
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Classification label: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 1 Process Injection | 1 Process Injection | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1671779 |
| Start date and time: | 2025-04-23 09:55:05 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 1m 49s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
| Number of analysed new started processes analysed: | 5 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | glimps.bat |
| Detection: | CLEAN |
| Classification: | clean0.winBAT@2/0@0/0 |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, ap pidcertstorecheck.exe, conhost .exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om - Not all processes where analyz
ed, report is missing behavior information
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 5.265504851758705 |
| TrID: |
|
| File name: | glimps.bat |
| File size: | 505 bytes |
| MD5: | 77ad50449175d003558fb5b87d66340d |
| SHA1: | 5ed0f70708e374f1e87939137c334d931c1243e0 |
| SHA256: | 9e105ab27b861abfadb5e70187d40c98a7c360bdfe6b434ca78f1b6cb5452c4f |
| SHA512: | 1623e2ea45f27edda2ed54a2d41623ccd9b05074dd404e5f319c42698a7f2c8d547d1cfbc79bc4c893b4f32b8824e77d113b819f1f7147f4cd65c10daeb815cf |
| SSDEEP: | 12:oT/HfApKGjxvHHvMp5F7Ylewhz6fYlewG4ZSK:ozfApKGjlHkp51+tUf+tGST |
| TLSH: | 22F08B42901292126453BB728AD3AA44B7DF91CE613B245069CEE20A48468328B0135F |
| File Content Preview: | Get-MpComputerStatus....Test-Path 'C:\Program Files (x86)\F5 VPN\f5fpclientW.exe'....Get-NetFirewallRule -PolicyStore ActiveStore -ErrorAction Stop....Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object { $_.Issuer -eq "CN=Microsoft Intune MDM Device |
 | |
| Icon Hash: | 90848e869e9a98a2 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 1 |
| Start time: | 03:56:07 |
| Start date: | 23/04/2025 |
| Path: | C:\Windows\System32\cmd.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff727bd0000 |
| File size: | 323'584 bytes |
| MD5 hash: | 428CEC6B0034E0F183EB5BAE887BE480 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 03:56:07 |
| Start date: | 23/04/2025 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff7bdef0000 |
| File size: | 1'040'384 bytes |
| MD5 hash: | 9698384842DA735D80D278A427A229AB |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
| Has exited: | true |
⊘No disassembly
