MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 6



SHA256 hash: ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0
SHA3-384 hash: af95816033815ab564bd2592711c25aff5e22c6ac1f1c7f3dd3123d6f022d52c85388259be50c0f2ae726756c19b0d91
SHA1 hash: 185a35a99a20422843725342c374ebae76b76fdc
MD5 hash: 3839596a3f33711abce263e7d890b2e9
humanhash: sierra-stream-red-undress
File name: x.bat
Download: download sample
File size: 7'312'129 bytes
First seen: 2024-12-13 12:30:19 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 49152:wDYqqQ9PgglFCYjq3HsyU+CwUp7B+Li23ovqJ+dwvnP/SRqRIEIS1x3KMb/ASHc0:h
TLSH: T1867633613BD82EDF491EC62ED016BD2E23D74FA1989DA4C2C7D136830B5EB639A15C13
Magika: powershell
Reporter: lontze7
Tags: bat

Intelligence


File Origin
# of uploads: 1
# of downloads: 111
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: x.bat
Verdict: No threats detected
Analysis date: 2024-12-13 14:21:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Verdict: Malicious
Score: 90.2%
Tags: obfuscate shell sage

Result
Verdict: SUSPICIOUS
Details: Hidden Powershell. Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
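The "Hidden Powershell" detail and the Sigma, zone.identifier, schtasks and ROOT-certificate signatures above all describe things that can be triaged statically in the batch text before anything is detonated. The Python script below is an added example, not MalwareBazaar's or any vendor's code, and not a Sigma rule: it runs a handful of regex heuristics over batch text, decodes any `-EncodedCommand` blob (Base64 of UTF-16LE) it finds, and rescans the decoded stage, because the `FromBase64String` call a sandbox flags is usually hidden there. `SAMPLE_BAT`, `PAYLOAD`, the `$example` paths, the task name and the rule names are all constructed for illustration and are not the contents of x.bat.

```python
"""Static triage of a batch dropper for the PowerShell-pivot patterns the
sandbox signatures above describe.  Added example, not MalwareBazaar's or
any vendor's code.  SAMPLE_BAT below is constructed for illustration and
is not the content of x.bat; the rules are regex heuristics, not Sigma."""
from __future__ import annotations

import base64
import re

# -EncodedCommand (aliases -e, -ec, -enc) takes Base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (rule name, pattern, what the sandbox signature above calls it)
RULES = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
     "PowerShell started with '-windowstyle hidden'"),
    ("encoded_command", ENC_RE,
     "Base64 encoded PowerShell command"),
    ("frombase64string", re.compile(r"FromBase64String", re.I),
     "FromBase64String cmdlet decoding an embedded payload"),
    ("schtasks_create", re.compile(r"schtasks(?:\.exe)?\s+/create", re.I),
     "schtasks.exe used to add a task schedule"),
    ("root_cert_install",
     re.compile(r'certutil(?:\.exe)?[^\n&|]*-addstore\s+(?:-f\s+)?"?root\b', re.I),
     "new ROOT certificate installed"),
    ("motw_removal", re.compile(r"Unblock-File|Zone\.Identifier", re.I),
     "Zone.Identifier (mark-of-the-web) removed from dropped files"),
]


def decode_encoded_command(b64: str) -> str | None:
    """Decode one -EncodedCommand argument; None if it is not valid
    Base64/UTF-16LE (droppers sometimes pad or split the blob)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(text: str) -> dict[str, list[str]]:
    """Return {rule_name: [matched snippets]} for every rule that fires."""
    hits: dict[str, list[str]] = {}
    for name, pattern, _desc in RULES:
        found = [m.group(0) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


def triage(text: str) -> dict:
    """Scan the batch text, decode every -EncodedCommand blob it carries and
    scan the decoded stage too: the interesting calls usually live there."""
    hits = scan(text)
    decoded = [p for p in (decode_encoded_command(m.group(1))
                           for m in ENC_RE.finditer(text)) if p is not None]
    stage2: dict[str, list[str]] = {}
    for plain in decoded:
        for name, found in scan(plain).items():
            stage2.setdefault(name, []).extend(found)
    return {
        "hits": hits,
        "decoded_commands": decoded,
        "stage2_hits": stage2,
        "verdict": "suspicious" if hits or stage2 else "clean",
    }


# Constructed sample: a minimal dropper that exercises every rule.  The
# paths, task name and payload are placeholders, not taken from x.bat.
PAYLOAD = ("IEX ([Text.Encoding]::UTF8.GetString("
           "[Convert]::FromBase64String('aGVsbG8=')))")
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_BAT = (
    "@echo off\r\n"
    'set "p=powershell"\r\n'
    f"%p% -nop -w hidden -ep bypass -enc {ENCODED}\r\n"
    'schtasks /create /tn "Updater" /tr "C:\\Windows\\$example\\run.bat" '
    "/sc onlogon /ru SYSTEM /f\r\n"
    'certutil -addstore -f "ROOT" C:\\Windows\\$example\\ca.cer\r\n'
    'powershell -c "Unblock-File C:\\Windows\\$example\\*"\r\n'
)

if __name__ == "__main__":
    result = triage(SAMPLE_BAT)
    print("verdict:", result["verdict"])
    for name, _pattern, desc in RULES:
        if name in result["hits"] or name in result["stage2_hits"]:
            print(f"  [{name}] {desc}")
    for cmd in result["decoded_commands"]:
        print("  decoded:", cmd)
```

Run it against a real sample with `triage(open(path, encoding="utf-8", errors="replace").read())`. The heuristics deliberately tolerate the flag abbreviations PowerShell accepts (`-w`, `-enc`, `-ec`), which is what the "Suspicious powershell command line found" class of signature keys on; they will not see through `set`/`call` string reassembly or `certutil -decode` staging, which is why the sandbox verdicts above remain the authority and this is only a first pass.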
Behaviour

Behavior Graph (ID 1574678; sample x.bat; start date 13/12/2024; architecture WINDOWS; score 100). The graph is reproduced here as a process tree; the signatures attached to each node are listed in brackets after it.

Sample-level signatures: Malicious sample detected (through community Yara rule); .NET source code references suspicious native API functions; Found large BAT file; 9 other signatures.

- x.bat
  - cmd.exe [Suspicious powershell command line found; Suspicious command line found]
    - powershell.exe [Uses schtasks.exe or at.exe to add and modify task schedules; Deletes itself after installation; Writes to foreign memory regions; 3 other signatures]
      - dllhost.exe [Contains functionality to inject code into remote processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection); 2 other signatures]
        - injected: winlogon.exe
          - dllhost.exe [Protects its processes via BreakOnTermination flag; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures]
            - injected: svchost.exe
            - injected: spoolsv.exe
            - injected: svchost.exe
            - injected: svchost.exe
        - injected: lsass.exe [Installs new ROOT certificates]
        - injected: svchost.exe [System process connects to network (likely due to code injection or exploit)]
        - injected: 23 other processes [network: iam.nigga.dad]
      - cmd.exe [Suspicious powershell command line found; Suspicious command line found]
        - powershell.exe [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Hides that the sample has been downloaded from the Internet (zone.identifier); 2 other signatures]
          - network: iam.nigga.dad 103.230.121.81, 4782, 49736 (VPSQUANUS, Hong Kong)
          - dropped: C:\Windows\$nya-onimai2\IfMUlU.exe (PE32+)
          - schtasks.exe
            - conhost.exe
        - WMIC.exe
        - conhost.exe
        - 2 other processes
      - cmd.exe
        - dropped: C:\Windows\$rbx-onimai2\$rbx-CO2.bat (DOS batch)
        - conhost.exe
      - conhost.exe
    - WMIC.exe [Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)]
    - conhost.exe
    - 2 other processes
  - IfMUlU.exe [Machine Learning detection for dropped file]
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ldpreload
Author:xorseed
Reference:https://stuff.rop.io/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Batch (bat) ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0 (this sample)

Delivery method: Distributed via web download

Comments