MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7
SHA3-384 hash: 489287102aef08c5dc66acab0f9ea5a1dc6b1a852905cf82fd8d6295f832a6096f507597fa20ab362d87f87d419173a9
SHA1 hash: a1b420d05406e5a05d9d6d38fb08c9ebb1c1ebc1
MD5 hash: 2cbe5778c0bf6035056adb44a7e9447f
humanhash: sweet-green-red-mountain
File name:svchost.bat.bin
Download: download sample
File size:6'334'783 bytes
First seen:2025-03-16 11:49:17 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:U9EwvmDo9JiiIQuLco4LtgrMI/Q78505SowfwdFxCCo16h4oaVFrQXRecL+/VEqi:s
Threatray 30 similar samples on MalwareBazaar
TLSH T17F562361EDE17D1A493BC26E6481291E9F8E9D61105EF4DBB3DC215F03EB7801FAB818
Magika txt
Reporter KatzenTech
Tags:bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
RU RU
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
svchost.bat
Verdict:
Malicious activity
Analysis date:
2025-03-15 22:46:50 UTC
Tags:
omani rat evasion quasar remote stealer
Link:
https://app.any.run/tasks/16d803e2-0afc-4ab2-9110-4e5e205a2608

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d6eb3808116ce425717e30
Tags:
obfuscate shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated stealer
Link:
https://www.filescan.io/uploads/67d6baf5d2c4beeae9262416/reports/dca11cf6-675e-48a5-9fe1-e48baaf86bb3/overview
Verdict:
Suspicious
Labled as:
BAT/Kryptik.AD trojan
Link:
https://www.hybrid-analysis.com/sample/b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1639915
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Writes to foreign memory regions
Yara detected Emotet
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1639915 Sample: svchost.bat.bin.bat Startdate: 16/03/2025 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected Powershell decrypt and execute 2->51 53 7 other signatures 2->53 10 cmd.exe 1 2->10         started        process3 signatures4 67 Suspicious powershell command line found 10->67 13 powershell.exe 12 10->13         started        16 conhost.exe 10->16         started        process5 signatures6 69 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 13->69 18 cmd.exe 1 13->18         started        process7 signatures8 55 Suspicious powershell command line found 18->55 21 powershell.exe 16 30 18->21         started        25 powershell.exe 15 18->25         started        27 more.com 1 18->27         started        29 2 other processes 18->29 process9 dnsIp10 45 149.50.97.147, 4782, 49729, 62583 COGENT-174US United States 21->45 59 Writes to foreign memory regions 21->59 61 Modifies the context of a thread in another process (thread injection) 21->61 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->63 65 3 other signatures 21->65 31 winlogon.exe 21->31 injected 34 findstr.exe 1 25->34         started        signatures11 process12 signatures13 71 Injects code into the Windows Explorer (explorer.exe) 31->71 73 Writes to foreign memory regions 31->73 75 Allocates memory in foreign processes 31->75 77 2 other signatures 31->77 36 lsass.exe 31->36 injected 39 svchost.exe 31->39 injected 41 dwm.exe 31->41 injected 43 26 other processes 31->43 process14 signatures15 57 Writes to foreign memory regions 36->57
Score:
84%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-16 02:06:46 UTC
File Type:
Text (Batch)
AV detection:
8 of 22 (36.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqnbcatpyfdygfi4gmzngtsztip5tamy576qs7ezcbtjzjrtuxlq._file
Verdict:
malicious
Label(s):
r77
Create hunting rule
Similar samples:
199dfc21f65c5b4fba080e25c274a0635a715d45edd78ce6b246a1a9ac20a415
33aac84b649e5475245a4f58fd01eba93596780e78a5577ff951de815fee696e
82fc4d9ffed1c41c3ed7794561360c11a5cf19ba252db21cd417e7c504686824
a8e3e0adfc106f2c3a3907c2b45718ba347af190a157c26c5b8af88f5c82a7ae
c45628b9f65c92571bcd7f3b3799ae4215a006b5893d4879a279676007f9f141
d92fd1f359ea6cee13109181468106e381b66479c650dafcce8e3bde4e109e6c
dce7213526e308a4decd939c5caa83de1f67b7a9f82fd6cee0e6a8bfc008b430
dd0396754df3aca8a482242eebfa92db7433781ebdd679507e329e34d4065c98
efc09d4380483145573ac4f1a2b4fe308e9bd4378bffbc44efd00739d2e055a7
error
fca0a09f36e3113cb76d31db06e30dc531a59556e237965ed0a7ebf33ffce11f
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250316-rpl13aszax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b41a11026fc14783151c3332d34e599a1fd98198effd097c9910669ca633a5d7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments