MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
SHA3-384 hash: 042648da719654d094cc26d81f82ea7a6e7928c1d1518c50492da1f799060e05f6bece743c058a21b643b4781f37b7c2
SHA1 hash: cbb811467a778fa329687a1afd2243fdc2c78e5a
MD5 hash: 7b05eb7fc87326bd6bb95aca0089150d
humanhash: red-eight-skylark-paris
File name:skf7iF4.bat
Download: download sample
File size:6'302'909 bytes
First seen:2025-03-07 15:55:25 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 49152:wyx7UF5XKIxugHaxSGTPsGgeLMwYz+/fGaaPOQb/dbLMKuvWGLv48H8rmI7iuKHL:Z
TLSH T1625633A514491F7E0AFBA3B6A4FEB45D23AFC709C26776EF87C01060874E76E1060979
Magika txt
Reporter aachum
Tags:bat


Avatar
iamaachum
http://176.113.115.7/files/7563570503/skf7iF4.bat

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
skf7iF4.bat
Verdict:
No threats detected
Analysis date:
2025-03-07 12:19:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6d09e185-4138-489c-ab56-bb8e066ed4ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cae453c8d04e92a4bfac6a
Tags:
obfuscate shell sage
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67cb172225afd13301327bc7/reports/44f8bd9a-1b29-44a7-9afd-0db542ac804e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
Result
Verdict:
SUSPICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631966
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Powershell decrypt and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1631966 Sample: skf7iF4.bat Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 70 Suricata IDS alerts for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Yara detected Powershell decrypt and execute 2->74 76 6 other signatures 2->76 11 cmd.exe 1 2->11         started        process3 signatures4 92 Suspicious powershell command line found 11->92 14 powershell.exe 3 12 11->14         started        17 conhost.exe 11->17         started        process5 signatures6 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->94 19 cmd.exe 1 14->19         started        process7 signatures8 78 Suspicious powershell command line found 19->78 22 powershell.exe 31 30 19->22         started        26 powershell.exe 15 19->26         started        28 more.com 1 19->28         started        30 2 other processes 19->30 process9 dnsIp10 50 176.65.144.14, 4567, 49687 PALTEL-ASPALTELAutonomousSystemPS Germany 22->50 52 ipwho.is 195.201.57.90, 443, 49690 HETZNER-ASDE Germany 22->52 84 Writes to foreign memory regions 22->84 86 Modifies the context of a thread in another process (thread injection) 22->86 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->88 90 3 other signatures 22->90 32 winlogon.exe 22->32 injected 35 findstr.exe 1 26->35         started        signatures11 process12 signatures13 62 Injects code into the Windows Explorer (explorer.exe) 32->62 64 Writes to foreign memory regions 32->64 66 Allocates memory in foreign processes 32->66 68 2 other signatures 32->68 37 lsass.exe 32->37 injected 40 svchost.exe 32->40 injected 42 svchost.exe 32->42 injected 45 26 other processes 32->45 process14 dnsIp15 80 Writes to foreign memory regions 37->80 47 svchost.exe 37->47 injected 82 System process connects to network (likely due to code injection or exploit) 40->82 54 ipwho.is 42->54 56 c.pki.goog 42->56 58 pki-goog.l.google.com 42->58 signatures16 process17 dnsIp18 60 pki-goog.l.google.com 172.217.16.131, 49691, 80 GOOGLEUS United States 47->60
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycyifoxhb2ezabyvp76aez6udn6ybvwef3tpogumauwnsul4xbcq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250307-tdgcjssxgw/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c0b082bae70e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Batch (bat) bat c0b082bae70e899007157ffc0267d41b7d80d6c42ee6f71a8c052cd9517cb845

(this sample)

  
Link
https://tria.ge/250307-s1teyssves/behavioral1
  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3470601/

Comments