MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d25a23d4b46dc8fcbdb233c6c96b9d438033cba0fc10452fdffe69ebafdfea8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: d25a23d4b46dc8fcbdb233c6c96b9d438033cba0fc10452fdffe69ebafdfea8f
SHA3-384 hash: ed412a9f0260916ac8189a1d3a3c088d1aa981f882b4085cd9ff5121df7c607ccd6cd0f99bf23cdfd04829e6938504f3
SHA1 hash: 6bd967409c612466686e60dd409183a014171bf4
MD5 hash: e9da2dbc0577f419fcafa37a6b5a3faa
humanhash: montana-massachusetts-hot-queen
File name: update_SC.bat
File size: 14'913'495 bytes
First seen: 2023-08-02 23:42:31 UTC
Last seen: 2023-08-03 14:20:49 UTC
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 49152:NU1C+qSrvDLzzJmTXjAHJOazfuaAjc5lq+C1uFwMGAb/juArG6kFtAR0aUYLm7YF:o
Threatray: 2'287 similar samples on MalwareBazaar
TLSH: T17DE633115F697DBD0EAC833A70AF5E1E0EE06F814448A2D753E7A4CB264EF82454B87D
Reporter: byte
Tags: bat github-readme-com

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 96
Origin country: US

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: update_SC.bat
Verdict: Malicious activity
Analysis date: 2023-08-02 23:45:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching cmd.exe command interpreter
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Running batch commands
Launching the process to interact with network services
Adding an exclusion to Microsoft Defender
Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: anti-vm

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: evad.spyw
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found suspicious powershell code related to unpacking or dynamic code loading
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Powershell connects to network
Renames powershell.exe to bypass HIPS
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Behavior Graph ID: 1284745
Sample: update_SC.bat
Start date: 03/08/2023
Architecture: WINDOWS
Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 3 other signatures

Network (DNS / IP):
  ipwho.is -> 195.201.57.90 (ports 443, 50307; HETZNER-ASDE, Germany), contacted by $sxr-powershell.exe
  github-readme.com -> 188.114.96.3 (ports 443, 50310; CLOUDFLARENETUS, European Union), contacted by kzZETZckmk.cmd.scr
  37.139.129.107 (ports 4782, 50306; LVLT-10753US, Germany), contacted by $sxr-powershell.exe
  144.172.67.172 (ports 50308, 50309, 7702; ASN-QUADRANET-GLOBALUS, United States), contacted by kzZETZckmk.cmd.scr
  168.98.4.0.in-addr.arpa (reverse DNS lookup)

Process tree (child processes indented under their parent; dropped files and per-process signatures in brackets):
cmd.exe  [Very long command line found; Drops PE files with a suspicious file extension]
  cmd.exe  [drops C:\Users\user\Desktop\update_SC.bat.scr (PE32+); Very long command line found; Renames powershell.exe to bypass HIPS]
    update_SC.bat.scr  [drops C:\Users\user\Desktop\a.bat (DOS) and C:\Users\user\AppData\...\kzZETZckmk.cmd (DOS); Potential malicious VBS script found (suspicious strings); Adds a directory exclusion to Windows Defender]
      cmd.exe  [drops C:\Users\user\Desktop\a.bat.exe (PE32+); Renames powershell.exe to bypass HIPS]
        a.bat.exe  [drops C:\Windows\System32\vcruntime140d.dll, C:\Windows\System32\vcruntime140_1d.dll, C:\Windows\System32\ucrtbased.dll (all PE32+) and 3 other files (none is malicious); Suspicious powershell command line found; Very long command line found; Bypasses PowerShell execution policy; 3 other signatures]
          $sxr-powershell.exe  [connects to 37.139.129.107 and ipwho.is; Suspicious powershell command line found; Very long command line found; Writes to foreign memory regions; 6 other signatures]
            dllhost.exe  [Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign process; injected into lsass.exe, winlogon.exe, svchost.exe and 4 other processes]
              lsass.exe (injected)  [Writes to foreign memory regions]
              winlogon.exe (injected)
              svchost.exe (injected)
            dllhost.exe
            $sxr-powershell.exe
          dllhost.exe
        net.exe
          net1.exe
        conhost.exe
      wscript.exe  [Wscript starts Powershell (via cmd or directly)]
        cmd.exe  [drops C:\Users\user\AppData\...\kzZETZckmk.cmd.scr (PE32+); Renames powershell.exe to bypass HIPS]
          kzZETZckmk.cmd.scr  [drops C:\Users\user\AppData\Roaming\a.bat (DOS); connects to github-readme.com and 144.172.67.172; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Adds a directory exclusion to Windows Defender]
            cmd.exe  [drops C:\Users\user\AppData\Roaming\a.bat.exe (PE32+); Renames powershell.exe to bypass HIPS]
              conhost.exe
            powershell.exe
              conhost.exe
            powershell.exe
              conhost.exe
            2 other processes
              conhost.exe
          conhost.exe
      powershell.exe
        conhost.exe
      4 other processes (each with a conhost.exe)
    conhost.exe
  conhost.exe
$sxr-mshta.exe  [Drops executables to the windows directory (C:\Windows) and starts them]
  $sxr-cmd.exe  [Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Drops executables to the windows directory (C:\Windows) and starts them]
    conhost.exe
    $sxr-powershell.exe
wscript.exe  [Wscript starts Powershell (via cmd or directly)]
Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

File type: Batch (bat)
SHA256 hash: d25a23d4b46dc8fcbdb233c6c96b9d438033cba0fc10452fdffe69ebafdfea8f (this sample)
Delivery method: Distributed via web download

Comments