File name:	SAB4.0.bat
Full analysis:	https://app.any.run/tasks/55f913d9-160c-42c1-a7a1-b3a768c19753
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 09:19:31
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	discord exfiltration stealer auto-startup ims-api generic
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with very long lines (305), with CRLF line terminators
MD5:	5AFC9939492724F69A4F6B36BBB5A096
SHA1:	CDA1D147D0A5E2EAB0EE62067FD77CE6AD42050A
SHA256:	53A126B2C232707DA87DF2E6D970D3A2F29D3D1C1DCB9C2DB500528041AA2964
SSDEEP:	96:nQI80iN8wDIH5E8+a/kBxtvqEqJKIEXvEgMaNqf1:nQIt6IHvn/kBvyxUDXcgbNqd


(PID) Process:	(4380) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(4380) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(6408) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SmartScreenEnabled
Value: Off
(PID) Process:	(1380) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(1068) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(6776) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(5532) reg.exe	Key:	HKEY_CURRENT_USER\Control Panel\Mouse
Operation:	write	Name:	SwapMouseButtons
Value: 1
(PID) Process:	(6756) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoDesktop
Value: 1
(PID) Process:	(6936) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(2368) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1

PID	Process	Filename		Type
4380	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qu5sto2z.ihc.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1296	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_mrblog.png		image
		MD5:4450AF8C6AF66505DBDD7F6F7BEDF27A	SHA256:1022B01414B9C20C971572F8B8DB399BA40C7769F4CDC06B91A1D25E7C5DA82F
4380	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gwwthb2j.ysl.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1296	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_photosprocessing.jpg		image
		MD5:2BD720DDD568B4EC5DFFF235E9883C3D	SHA256:98E667111C362551491215491974F35A50C3965D92CCB6C3E593C2EBCA5CF0F6
1296	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_xmlfun.jpg		image
		MD5:21E545AE6CEF2F8F39F7CD240A2C2395	SHA256:A1258FA29A55FDB4D2889F44B4A30F2B659C9AAFF60ABB1636B1F5F838986362
1296	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_eurcustomer.jpg		image
		MD5:09F17CEAE721732C26A720AB0389D8BD	SHA256:584F8FC42FD52C9BB292468BB030D6CB6C54C88E8A9E8DF6E85FB6FDAE369AE8
1296	cmd.exe	C:\Users\admin\Desktop\VARIETY_WOLFED.txt		text
		MD5:F99B0AED3B460ACF03DDA056CD810D56	SHA256:38FC00D1CD36AAA358EF1F54982A239EF29E8315008260B1E41353C72F641740
1296	cmd.exe	C:\Users\admin\Downloads\copy_23441.bat		text
		MD5:5AFC9939492724F69A4F6B36BBB5A096	SHA256:53A126B2C232707DA87DF2E6D970D3A2F29D3D1C1DCB9C2DB500528041AA2964
1296	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_earthid.png		image
		MD5:91305F77C86EDC748D3EB6C1236339F3	SHA256:10D9B5AC8D678628CDA0DE645BB96E82F2FCAB68F38096A25B78417C6646BE2A
1296	cmd.exe	C:\Users\admin\Downloads\copy_30247.bat		text
		MD5:5AFC9939492724F69A4F6B36BBB5A096	SHA256:53A126B2C232707DA87DF2E6D970D3A2F29D3D1C1DCB9C2DB500528041AA2964

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.17:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	404	162.159.136.232:443	https://discord.com/api/webhooks/1385868669640249445/Q17D8iUpsArIQJrAro8T08nI82gc0Sw80YRePyPmoMMnpHeerZnE_vRliWcYQZ5lzRGx	unknown	binary	45 b	whitelisted
—	—	POST	200	20.190.160.17:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.67:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	20.190.160.22:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	POST	200	40.126.32.134:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	whitelisted
—	—	POST	404	162.159.136.232:443	https://discord.com/api/webhooks/1385868669640249445/Q17D8iUpsArIQJrAro8T08nI82gc0Sw80YRePyPmoMMnpHeerZnE_vRliWcYQZ5lzRGx	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.135.232:443	https://discord.com/api/webhooks/1385868669640249445/Q17D8iUpsArIQJrAro8T08nI82gc0Sw80YRePyPmoMMnpHeerZnE_vRliWcYQZ5lzRGx	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.138.232:443	https://discord.com/api/webhooks/1385868669640249445/Q17D8iUpsArIQJrAro8T08nI82gc0Sw80YRePyPmoMMnpHeerZnE_vRliWcYQZ5lzRGx	unknown	binary	45 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
472	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
1268	svchost.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
472	RUXIMICS.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5944	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
1268	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 51.124.78.146	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	2.19.11.120 2.19.11.105 184.25.50.10 184.25.50.8	whitelisted
www.microsoft.com	2.23.246.101 95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.160.14 20.190.160.64 20.190.160.66 40.126.32.134 40.126.32.138 20.190.160.67 20.190.160.65 20.190.160.4	whitelisted
discord.com	162.159.136.232 162.159.137.232 162.159.138.232 162.159.135.232 162.159.128.233	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted
slscr.update.microsoft.com	4.175.87.197 172.202.163.200	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1128	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
1128	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
1128	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
7796	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7796	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
7796	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI

General Info

SAB4.0.bat

5AFC9939492724F69A4F6B36BBB5A096

CDA1D147D0A5E2EAB0EE62067FD77CE6AD42050A

53A126B2C232707DA87DF2E6D970D3A2F29D3D1C1DCB9C2DB500528041AA2964

96:nQI80iN8wDIH5E8+a/kBxtvqEqJKIEXvEgMaNqf1:nQIt6IHvn/kBvyxUDXcgbNqd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables Windows firewall

Changes firewall settings

UAC/LUA settings modification

Disables Windows Defender

Starts NET.EXE for service management

Uses NET.EXE to stop Windows Update service

Create files in the Startup directory

Disables task manager

Attempting to use instant messaging service

Stealers network behavior

Task Manager has been disabled (taskmgr)

SUSPICIOUS

Starts process via Powershell

Starts POWERSHELL.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

The process bypasses the loading of PowerShell profile settings

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Executes JavaScript directly as a command

Reads security settings of Internet Explorer

Suspicious use of NETSH.EXE

Windows service management via SC.EXE

Starts SC.EXE for service management

The process connected to a server suspected of theft

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Checks proxy server information

Disables trace logs

Script raised an exception (POWERSHELL)

Checks supported languages

Reads Internet Explorer settings

Reads the computer name

Launching a file from the Startup directory

Reads security settings of Internet Explorer

Reads mouse settings

Manual execution by a user

Application launched itself

Attempting to use instant messaging service

Reads Environment values

Reads the software policy settings

Malware configuration

ims-api

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules