File name:	SAB4.0.bat
Full analysis:	https://app.any.run/tasks/ee64d723-f768-4305-9e2b-ff6259920d8f
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 09:15:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	discord exfiltration stealer auto-startup
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with CRLF line terminators
MD5:	067D0974EF9C8D1438A438F581488D08
SHA1:	E9C7584DCAF2F996ADE5E27E7DEB70335DE8AFE3
SHA256:	8AD3A45776DB19962CA4D29C3F0887C9801D5E6D68D2BF346609E448A8DFD27D
SSDEEP:	96:nQI8NniN8wDIH5E8+aWkBxtvxaNWHvEqJ0IEXvEgR:nQIa6IHvnWkBvYNWHvxuDXcgR


(PID) Process:	(3976) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(3976) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(1052) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(5628) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoDesktop
Value: 1
(PID) Process:	(3832) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(1356) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	EnableLUA
Value: 0
(PID) Process:	(6612) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters
Operation:	write	Name:	DisabledComponents
Value:
(PID) Process:	(2188) reg.exe	Key:	HKEY_CURRENT_USER\Control Panel\Mouse
Operation:	write	Name:	SwapMouseButtons
Value: 1
(PID) Process:	(1828) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SmartScreenEnabled
Value: Off
(PID) Process:	(7140) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	EnableFirewall
Value: 0

PID	Process	Filename		Type
3976	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d4poqr1x.iv5.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3572	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_siwdkwfo.flq.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3396	cmd.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat		text
		MD5:067D0974EF9C8D1438A438F581488D08	SHA256:8AD3A45776DB19962CA4D29C3F0887C9801D5E6D68D2BF346609E448A8DFD27D
3396	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_businessesclassic.png		image
		MD5:BECC1E63A55E4A1559DCC0DA06F33099	SHA256:03D7D4E53AD65C1B94F90E060DD744F03945E2717C79CA016DAF7EDCA0153CD7
3396	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_pricedaily.jpg		image
		MD5:1D5030E628B22F43EBAFD0E0B106C2F0	SHA256:9C8824CF0693D338866AF41BDA1CF099CF88ED690223973DF3082C1BB62BAF73
3572	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oetiavtp.ceo.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3396	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_frontaug.png		image
		MD5:516CFD75BCD6EB7C8465BEFAFE31C084	SHA256:D72DD65AB2AB85CF309D5132FB8BA707F4B902FCD84D2C7DCCA50781D3BCBB84
3396	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_keepflash.png		image
		MD5:6555DCED209520B6256B78697818E1CC	SHA256:AC82A1E0F662D2C933D10B15016CED01C879F651B9E7B28D11AA8AA0E3EB2717
3396	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_endingpapers.png		image
		MD5:D22377BF15D0F3347FDA7010F57C57F4	SHA256:E7029071979F899931496A80A9CB8AB30817FC5C180CB6469323C5FB3A5D0211
3396	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_itemoverall.png		image
		MD5:BF1FDEB5AD75E230208B3988F69B0494	SHA256:70F6378FE9BCEECD1BF923763A05D7DEE50C5DB2E2EEAFE76ABAA527996512A1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5896	RUXIMICS.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.41:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5896	RUXIMICS.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	405	162.159.136.232:443	https://discord.com/api/webhooks/your_webhook_here	unknown	binary	49 b	whitelisted
—	—	POST	405	162.159.135.232:443	https://discord.com/api/webhooks/your_webhook_here	unknown	binary	49 b	whitelisted
—	—	POST	405	162.159.137.232:443	https://discord.com/api/webhooks/your_webhook_here	unknown	binary	49 b	whitelisted
—	—	POST	405	162.159.138.232:443	https://discord.com/api/webhooks/your_webhook_here	unknown	binary	49 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5896	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	184.24.77.41:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.41:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5896	RUXIMICS.exe	184.24.77.41:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	2.23.181.156:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158 51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	184.24.77.41 184.24.77.28 184.24.77.36 184.24.77.24 184.24.77.27 184.24.77.29 184.24.77.38 184.24.77.30 184.24.77.42	whitelisted
www.microsoft.com	2.23.181.156	whitelisted
discord.com	162.159.136.232 162.159.138.232 162.159.128.233 162.159.137.232 162.159.135.232	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
self.events.data.microsoft.com	13.70.79.200	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
3572	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
3572	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
3572	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
7840	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7840	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7840	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

SAB4.0.bat

067D0974EF9C8D1438A438F581488D08

E9C7584DCAF2F996ADE5E27E7DEB70335DE8AFE3

8AD3A45776DB19962CA4D29C3F0887C9801D5E6D68D2BF346609E448A8DFD27D

96:nQI8NniN8wDIH5E8+aWkBxtvxaNWHvEqJ0IEXvEgR:nQIa6IHvnWkBvYNWHvxuDXcgR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables task manager

Disables Windows firewall

Changes firewall settings

Disables Windows Defender

UAC/LUA settings modification

Starts NET.EXE for service management

Uses NET.EXE to stop Windows Update service

Create files in the Startup directory

Stealers network behavior

Attempting to use instant messaging service

Task Manager has been disabled (taskmgr)

SUSPICIOUS

Uses ICACLS.EXE to modify access control lists

Starts process via Powershell

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Executing commands from a ".bat" file

Suspicious use of NETSH.EXE

Reads security settings of Internet Explorer

The process connected to a server suspected of theft

Starts SC.EXE for service management

Windows service management via SC.EXE

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

INFO

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Reads mouse settings

Reads the computer name

Launching a file from the Startup directory

Checks supported languages

Manual execution by a user

Attempting to use instant messaging service

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity