File name:	SAB4.0.bat
Full analysis:	https://app.any.run/tasks/a0099dd4-a9de-4441-ac02-7af889f72a07
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 09:39:14
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	discord exfiltration stealer auto-startup
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with very long lines (305), with CRLF line terminators
MD5:	E4AB94335AF99D8FC6FAE1BBBA9DE40F
SHA1:	A72B7A95A7DB7CF88C8149E0CE098AB19E2FC497
SHA256:	8EC795E7FAA2202E156878D689667514B4CB35D4190303DFF3276D73AAFF00CA
SSDEEP:	96:nQI80iN8wDIH5E8+aWkKxtvqEqJKIEXvEgtrEWR:nQIt6IHvnWkKvyxUDXcg3


(PID) Process:	(2404) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(2404) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(432) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(2880) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoDesktop
Value: 1
(PID) Process:	(2996) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SmartScreenEnabled
Value: Off
(PID) Process:	(2580) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(516) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(5444) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(4648) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(4664) reg.exe	Key:	HKEY_CURRENT_USER\Control Panel\Mouse
Operation:	write	Name:	SwapMouseButtons
Value: 1

PID	Process	Filename		Type
3720	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5gmdfeqk.o5y.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2404	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:8B01ADAFA3609A3CE67C85622BA0B9C8	SHA256:C1428F3DE74BE07AB3DFA5C97CBF1D4E38DC97115908D56531948D3229767A65
2952	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_veoeaej4.gs2.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5400	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_chatmortgage.png		image
		MD5:2F97D430A42317DE94BA389C17F1574B	SHA256:BF141F5728145BA13811468512D064A78B8799E50D7A0BAEA20462888D9C55E9
6796	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1ie3rjek.joz.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6508	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zoghmibk.ri3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6800	cmd.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat		text
		MD5:E4AB94335AF99D8FC6FAE1BBBA9DE40F	SHA256:8EC795E7FAA2202E156878D689667514B4CB35D4190303DFF3276D73AAFF00CA
6508	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s5dnj41z.evb.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6796	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dgcdr11q.nzj.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5400	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_courtunion.png		image
		MD5:8AFE053BE0517184CCA65CBA86F5A912	SHA256:C521EF8927E2C74F914FC772A87715C2D6308BC71AFD711C346B099B3EB37005

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	184.24.77.27:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	184.24.77.27:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4236	RUXIMICS.exe	GET	200	184.24.77.27:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4236	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.31.1:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	40.126.31.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	200	40.126.31.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	40.126.31.67:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4236	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	184.24.77.27:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	184.24.77.27:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4236	RUXIMICS.exe	184.24.77.27:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.185.78	whitelisted
crl.microsoft.com	184.24.77.27 184.24.77.22 184.24.77.38 184.24.77.30 184.24.77.34 184.24.77.29 184.24.77.25 184.24.77.23 184.24.77.35 184.24.77.11 184.24.77.43 184.24.77.13 184.24.77.9 184.24.77.36 184.24.77.8 184.24.77.6 184.24.77.42	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.31.1 20.190.159.75 20.190.159.73 20.190.159.131 20.190.159.4 40.126.31.67 40.126.31.2 40.126.31.0	whitelisted
discord.com	162.159.137.232 162.159.136.232 162.159.135.232 162.159.128.233 162.159.138.232	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
3720	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
3720	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
3720	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2952	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2952	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
2952	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

SAB4.0.bat

E4AB94335AF99D8FC6FAE1BBBA9DE40F

A72B7A95A7DB7CF88C8149E0CE098AB19E2FC497

8EC795E7FAA2202E156878D689667514B4CB35D4190303DFF3276D73AAFF00CA

96:nQI80iN8wDIH5E8+aWkKxtvqEqJKIEXvEgtrEWR:nQIt6IHvnWkKvyxUDXcg3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables task manager

Disables Windows firewall

Changes firewall settings

UAC/LUA settings modification

Disables Windows Defender

Uses NET.EXE to stop Windows Update service

Starts NET.EXE for service management

Create files in the Startup directory

Task Manager has been disabled (taskmgr)

Stealers network behavior

Attempting to use instant messaging service

SUSPICIOUS

Uses ICACLS.EXE to modify access control lists

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Uses REG/REGEDIT.EXE to modify registry

The process connected to a server suspected of theft

Suspicious use of NETSH.EXE

Starts SC.EXE for service management

Reads security settings of Internet Explorer

Application launched itself

Windows service management via SC.EXE

Uses TIMEOUT.EXE to delay execution

INFO

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Reads mouse settings

Reads the computer name

Checks supported languages

Reads security settings of Internet Explorer

Manual execution by a user

Launching a file from the Startup directory

Application launched itself

Reads Microsoft Office registry keys

Attempting to use instant messaging service

Reads the software policy settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity