File name:	SAB4.0.bat
Full analysis:	https://app.any.run/tasks/17e05e0a-eeb6-4fd3-a7da-0224812ba6b6
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 08:59:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	discord exfiltration stealer auto-startup ims-api generic
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with CRLF line terminators
MD5:	3BD308E6323FAE028E5EAD4AC2DB9B87
SHA1:	A434403503219114E5B3A2607F23713D1C18C0DD
SHA256:	E4B92757DD9267E07F228888D1B5D425CEDF99D6837D70B129AF69E615C52156
SSDEEP:	96:nQI8rib8wDIH5E8+aWkBxtvxaNWHvEqJ0IEXvEgR:nQIqCIHvnWkBvYNWHvxuDXcgR


(PID) Process:	(5772) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(5772) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(1128) reg.exe	Key:	HKEY_CURRENT_USER\Control Panel\Mouse
Operation:	write	Name:	SwapMouseButtons
Value: 1
(PID) Process:	(2612) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoDesktop
Value: 1
(PID) Process:	(5124) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SmartScreenEnabled
Value: Off
(PID) Process:	(1896) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(1932) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(5416) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(1472) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(5628) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters
Operation:	write	Name:	DisabledComponents
Value:

PID	Process	Filename		Type
2876	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5bm0k5jd.rke.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5772	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_azjewv2n.kli.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5772	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e0m2e1ui.o2i.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
472	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_doubleaddition.jpg		image
		MD5:219B8CD0670E7C28EE93B8B2A7D1B58F	SHA256:E761F94568C9334517D7030F72DD4367252DE713BD47D5EB81BCD340BFEFEE03
472	cmd.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat		text
		MD5:3BD308E6323FAE028E5EAD4AC2DB9B87	SHA256:E4B92757DD9267E07F228888D1B5D425CEDF99D6837D70B129AF69E615C52156
5772	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:5152302EB5DF17894E9382679A7F36D4	SHA256:1FB7295E12F9F324CA6B63FCE514B2AF5B6A034D45318A507A49409CDE87A6FD
472	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_effortdate.png		image
		MD5:27FE925E9CA708F52FB63CFEFFFB9C70	SHA256:AFE8B170E74DC3AFB74860D0D6633A1B0BCDE4C58F829E794A85A537A498F881
472	cmd.exe	C:\Users\admin\Downloads\copy_18482.bat		text
		MD5:3BD308E6323FAE028E5EAD4AC2DB9B87	SHA256:E4B92757DD9267E07F228888D1B5D425CEDF99D6837D70B129AF69E615C52156
472	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_memberproposed.png		image
		MD5:AC5263D4DB25DAB3CD3A621F6E63FF6C	SHA256:4E97B00B5A9A9858C789AEFE5CF917B17CB87EC2CC2B4760B2C12094DB611BFD
472	cmd.exe	C:\Users\admin\Downloads\copy_8658.bat		text
		MD5:3BD308E6323FAE028E5EAD4AC2DB9B87	SHA256:E4B92757DD9267E07F228888D1B5D425CEDF99D6837D70B129AF69E615C52156

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.64:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	POST	400	20.190.159.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	404	162.159.137.232:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.137.232:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	404	162.159.137.232:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.136.232:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.138.232:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted
—	—	POST	404	162.159.135.232:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2336	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
3100	svchost.exe	40.126.32.76:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2876	powershell.exe	162.159.128.233:443	discord.com	CLOUDFLARENET	—	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2 20.73.194.208	whitelisted
crl.microsoft.com	23.55.104.172 23.55.104.190	whitelisted
google.com	172.217.18.14	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.250	whitelisted
login.live.com	40.126.32.76 40.126.32.138 20.190.160.64 40.126.32.72 20.190.160.132 20.190.160.130 40.126.32.74 20.190.160.2	whitelisted
discord.com	162.159.128.233 162.159.136.232 162.159.135.232 162.159.137.232 162.159.138.232	whitelisted
nexusrules.officeapps.live.com	52.111.227.13	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2876	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2876	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
2876	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
7856	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7856	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
7856	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

SAB4.0.bat

3BD308E6323FAE028E5EAD4AC2DB9B87

A434403503219114E5B3A2607F23713D1C18C0DD

E4B92757DD9267E07F228888D1B5D425CEDF99D6837D70B129AF69E615C52156

96:nQI8rib8wDIH5E8+aWkBxtvxaNWHvEqJ0IEXvEgR:nQIqCIHvnWkBvYNWHvxuDXcgR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes firewall settings

Disables Windows firewall

UAC/LUA settings modification

Disables task manager

Disables Windows Defender

Starts NET.EXE for service management

Create files in the Startup directory

Uses NET.EXE to stop Windows Update service

Stealers network behavior

Attempting to use instant messaging service

Task Manager has been disabled (taskmgr)

SUSPICIOUS

Uses ICACLS.EXE to modify access control lists

Executing commands from a ".bat" file

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Starts CMD.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Suspicious use of NETSH.EXE

Reads security settings of Internet Explorer

Uses REG/REGEDIT.EXE to modify registry

Windows service management via SC.EXE

Starts SC.EXE for service management

The process connected to a server suspected of theft

Application launched itself

Possible usage of Discord/Telegram API has been detected (YARA)

INFO

Disables trace logs

Checks proxy server information

Script raised an exception (POWERSHELL)

Remote server returned an error (POWERSHELL)

Reads the computer name

Checks supported languages

Reads mouse settings

Launching a file from the Startup directory

Manual execution by a user

Attempting to use instant messaging service

Reads the software policy settings

Malware configuration

ims-api

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events