9235d2676794ff9cc054258ec08e894647ed0112a94f078c9b901d8f1aa049ce

Sharing

Copy URL

Twitter E-mail

General

Target

SchooisMultitool_v2.2.zip
Size

234KB
Sample

240908-n7f1zsvdmq
MD5

9424b2cacd9f0fb76a0fe4f202e4d614
SHA1

77bca369a07a8cc4815d0897d897bed758453bff
SHA256

9235d2676794ff9cc054258ec08e894647ed0112a94f078c9b901d8f1aa049ce
SHA512

9ba6531994986a636e7e7143c929248149ebddc580cd42ae9f6b21512d22d3d3a7c745248af3e55877ab0983575f51786927399092093aad26f6ffb927ac0f13
SSDEEP

6144:c6z9pUmgmH9ozNAYmNGqgYSY1zSRFV1MuH1Y+sC0j:cK9pvgQlYmNYYXzSRFV1MuVzsb

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/SchooiCodes/file_hosting/main/7z.ps1

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://go.microsoft.com/fwlink/?linkid=839516

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://community.chocolatey.org/install.ps1

Targets

- Target
  
  Files/Apps/7z.bat
- Size
  
  839B
- MD5
  
  baf3616b558a8160895bb9c31461d927
- SHA1
  
  af5f159645fec5df4aafc1a750c3384fe3763dbb
- SHA256
  
  bee39c3a45d5b37932654aaf12345292b570f292b6385e29eaa3f8dc9985cd1c
- SHA512
  
  10e754aabc91ed4cb007ddbeac840289b8d5db728e4f0ebe59cee7dedf546f073d8a9148fdd7c216d266977dade9dcda2ee75ce174c8c1dc2fd888ebe9597db0
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
behavioral1
- Target
  
  Files/Apps/SuperF4.bat
- Size
  
  534B
- MD5
  
  561400dc8a63d4b4cc87cabac9e8422a
- SHA1
  
  69502ed43cf6e495c060fac70a5ef37f4f15ca53
- SHA256
  
  767bccd41110d92c69bba5aaceea296f7e0b61fd1f9e09a3fa1ed08e8a8b8282
- SHA512
  
  8c3efaedb0c9d7bc9de04dbe0d9c2b7a33b2b40a2f0836e719aabdf6197d2c4cdeece3b5eb0276f3484236dc99b797d63324ababa5dd1d4220af693910f12046
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
behavioral2
- Target
  
  Files/Apps/bts.bat
- Size
  
  227B
- MD5
  
  0cfdb01d34041f9e16ddd9f17e3f4789
- SHA1
  
  393afcbc7fb973b5c2893b8085092f0c2c45311e
- SHA256
  
  528ed4942a647ee78a31aaa788ef27b7fe747fcf9fc0e97192ad9a0aaf97c0c2
- SHA512
  
  19e96f69fe9b335941b2ae107ca5eeb366825a399428df4af86faabc9f858e09b5bdb4080cff0db89c3a49dd26b77aa25b0e857572a4c39afddc112b113adcd0
Score

3^/10

execution
behavioral3
- Target
  
  Files/Apps/chrome.bat
- Size
  
  545B
- MD5
  
  764f5846cdf195f465ca8c4e9fdd0875
- SHA1
  
  6344062077c919850aec7f86e0350cb2b663dd18
- SHA256
  
  fca1ea11d5fdb18df21be4b007ce750e271f442845d9dfe772b01837b218f289
- SHA512
  
  0925c46fe7ae006b84cefc102cbd424abe0cd609d04673f68ef469397073ddda8a1eaaf79b3646487874eb5122f9496fe03588917f144429e8dabdce55215c8d
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
behavioral4
- Target
  
  Files/Apps/ctt.bat
- Size
  
  200B
- MD5
  
  1fb0778bf377299cf424b77cca45371b
- SHA1
  
  21685d0e425d04192f122c94ccd209bfeab45e43
- SHA256
  
  2a50f18aaa195155987ef3eb808c9b70e88c515ac49314ac22eceecbb790d86f
- SHA512
  
  bfb48f3502bf32f5c21c0830df7de33c2772618fd0953ecede9106c921ce8df0acb62182b4a64dc961f2e07e940e39e189180b3c979e9f818c7a8d3acd4a87bb
Score

3^/10

execution
behavioral5
- Target
  
  Files/Apps/fastfetch.bat
- Size
  
  300B
- MD5
  
  c6217cbda600f1e677678d6aa64d30d4
- SHA1
  
  dda86d62ec1c6dea38d967d72e2cf2557d8707f5
- SHA256
  
  c0fdcdf351b3e1660254b073f448c21c9ab9b36da4d480cfef7e05c4ed589619
- SHA512
  
  470b2322425caeb48de5066c51221f3ec87c6b6e84dcfc3de705496d9e426c37add0cd2d54ba02006259035b37273f518d9cd512c14e875eee8a2627d4c346f8
Score

6^/10

execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral6
- Target
  
  Files/Apps/firefox.bat
- Size
  
  1KB
- MD5
  
  a5156c813e4a7c45fc2f26a66b2cf813
- SHA1
  
  4bb3f9d20be7bb87dc00aa652e84c9d56c196b4c
- SHA256
  
  a15290fb079d46fbb859d1260de44df5d71a4072379a7eb2634a5c317684b7ac
- SHA512
  
  ac0f5565ebfb93084ca58fdceeaabbfcff29f90f088a2286c5c48eaba7717e00662ac23442e9502ed3a0256a4385d81d7d0edfcafa6948176b2c3e538196223c
Score

1^/10
behavioral7
- Target
  
  Files/Apps/flux.bat
- Size
  
  290B
- MD5
  
  629667380059fb33d4933a722c139be3
- SHA1
  
  a52944fdceef5368eaf140558066df825b35ea28
- SHA256
  
  86d43de03fd141ad2180804577f817534f27cced767a8451b4804f47cc6037ee
- SHA512
  
  ad474e7582751447067b002f2af3ab473d40087a3ce850551dbf2636887c3279aa58b57b930892585419e0df10e31deb42503bc787cb394df9dcea4ce1abed92
Score

3^/10

execution
behavioral8
- Target
  
  Files/Apps/geek.bat
- Size
  
  1KB
- MD5
  
  7ab38d80aa19a44d6a1c792400a44d15
- SHA1
  
  9cb921a2a61a9e1e42ef93c2a4d6f505c244a03e
- SHA256
  
  1c36c6df5dcc675f2f27b95503aadb92b6657f6c130be829605e55ca9b7dafda
- SHA512
  
  d7740258e28a3e468c33bfb0b47373a364c4fbff432dfe01322bd5b928c45a19fa2e50388aaa8e55d0b72b14b71ff783e9e3348ffdcc084c854b9d0288d694da
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral9
- Target
  
  Files/Apps/git.bat
- Size
  
  597B
- MD5
  
  43d5796a824ec36fce4aa2e358d33175
- SHA1
  
  3b1578ace3db4dfdfd2cc8ba208c6a6cda0dbe5c
- SHA256
  
  7940a2e053dfe8ff1afe7ce49f806b821d7063cbae8c6e3f467dc1b8603d3759
- SHA512
  
  38829c87431fa81cfa0b6cb411f8bdfc8d03841fe539713ad0ae27991a9bf669d32f9f3c0416d9439a53075a9cd481100e3795cac0180ec0ce6e66990064bf54
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
behavioral10
- Target
  
  Files/Apps/logo.bat
- Size
  
  2KB
- MD5
  
  42127e263ca943e0979f8ef85faa395f
- SHA1
  
  157ac10d97a73f63988dfcb52b90c09863bdea7f
- SHA256
  
  8af758c87e62e072dac84d818f963b084d5f8a6293f37d6fda88ca0327ddd283
- SHA512
  
  8c7276bfdf1f2158586a2ee3a179098cfd9c50e3fead3e80369a74e00c7953b0f29dc7ca1cd9d71614e11736170c1ffdf3b1a809a78b3144927efaebf786808d
Score

3^/10

discovery
behavioral11
- Target
  
  Files/Apps/pcm.bat
- Size
  
  474B
- MD5
  
  bd94097bc383679f0b5e46c9e1a599ac
- SHA1
  
  d362cf3a09e38cdb2f542ae5e3093475dae49b76
- SHA256
  
  2dc448b242e53ae269bc700c03276ef2e523b01a0b91b6690ed3074b8133e376
- SHA512
  
  95aa276c74491a00334ed5a33c808f19c200883a9f4caac559728a86334bc01865eacde01a302d587dfc20096c3667f9ccd00c618fbb2e04380460ca985cd3c0
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
behavioral12
- Target
  
  Files/Apps/ps7.bat
- Size
  
  1KB
- MD5
  
  836e111b6dfc84c70ef6fe21b9ebccc0
- SHA1
  
  0c7b272f348cdb6358d29cbeba9a851dfa525c18
- SHA256
  
  3195d2cf69059001b92914d3c0495fbdce875cdc8c5b4c9357206fb8c658b53c
- SHA512
  
  53c82a6d8725b92dc411dd4bc8d4001a70acf088538af84c686dbbda0f40159fbb8cb8122bd906537e542e12b8b7b649c686dcaf5b25425ca123c97048ca2cee
Score

10^/10

dropper execution
- Blocklisted process makes network request
- Download via BitsAdmin
  dropper
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral13
- Target
  
  Files/Apps/pswin7.bat
- Size
  
  840B
- MD5
  
  3768f6911878047cf06c7fdf0b5e08b7
- SHA1
  
  39f52e4858f12c42a54fde38f7ba6386148bf081
- SHA256
  
  fcb69e2e4d36737a17381f1a522962a77471f0cb1bb196a3aeac5d967eb81dfc
- SHA512
  
  2e19e1e4c8f85f254c2f56e6272c24a1479a7c6b68c0df82ce33da4d5a028a8fb9cec0b10231529f16b077bfa607a760ea86844db8c94fe0471905db953112aa
Score

10^/10

execution
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral14
- Target
  
  Files/Apps/winget.bat
- Size
  
  213B
- MD5
  
  5b9a5da7b871353090b62739e4c899fe
- SHA1
  
  ae6d5bc03b0859d0f242f0925587446673bbac5f
- SHA256
  
  5acfc06a96565e3d5a9ed53dac1fb5824d4777cb133e933bbad8afd5330dad26
- SHA512
  
  5dc3ff9d6d61f85dec70b965f78059b74ce54968ac7cb00702408e907542dd3bdf657f49f8f796cb1053b8d8def3ed516dda4ea4691f3b62e3474bd46df855a0
Score

3^/10

execution
behavioral15
- Target
  
  Files/Apps/wintoys.bat
- Size
  
  390B
- MD5
  
  d5016ae4c15bb205d355421b8fd075ba
- SHA1
  
  2c6d9166db06f42fb23d4e0a47963db59c261a52
- SHA256
  
  40278511ca853a1c24e9115cfdfd0f1a8d057f78350614887fab1cb2b42a02b0
- SHA512
  
  6e23ad627de549bc000ede135bd53895037593db5d0850fbee1d8e78b8eff9ad23330ad96a19b415ce84fd27d598d5f578d0bc3efb36baaf3700c8c763602869
Score

3^/10

execution
behavioral16
- Target
  
  Files/BackupRegistry.bat
- Size
  
  777B
- MD5
  
  4017211c6557001aaf377c59ecee083d
- SHA1
  
  136dd376f582cd0191d87580819881c6a636c271
- SHA256
  
  1da84dbf28ed8a7db5f8bb12f3a3541fe3fae630c7caefa113210d5f273ddf9e
- SHA512
  
  0a76f2e9f8eefd416174cda713c30e1ab62a60783f2df4aeb402a48a80f3051c0fcb6061f8e12501f796a3e12f80df54d1db5f7b467f07849682e7fa1319b262
Score

1^/10
behavioral17
- Target
  
  Files/CommandLineGame.bat
- Size
  
  699B
- MD5
  
  0861e44ff6053f1fdab9b1ee87f08adc
- SHA1
  
  4d53ada9eba854ce09e68872baa8fd378647b634
- SHA256
  
  f24bf29f3c41ed17ba3177794558223c03897659c699ce427f4916a23bdf9f30
- SHA512
  
  b0e593aebf2e76581b2346deaccb0a2bb1361e4b978ac243876b9a846f4cdec9a0bfe2f58670b4adcad69d63e63708e89854aab4b4753cafd1d5ccbc9d21fac7
Score

1^/10
behavioral18
- Target
  
  Files/Components/Import Backups.bat
- Size
  
  616B
- MD5
  
  44c6d8b490d9c29e521b024375629476
- SHA1
  
  fa1a20b56f9139d46b3fea176620c494d54ce721
- SHA256
  
  5d3aa94c00cc35e2517a478777cefcec82c55a9039afdc388c8832d9a0cd189d
- SHA512
  
  b071df4478f3071ce8ac68199dfe8030ae4401cfac713d9d93fb67f4ba9ed1dae92adb5be1163685a43555e5ef3e5d8d72b2fe6c3917e4ac2aa8a7ddfc8d938d
Score

1^/10
behavioral19
- Target
  
  Files/Components/Registry Backup.bat
- Size
  
  729B
- MD5
  
  61cf455c174e64c84c526c57d80fc26a
- SHA1
  
  35add3e0f35636c84fcc48f9fa8fae94ff461465
- SHA256
  
  5e1f365f82618f8efd83fbc91935fd01aea55fe92c374689b9b2641a7163c287
- SHA512
  
  5f45a7d0569fc479fcd037dfb4661d069f8b4185d42797622b480d619163d30f07e672ab098219a64ad974a4ea39fbd3d14956e944b4c180467cb6dc0b6f1c2a
Score

1^/10
behavioral20
- Target
  
  Files/GPEE.bat
- Size
  
  801B
- MD5
  
  462499abd2275776b3e6c6beeb86b0c9
- SHA1
  
  ba3e380c5d1d24f7c1eacdb1c4a82d1a14f2dbae
- SHA256
  
  50082e6e1f85c84a4ae2e34502f3103d82510223f90599d329c90835fda99439
- SHA512
  
  586b34eb38d380a1c03a01bd8c477eaddaf99a9a22cc9b0a3b57965ee5b203d46497d510292e401da909fc0a3811a1f7fccc69a387936d4a9b5fd3c2f9d2120b
Score

1^/10
behavioral21
- Target
  
  Files/IPGeolocator.exe
- Size
  
  10KB
- MD5
  
  04c3d654166ae0f29d5e11ac3d53f117
- SHA1
  
  dfba6ffb5891b6074fbd2073f389dbf30a00ce00
- SHA256
  
  9e3695b3062bdc56a4d95ed022826aa3489141227a036700e7e98777371f3181
- SHA512
  
  173790cc03a50748929d337d5ef3dc7a115b7888ce2d366034159fb6b3315d67bfab6e6942264bc41ba98dd0f4b571552891362baa453ee260ef4e07a5d70570
- SSDEEP
  
  96:wpsQc0uvL0Pk+c22MU5mWNBEsFWg3/V+N+QcG+/emr3XEhvtL/ejgVZiZcPHV9jd:jUk57MdWjqYG+Wmr3OlKEVZL3
Score

3^/10

discovery
behavioral22
- Target
  
  Files/IPStealer.bat
- Size
  
  458B
- MD5
  
  092dc441f3b3fde90f7ea6867a37c188
- SHA1
  
  83661112a066b04ae8499c1aef72f361a885becc
- SHA256
  
  8ca505c91cd3bff8e240a89b2844b03b7b2e90f94a6f8318826dbf0ea3ac3f63
- SHA512
  
  7270d327bb3364786cb5d74da987b9d43d95bbe01448f7547b73e2ec1cf48a2d25fb307706109ace17c91835595d711ad6f0a4ca03130cc5153e75e24cfe6f32
Score

1^/10
behavioral23
- Target
  
  Files/ImportBackups.bat
- Size
  
  616B
- MD5
  
  44c6d8b490d9c29e521b024375629476
- SHA1
  
  fa1a20b56f9139d46b3fea176620c494d54ce721
- SHA256
  
  5d3aa94c00cc35e2517a478777cefcec82c55a9039afdc388c8832d9a0cd189d
- SHA512
  
  b071df4478f3071ce8ac68199dfe8030ae4401cfac713d9d93fb67f4ba9ed1dae92adb5be1163685a43555e5ef3e5d8d72b2fe6c3917e4ac2aa8a7ddfc8d938d
Score

1^/10
behavioral24
- Target
  
  Files/InfoFinder.bat
- Size
  
  1KB
- MD5
  
  a00d0a78ea0ce615829c0308a44c010a
- SHA1
  
  9892bb77869aacdab7bbbdb6c7d910b310228872
- SHA256
  
  3542c65e592024bccd7cd196bf4ba7127aff636a15c530911e7af2d0712ea4ba
- SHA512
  
  39a7bb4adc0f3ad4321ded6c2b8c9f073d298e78a6a528a84936898c2694a21eb5f96c00cab88941647f70c7d855cd25fabc6b0f012756f9d87a797d98613d11
Score

1^/10
behavioral25
- Target
  
  Files/Malwarebytes-Premium-Reset.bat
- Size
  
  1KB
- MD5
  
  a5f28326d7555d81f8c22e5b46693571
- SHA1
  
  c235bc7b6202c6e5c112a635365dc92bc3bf4d9a
- SHA256
  
  6c0430a7504cb0aaa7328a1ce8100c3f890b158924d7f5905688930632715b60
- SHA512
  
  028f737501eecffa6f6656bdc4943a71867cbeff9d7bc7e66fc046e584e8129aa0025fb9f73a449c12b4e215746a0698a315330bc5247473cf585cc49d36c317
Score

1^/10
behavioral26
- Target
  
  Files/Newtonsoft.Json.dll
- Size
  
  514KB
- MD5
  
  c53737821b861d454d5248034c3c097c
- SHA1
  
  6b0da75617a2269493dc1a685d7a0b07f2e48c75
- SHA256
  
  575e30f98e4ea42c9e516edc8bbb29ad8b50b173a3e6b36b5ba39e133cce9406
- SHA512
  
  289543f5eea472e9027030e24011bea1e49e91059241fe6eb732e78f51822313e47d1e4769fa1c9c7d6139f6a97dcfef2946836b3383e8643988bf8908162fb9
- SSDEEP
  
  6144:ZeC37wbJmJ5bd4m15M+S50cK7q2UGu7WEYEaWdDBLH5WHxJ16Wi/h4aBTBFFu4JD:p37Ogr2VAHx7JijBZdPfP
Score

1^/10
behavioral27
- Target
  
  Files/PasswordGenerator.bat
- Size
  
  1KB
- MD5
  
  429a368979fe64bc74a57ec0645db610
- SHA1
  
  4df46e4adba31ab3b179414cb6b50443e5a4cc3f
- SHA256
  
  d6963f1894f13b232f94944f56c4032dbbc8586bd0b6fb6a9d4b6ca401f8379a
- SHA512
  
  7b17ead6a1995794a14e913ca963ee3d9193db7396067cd24a6ef9de23e4851f3de881d353ee92bdb5d831bcaca4f636e5774553664d60e5647abc29c8b5c976
Score

1^/10
behavioral28
- Target
  
  Files/RAUP.bat
- Size
  
  764B
- MD5
  
  993165efd56994356ee3ba7a0c4b8d1c
- SHA1
  
  7decbe7dab117eb28070a1bbe44691fa953a4f1a
- SHA256
  
  7a0c9f8d9f66a2332dc6f012e75ef83d181cd1ba4214fe498b6a65dbdac557e0
- SHA512
  
  b734c58b8a577b33e75f4d5203514b07590a002ed424f8e5f159a5f4820e0e328893e2b049c61ddb1fffd4d30d3d8160a851c8dab32b833250e62756615b05cc
Score

1^/10
behavioral29
- Target
  
  Files/SMBBruteforcer.bat
- Size
  
  747B
- MD5
  
  5ee669dcde3786a20dcb3c85075bc200
- SHA1
  
  110554c9bbd8a996e2cda1815cc53f66f2548372
- SHA256
  
  079e7f161d7717bf40f5904ad64806e3ee8708e0e90b03d3acec7299eceb27da
- SHA512
  
  71c78206d2261defeb89a8345fe0b82a415f3e0bfc7b9c27da420bad0964e7a97e1575b58ffcfaa188eea1b90dbe53ef7a1b5a21cae326a2825f06d38ded37d0
Score

1^/10
behavioral30
- Target
  
  Files/SSAMBYO.bat
- Size
  
  1KB
- MD5
  
  cdfd34dae8056336ee01477edb3e3870
- SHA1
  
  d241fa7c0769e65bfd50b370e444b895b499595d
- SHA256
  
  6cd8db62b821ac9ba208194a5a10da0b28661bdea600c6a7adbb0c1acb744f5e
- SHA512
  
  9dc12bcd9cfc5de24c4000f2e3fa9ae77a56b8d8b38fe0ce3e1a499be0e62b3b47f2d972a38e4f915dd7c71281c79799295c747b2f5e47e33a50f4df2b3b364f
Score

8^/10
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
behavioral31
- Target
  
  Files/Schnuker/Files/Run Me (Instructions).bat
- Size
  
  475B
- MD5
  
  107cfa2b2187c0cac05e4a52f5c7d870
- SHA1
  
  48e726b794e97cb44cac7d0e3b43b4dfb23d5ac5
- SHA256
  
  fe480312168a6532d8ec242bc457d43fac893cc9504928e2dd065d5241369b18
- SHA512
  
  5365747c78b5c7aa90d381bcb262ceffb08dfd65174f1416329006e054279ca7d464463313a5232e1b71ddc5e946654e4e91a79247ed3ac7a956304994f8043d
Score

1^/10
behavioral32