a4974426e3db704306253727e47dd47894da3ee3c923b25b78264b4b709b0733

Sharing

Copy URL

Twitter E-mail

General

Target

HaxV3.bat
Size

19KB
Sample

240930-bdb4qatdmd
MD5

080455e109268953c1afe9d20d7c22fb
SHA1

801e47820fa9d0ed0e1e04d243714db5b399fd3f
SHA256

a4974426e3db704306253727e47dd47894da3ee3c923b25b78264b4b709b0733
SHA512

5f69712f8e938e535dcee63a04291c209ba356e221148512bf21d40908103988d37af28c249f59db99964455dee60f90b9c2badbe5c778af44e6d651fb4f3b6f
SSDEEP

384:ZAYOoDZUf9AXdmybtPuAPV7NGKbUD5tf6LEcUzggF:ZAYOoDZUf9AXdmybpuYV7NGKbUD5tf6M

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/Button.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/Button2.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/GetInput.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/batbox.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/injector.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/autofix.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/HaxMultiTool/Buttonws/main/admin.bat

Targets

- Target
  
  HaxV3.bat
- Size
  
  19KB
- MD5
  
  080455e109268953c1afe9d20d7c22fb
- SHA1
  
  801e47820fa9d0ed0e1e04d243714db5b399fd3f
- SHA256
  
  a4974426e3db704306253727e47dd47894da3ee3c923b25b78264b4b709b0733
- SHA512
  
  5f69712f8e938e535dcee63a04291c209ba356e221148512bf21d40908103988d37af28c249f59db99964455dee60f90b9c2badbe5c778af44e6d651fb4f3b6f
- SSDEEP
  
  384:ZAYOoDZUf9AXdmybtPuAPV7NGKbUD5tf6LEcUzggF:ZAYOoDZUf9AXdmybpuYV7NGKbUD5tf6M
Score

10^/10

execution discovery pyinstaller
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2