Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.BatRunner.A

PUP.BatRunner.A

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.BatRunner.A
Signature status: No Signature

Known Samples

MD5: 6f40a7430f5bb16d2f19a0a9a270f65f
SHA1: d1c6d2e531bc1e8b13bf9e31fa3c41a334919d8f
SHA256: D36335F2D70854BB91468814AB7F248E37D348989B33A2B0BBB562181E7364A8
File Size: 4.01 MB, 4013145 bytes
MD5: 1df25dba89943a24b1d9d55120bd9ad1
SHA1: 88fed2b248cafc14f6d2472e7d04a464f2066a6b
SHA256: 81D26D520C873056AA4EB6BB24C8959DCFEEB7DAA0EC762D54591816D05CC4E1
File Size: 7.17 MB, 7172391 bytes
MD5: 20ff117f316989767962916e65efc642
SHA1: 8ce71b3a03e1d171f6c671e0f315767793d5add2
SHA256: 07490F403C0B8115A73E37EE3AF82CD4C5073BF1AFBE43FC0DEEE9189E54B0F8
File Size: 531.29 KB, 531286 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name by Extra300
File Description VOATK Tools v2.5 - Stand Alone
File Version 2. 5. 0. 0
Product Version 0.0.0.0

File Traits

  • HighEntropy
  • x86

Block Information

Total Blocks: 564
Potentially Malicious Blocks: 15
Whitelisted Blocks: 549
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 0 x x 0 0 0 x 0 x x x 0 0 0 0 x x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.EDA
  • Agent.GFGE
  • Banload.AS
  • IEHelper.B
  • Kryptik.TZ
Show More
  • Lamer.CF
  • Stealer.BBA
  • Trojan.Injector.Gen.FDD
  • Wapomi.F

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2145734 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\aus.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\aus.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\boostspeed_install.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\boostspeed_install.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\hidcon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\hidcon.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
Show More
c:\users\user\appdata\local\temp\rarsfx0\icon.ico Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\patches Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\patches Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\patches\armaccess.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\patches\armaccess.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\patches\boostspeed.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\patches\boostspeed.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\patches\madexcept_.bpl Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\patches\madexcept_.bpl Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\runme.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\runme.bat Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 쏣趍ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
Show More
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
Show More
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess

Shell Command Execution

(NULL) C:\Users\Uocwulqi\AppData\Local\Temp\RarSFX0\hidcon.exe runme.bat
runme.bat
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: SET
Show More
WriteConsole: MyVar=AusLogics
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: SET
WriteConsole: Vold=
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: SET
WriteConsole: Vnew=
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: SET
WriteConsole: REG=
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: aus.exe
WriteConsole:
C:\Users\Uocwulqi\AppData\Local\Temp\RarSFX0\aus.exe aus.exe
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: IF
WriteConsole: NOT
WriteConsole: ! == !
WriteConsole: REGEDIT
WriteConsole: /S
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: DEL
WriteConsole: /Q "C:\ProgramD
WriteConsole:
WriteConsole: Could Not Find C
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: DEL
WriteConsole: /Q "C:\Users\Uo
WriteConsole:
WriteConsole: Could Not Find C
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: DEL
WriteConsole: /Q "C:\Users\Uo
WriteConsole:
WriteConsole: Could Not Find C
WriteConsole:
WriteConsole: C:\Users\Uocwulq
WriteConsole: IF
WriteConsole: ! == !
WriteConsole: goto
WriteConsole: END
WriteConsole:

Trending

Most Viewed

Loading...