[SANS ISC] Deobfuscation of Malware Delivered Through a .bat File

Today, I published the following diary on isc.sans.edu: “Deobfuscation of Malware Delivered Through a .bat File“:

I found a phishing email that delivered a RAR archive (password protected). Inside the archive, there was a simple .bat file (SHA256: 57ebd5a707eb69dd719d461e1fbd14f98a42c6c3dcb8505e4669c55762810e70) with the following name: “SRI DISTRITAL – DPTO DE COBRO -SRI Informa-Deuda pendiente.bat”. Its current VT score is only 1/59!

Let’s have a look at this file! After the classic “@echo off”, there is a very long line that looks like a payload, it starts with “::”, a comment in .bat files (a common alternative to the REM command)… [Read more]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.