Today, I published the following diary on isc.sans.edu: “Deobfuscation of Malware Delivered Through a .bat File“:
I found a phishing email that delivered a RAR archive (password protected). Inside the archive, there was a simple .bat file (SHA256: 57ebd5a707eb69dd719d461e1fbd14f98a42c6c3dcb8505e4669c55762810e70) with the following name: “SRI DISTRITAL – DPTO DE COBRO -SRI Informa-Deuda pendiente.bat”. Its current VT score is only 1/59!
Let’s have a look at this file! After the classic “@echo off”, there is a very long line that looks like a payload, it starts with “::”, a comment in .bat files (a common alternative to the REM command)… [Read more]