Decoding BATLOADER 2.X: Unmasking the Threat of Stealthy Malware Tactics – Blogs on Information Technology, Network & Cybersecurity | Seqrite

Batloader is an evolving loader capable of delivering various threats (including stealers and ransomware) via a multi-stage infection chain with strong evasion techniques. The blog breaks down how Batloader loads payloads, obfuscates components, bypasses AMSI/ETW, and establishes persistence and C2 with AsyncRAT.

Keypoints

  • Batloader is an emerging loader that can deploy different malware families (stealers, ransomware) and serve as an initial access vector.
  • The infection chain starts with a cabinet file that drops a .bat file to a temporary location; when executed, the .bat file drops a PowerShell-based loader.
  • The obfuscated components begin as a base64-encoded, AES-encrypted gzip stream that is decrypted and decompressed into a .NET file.
  • The PowerShell script copies the legitimate powershell.exe to the current folder, executes that copy, and then loads and runs AsyncRAT from the temp folder.
  • AsyncRAT initializes itself by decrypting its configuration data (AES-CBC, Base64-encoded) and is loaded from the dropped file.
  • The sample includes anti-analysis checks (debugger/sandbox detection), anti-AV and anti-ETW techniques, AMSI/ETW bypasses, and persistence via a registry Run key or a scheduled task.
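
The chain above leaves a distinctive process-telemetry trail: a .bat launched from a temp directory, a genuine powershell.exe executing from a folder it was copied to rather than from its install path, and a persistence command spawned by that relocated PowerShell. The detection logic below is an added example written for this summary, not code from the Seqrite post; the event records are constructed and modelled on Sysmon Event ID 1 fields, and the directory list and rule names are assumptions.

```python
import ntpath
import re

# Constructed sample telemetry (not from the post): one process-creation record
# per stage of the described chain, plus one benign PowerShell launch.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\drop\setup.bat"'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Users\alice\AppData\Local\Temp\drop\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -f stage2.ps1"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Users\alice\AppData\Local\Temp\drop\svc.exe"},
    {"pid": 1004, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-Process"},  # benign: run from its install path
]

# Assumed set of directories a legitimate powershell.exe image should live in.
LEGIT_POWERSHELL_DIRS = (
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
    r"c:\program files\powershell",
)
TEMP_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)


def is_relocated_powershell(image):
    """True when a file named powershell.exe runs from outside its install directories."""
    directory, name = ntpath.split(image.lower())
    return name == "powershell.exe" and not directory.startswith(LEGIT_POWERSHELL_DIRS)


def detect_batloader_chain(events):
    """Return (rule, pid) findings; each rule maps to one stage of the described chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, cmd = e["image"].lower(), e["cmdline"].lower()
        # Stage 1: a .bat file executed from a temp directory (cabinet drop).
        if img.endswith("\\cmd.exe") and ".bat" in cmd and TEMP_RE.search(cmd):
            findings.append(("bat_from_temp", e["pid"]))
        # Stage 2: the copied, genuine powershell.exe executed from the drop folder.
        if is_relocated_powershell(e["image"]):
            findings.append(("relocated_powershell", e["pid"]))
        # Stage 3: persistence (scheduled task or Run key) spawned by that relocated PowerShell.
        parent = by_pid.get(e["ppid"])
        if parent and is_relocated_powershell(parent["image"]):
            if img.endswith("\\schtasks.exe") and "/create" in cmd:
                findings.append(("schtask_persistence", e["pid"]))
            if img.endswith("\\reg.exe") and "\\run" in cmd:
                findings.append(("run_key_persistence", e["pid"]))
    return findings
```

Correlating the three findings by parent/child pid, rather than alerting on any one of them alone, keeps the false-positive rate down since a stray .bat in Temp is common on its own.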

MITRE Techniques

  • [T1566] Phishing – “phishing emails, masquerading documents, or downloading cracked software.”
  • [T1027] Obfuscated/Compressed Files and Information – “The starting comment for the obfuscated bat file is a base64 encoded, AES-encrypted gZip stream.”
  • [T1059.001] PowerShell – “The deobfuscated bat file contains a PowerShell script that copies the genuine powershell.exe to the current folder and executes it.”
  • [T1562.001] Impair Defenses – AMSI Bypass – “To bypass AMSI/event tracing it identifies the system architecture based on which corresponding functions are called.”; “patches amsi.dll’s amsiscanbuffer() function.”
  • [T1562.003] Impair Defenses – ETW Bypass – “It patches the EtwEventWrite() function of ntdll.”
  • [T1547.001] Persistence – Registry Run Keys/Startup Folder – “It creates a run entry if it has admin rights.”
  • [T1053.005] Persistence – Scheduled Task – “Otherwise it creates a scheduled task for timely execution.”
  • [T1105] Ingress Tool Transfer – “The cabinet file contains a bat file dropped at a temporary location” (loading/downloading payload as part of the chain).

Indicators of Compromise

  • [Hash] MD5 – 96B07F8951F4BDEB95856D9477071865 – used as an IOC related to the dropped payload stages of the chain.
  • [Hash] MD5 – 1528F443777A42B09AE19D7E6F5F508A – another IOC associated with the staged components.
  • [Domain] jzx100.myddns.me – used as a possible C2/initial connection point when Pastebin details are unavailable.

Read more: https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/