BatLoader is a batch-file-based loader used to deliver payloads for multiple malware families, notably AgentTesla, QuasarRAT, AsyncRAT, Mallox ransomware and cryptojackers, usually via phishing. An obfuscated batch file invokes PowerShell, which Base64-decodes, gzip-decompresses and reverses an embedded blob, then loads the resulting .NET executable in memory; that executable may contact a CnC server for further payloads. #BatLoader #AgentTesla #QuasarRAT #AsyncRAT #MalloxRansomware #Cryptojacker
Keypoints
- The bat loader is described as the standard method for delivering the final AgentTesla payload and has also been observed distributing other malware families (RATs, ransomware, cryptojackers).
- The infection chain begins with the user being tricked into running a malicious batch file, usually delivered via phishing or through exploitation of system vulnerabilities.
- The obfuscated batch script drops and invokes a PowerShell script that takes a Base64-encoded string as its argument and feeds it into dynamic code execution.
- The decoded data is gzip-decompressed and then byte-reversed; the result is executed in memory without touching disk as a separate file.
- The final payload is typically a .NET executable that may either connect to a CnC server to fetch additional payloads or infect the host directly.
- Historically, this batloader appeared in OneNote attachments to propagate QuasarRAT and AsyncRAT and has since been used with Mallox, AgentTesla, and Cryptojacker.
- IOCs are provided as multiple SHA-256 hashes associated with BatLoader variants and related families.
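The decode chain in the keypoints above (Base64 decode, gzip decompress, reverse) is simple to reproduce offline when triaging a captured blob. The script below is an added example and is not code from the original report; the stand-in payload, the `pack()`/`unpack()` names and the stage order are assumptions taken from the chain as the page describes it. Real variants reorder or repeat these steps, so `unpack()` records which stage it reached and why it stopped rather than failing silently.

```python
"""Reverse the BatLoader-style PowerShell unpacking chain on a captured blob.

Added example, not from the original report. The documented chain is:
Base64 decode -> gzip decompress -> byte reversal -> .NET assembly loaded in memory.
The sample blob below is constructed from a harmless stand-in payload; real samples
may reorder the steps, which is why unpack() reports the stage at which it stopped.
"""
import base64
import gzip
import zlib

MZ = b"MZ"                 # DOS header that a PE / .NET executable starts with
GZIP_MAGIC = b"\x1f\x8b"   # first two bytes of any gzip stream

# Constructed stand-in payload: starts with "MZ" so it looks like a PE, but is not one.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed stand-in, not a real binary"


def pack(payload: bytes) -> str:
    """Forward chain (what the loader author did); used here only to build a sample."""
    reversed_payload = payload[::-1]
    compressed = gzip.compress(reversed_payload)
    return base64.b64encode(compressed).decode("ascii")


def unpack(blob: str) -> dict:
    """Reverse the chain and report each stage's output size.

    Returns {"stages": [(name, size), ...], "payload": bytes | None,
             "is_pe": bool, "error": str | None} so an analyst can see where a
    variant deviates from the documented order.
    """
    result = {"stages": [], "payload": None, "is_pe": False, "error": None}
    try:
        decoded = base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
        result["stages"].append(("base64", len(decoded)))
        if not decoded.startswith(GZIP_MAGIC):
            raise ValueError("no gzip magic after base64 decode; variant may reverse first")
        inflated = gzip.decompress(decoded)
        result["stages"].append(("gzip", len(inflated)))
        payload = inflated[::-1]                           # undo the byte reversal
        result["stages"].append(("reverse", len(payload)))
        result["payload"] = payload
        result["is_pe"] = payload.startswith(MZ)
    except (ValueError, OSError, EOFError, zlib.error) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


# Constructed samples: one built with the full chain, one that is Base64 but not gzip.
SAMPLE_BLOB = pack(FAKE_PE)
NOT_GZIP_BLOB = base64.b64encode(b"plain text, no gzip header").decode("ascii")

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BLOB), ("not-gzip", NOT_GZIP_BLOB)):
        r = unpack(blob)
        print(name, r["stages"], "is_pe=%s" % r["is_pe"], r["error"])
```

When the recovered bytes start with `MZ`, write them to disk under a quarantined name and hand them to a .NET disassembler; the page notes that this executable is what contacts the CnC server, so its strings and network code are where the next stage lives.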
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The initial stage often relies on phishing (including OneNote attachments) to trick victims into downloading either a loader or a downloader. [‘The initial stage often relies on various phishing techniques to trick victims into downloading either a loader or a downloader.’]
- [T1059.003] Windows Command Shell – The bat loader executes via batch script and uses Windows shell commands. [‘The bat file is the malicious sample that needs to be executed by the user by any of the above-mentioned means.’]
- [T1059.001] PowerShell – Execution of obfuscated PowerShell scripts loaded from the bat script. [‘This command instructs PowerShell to execute a script or command with a custom parameter -win, and it expects a Base64-encoded string as an argument.’]
- [T1027] Obfuscated Files and Information – The batch and PowerShell scripts use Base64 encoding, gzip compression and byte reversal to hide the payload until it is loaded. [‘Let’s decode the base64 encoded string.’ ‘base64 decoded’ ‘GZIP decompressed’ ‘Reversing of the output.’]
- [T1105] Ingress Tool Transfer – The .NET executable that the loader drops connects to a CnC server to retrieve an additional payload. [‘…to retrieve another payload.’]
- [T1071.001] Web Protocols – The dot net executable connects with the CnC server to retrieve payloads. [‘connects with the Command and Control (CnC) server to retrieve another payload.’]
- [T1055] Process Injection – A .NET executable is injected into a process and may move forward to infect the device. [‘This file is injected into a process, and depending on the specific malware family, it moves forward to infect the device.’]
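The T1059.003 to T1059.001 handoff above (a batch file launching PowerShell with a Base64 argument that inflates to gzip) is the most visible point of the chain in process-creation telemetry. The following is an added detection example, not code from the report: the event field names, the `-win` parameter placement and the score weights are assumptions, and the events are constructed to resemble EDR process-creation records.

```python
"""Flag batch-to-PowerShell launches carrying a Base64 blob (T1059.003 -> T1059.001, T1027).

Added example, not from the report. Events are constructed; the field names
(parent_image, image, command_line) are assumptions, not a real EDR schema.
"""
import base64
import binascii
import gzip
import re

# A long run of Base64 alphabet characters, optionally padded. The 60-char floor is
# an assumption chosen to skip ordinary flags, paths and GUIDs.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for the loader's argument: gzip of 256 arbitrary bytes, then
# Base64, so that a single decode exposes the gzip magic as in the reported sample.
SUSPICIOUS_BLOB = base64.b64encode(gzip.compress(bytes(range(256)))).decode("ascii")

SAMPLE_EVENTS = [
    {   # batch file launching PowerShell with a Base64 argument after a custom -win parameter
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": rf"powershell.exe -File C:\Users\Public\setup.ps1 -win {SUSPICIOUS_BLOB}",
    },
    {   # ordinary interactive use: no batch parent, no encoded argument
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -NoProfile -Command Get-Process",
    },
    {   # batch-launched PowerShell without an encoded argument: low score, not ignored
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -Command Get-ChildItem C:\temp",
    },
]


def decodes_to_gzip(token: str) -> bool:
    """True if the token is valid Base64 whose first two bytes are the gzip magic."""
    try:
        return base64.b64decode(token, validate=True).startswith(GZIP_MAGIC)
    except binascii.Error:
        return False


def score_event(event: dict) -> tuple:
    """Return (score, reasons); higher means closer to the documented BatLoader chain."""
    reasons, score = [], 0
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    cmd = event["command_line"]
    if event["parent_image"].lower().endswith("cmd.exe"):
        score += 1
        reasons.append("PowerShell spawned from cmd.exe (batch launcher, T1059.003 -> T1059.001)")
    for token in B64_TOKEN.findall(cmd):
        score += 1
        reasons.append(f"long Base64-looking argument ({len(token)} chars)")
        if re.search(r"-win\s+" + re.escape(token), cmd):
            score += 1
            reasons.append("argument follows a -win parameter, as in the reported script")
        if decodes_to_gzip(token):
            score += 2
            reasons.append("argument decodes to a gzip stream (T1027)")
    return score, reasons


def triage(events: list) -> list:
    """Score every event; callers alert on the high end and keep the rest for hunting."""
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for idx, (score, reasons) in enumerate(triage(SAMPLE_EVENTS)):
        print(f"event {idx}: score={score}", *reasons, sep="\n  ")
```

Scoring rather than a single boolean keeps the batch-launched-but-clean case (third event) visible for hunting without paging on it; the gzip-magic check is what separates this loader's argument from the long `-EncodedCommand` strings that legitimate automation produces.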
Indicators of Compromise
- [File Hash] SHA-256 hashes associated with BatLoader variants and the related families: 764250ddf94b90441193fe1c29754f231e0868d1878fdf3150e5744dd8d8c378, d71cdb791f3f58bd064fb840488f7e708d707b1d39e70fbe5c597f7fbcc0699e, and six further hashes not reproduced here.