{
	"id": "11b991c8-409a-4d92-aff2-a018ea2bd678",
	"created_at": "2026-04-06T00:10:13.879473Z",
	"updated_at": "2026-04-10T03:21:10.324627Z",
	"deleted_at": null,
	"sha1_hash": "1f961e0575b44edb04f9c3869e0b8ffcc83be7ab",
	"title": "Decoding BATLOADER 2.X: Unmasking the Threat of Stealthy Malware Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1127012,
	"plain_text": "Decoding BATLOADER 2.X: Unmasking the Threat of Stealthy Malware Tactics\r\nBy Rumana Siddiqui\r\nPublished: 2023-12-18 · Archived: 2026-04-05 18:22:32 UTC\r\nOverview:\r\nBatloader is not a new malware in the series – it is an emerging one. In our previous blogs, we discussed how Batloader can deploy different types of malware, including stealers and ransomware. We also delved into its role in gaining initial access, and highlighted its highly evasive nature, along with its ability to continuously upgrade itself over time.\r\nVarious techniques are employed in delivering malware to the user’s system. Such methods include phishing emails, masquerading documents, or downloading cracked software. Amongst these, downloading cracked software may seem harmless to regular users, since the malware often uses genuine file names and conducts most of its malicious activity in the background, or injects malicious code into a clean file.\r\nIn this blog, we will analyze how Batloader loads the payload, which in this case is a stealer.\r\nTechnical Analysis:\r\nFigure 1: Infection Chain\r\nThe cabinet file contains a bat file, which is dropped at a temporary location, executed, and later deleted.\r\nhttps://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/\r\nPage 1 of 9\n\nFigure 2: Cabinet File\r\nFigure 3: Bat File Extracted\r\nThe leading comment of the obfuscated bat file is a base64-encoded, AES-encrypted GZip stream. This is later decrypted to a .NET file and then dropped at a temp location.\r\nFigure 4: Obfuscated Bat File\r\nFigure 5: Obfuscated Bat File\r\nThe deobfuscated bat file contains a PowerShell script that copies the genuine powershell.exe to the current folder and executes it.
The PowerShell script then takes the leading comment in the bat file and performs the following actions:\r\n1. Remove specific keywords.\r\n2. Decode it from Base64.\r\n3. Decrypt it with AES in CBC mode.\r\n4. Decompress the GZipStream obtained in step 3.\r\n5. Load the assembly from its EntryPoint.\r\nFigure 6: PowerShell Script\r\nThe PowerShell script drops the AsyncRAT .NET executable under the temp folder and starts its execution.\r\nStage 3: AsyncRAT\r\nThe dropped file is unprotected and deobfuscated.\r\nFigure 7: Dropped Exe File\r\nExecution of AsyncRAT starts by initializing the configuration, decrypting values that are AES-encrypted in CBC mode and base64-encoded.\r\nFigure 8: Configuration Initialization\r\nFigure 9: AES Decryption\r\nAnti-Analysis Module\r\nIt examines the environment to find out whether the sample is under analysis by checking for the presence of a debugger, a sandbox, and other indicators.
If any are detected, it terminates its execution.\r\nFigure 10: Anti-Analysis Module\r\nIf any process from a list including Taskmgr, ProcessHacker, ProcExp, etc., is detected during execution, that process is terminated.\r\nFigure 11: Terminating Process\r\nAMSI and Event Tracing Bypass\r\nTo bypass AMSI and event tracing, it first identifies the system architecture and then calls the corresponding functions for that architecture.\r\nFigure 12: Bypass\r\nAMSI is the Windows Antimalware Scan Interface, which allows applications and services to integrate with an anti-malware product.\r\nComponents that are integrated with AMSI are:\r\nUser Account Control\r\nPowerShell\r\nWindows Script Host\r\nJavaScript and VBScript\r\nOffice VBA Macros\r\nTo bypass it, the malware patches amsi.dll’s AmsiScanBuffer() function.\r\nFigure 13: AMSI Bypass\r\nTo achieve this:\r\nFirst, it retrieves the address of the corresponding function – AmsiScanBuffer.\r\nThen, it changes the memory protection of the page using NtProtectVirtualMemory() so that the new instructions can be written.\r\nFinally, it patches the memory with the corresponding new bytes:\r\nx86_am_si_patch = 0xB8, 0x57, 0x00, 0x07, 0x80, 0xc2, 0x18, 0x00;\r\nx64_am_si_patch = 0xB8, 0x57, 0x00, 0x07, 0x80, 0xc3;\r\nFigure 14: Patching Memory\r\nEvent tracing is a mechanism used to trace user- and kernel-level applications/drivers and is part of the Windows operating system. It is an important feature that helps security vendors identify anomalous behavior in running applications.\r\nTo bypass it, the malware patches the EtwEventWrite() function of ntdll. The process is the same as described above for the AMSI bypass.
The newly written bytes are:\r\nx64_etw_patch = 0x48, 0x33, 0xc0, 0xc3;\r\nx86_etw_patch = 0x33, 0xc0, 0xc2, 0x14, 0x00;\r\nFigure 15: Event Tracing Bypass\r\nPersistence\r\nIt creates a Run registry entry if it has admin rights. Otherwise, it creates a scheduled task for timed execution.\r\nFigure 16: Registry Entry\r\nFigure 17: Scheduled Task\r\nIt creates a temporary bat file to copy itself to the %temp% location, then deletes the bat file and starts execution of the dropped file.\r\nFigure 18: Installation\r\nIt then checks the Pastebin details; if these are set to null, it tries to connect to the URL “jzx100.myddns.me”. After that, it keeps trying to connect in a loop until the connection succeeds.\r\nFigure 19: CnC Connection\r\nOnce the connection is successful, it sends information such as the username, OS, camera, installed antivirus, etc., as shown in the figure.\r\nFigure 20: Sending Info to CnC\r\nAt the time of our analysis the URL was not active. From code analysis, it also appears that it receives the commands below from the CnC and acts on them accordingly; it seems to invoke the plugin received in the packet and keep the connection alive.\r\nFigure 21: CnC Commands\r\nConclusion:\r\nUsers should avoid downloading cracked software, as it does more harm without the users’ knowledge. Sensitive data sent by stealers to the CnC could be used further to plan attacks or for financial gain.
Moreover, these stealers have features to download more payloads, which can lead to the deployment of ransomware onto the system.\r\nIOCs:\r\n96B07F8951F4BDEB95856D9477071865\r\n1528F443777A42B09AE19D7E6F5F508A\r\nAuthor:\r\nRumana Siddiqui\r\nSource: https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics/"
	],
	"report_names": [
		"decoding-batloader-2-x-unmasking-the-threat-of-stealthy-malware-tactics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f961e0575b44edb04f9c3869e0b8ffcc83be7ab.pdf",
		"text": "https://archive.orkl.eu/1f961e0575b44edb04f9c3869e0b8ffcc83be7ab.txt",
		"img": "https://archive.orkl.eu/1f961e0575b44edb04f9c3869e0b8ffcc83be7ab.jpg"
	}
}