When Malware Strikes Back
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report describes a multi-stage Windows intrusion chain that combines a concealed batch script, a PowerShell-based loader, and Donut-generated shellcode to stand up a persistent, memory-resident RAT with credential-theft capability. The loader delivers a .NET implant engineered for stealth, featuring strong anti-analysis coverage, process injection, and interactive remote-control features. Stolen data is pushed out through Discord webhooks and Telegram bots, reinforcing a modular design focused on in-memory execution and minimal on-disk footprint.
Investigation
Analysis identified persistence via a per-user Run registry value that triggers a batch file hidden under %APPDATA%. The batch script contains an embedded Base64 blob that it extracts and decodes into a PowerShell stage. That loader decrypts a Donut shellcode payload and injects it into svchost.exe and explorer.exe, using Windows APIs such as CreateRemoteThread to execute the in-memory implant. The decrypted stage resolves to a heavily obfuscated .NET assembly that includes Pulsar RAT functionality plus a dedicated stealer module. Researchers observed anti-VM and anti-debug checks, safeguards meant to detect analysis or injection monitoring, and command handlers that attempt to weaken local defenses—such as disabling Task Manager and manipulating UAC-related behavior.
Mitigation
Block creation of hidden batch files in user-writable AppData paths and investigate unknown entries added to per-user Run keys. Monitor PowerShell command lines for Base64 decode patterns and signs of remote memory injection activity. Use endpoint tooling capable of recognizing Donut shellcode traits, detecting in-memory .NET assemblies, and flagging C2 traffic to Discord and Telegram. Enforce application allow-listing and apply egress controls that restrict outbound access to webhook endpoints and messaging-based C2.
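As an added example (not the report's or the vendor's own rule logic), the following Python models three of the detections this page relies on, run over constructed telemetry: a per-user Run value pointing at a .bat under AppData, PowerShell launched with -ExecutionPolicy Bypass on a script under AppData, and an -EncodedCommand whose decoded body combines FromBase64String, an XOR stage and an injection API name. The injection API list and the abbreviated -e/-ec/-en/-enc switch forms are assumptions; the encoded command is built inline so the example is self-contained and only ever decodes it.

```python
import base64
import re

# Constructed sample telemetry (not taken from the report). The encoded
# PowerShell is built here so the example is self-contained; it is only decoded.
INNER_SCRIPT = (
    "$bytes = [Convert]::FromBase64String('OjoGOg==')\n"
    "$decoded = $bytes | ForEach-Object { $_ -bxor 170 }  # XOR stage\n"
    "# CreateRemoteThread into svchost.exe would follow in the real loader\n"
)
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"type": "registry_event", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bada287ebf",
     "value": r"C:\Users\alice\AppData\Roaming\Microsoft\0a1a98b5f9fc7c62.bat"},
    {"type": "process_creation",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Roaming\ps_7b948266.ps1"},
    {"type": "process_creation", "cmdline": "powershell.exe -NoProfile -EncodedCommand " + ENCODED},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA_BAT_RE = re.compile(r"\\AppData\\.*\.bat$", re.IGNORECASE)
APPDATA_PS1_RE = re.compile(r"-ex(?:ecutionpolicy)?\s+bypass.*\\AppData\\.*\.ps1", re.IGNORECASE)
# Assumed: PowerShell also accepts the abbreviated switch forms -e, -ec, -en and -enc
ENC_ARG_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INJECTION_APIS = ("createremotethread", "writeprocessmemory", "virtualallocex", "allochglobal")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or '' when absent or malformed."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(event):
    """Names of the page's detections that a single telemetry event satisfies."""
    hits = []
    if event["type"] == "registry_event":
        if RUN_KEY_RE.search(event["key"]) and APPDATA_BAT_RE.search(event["value"]):
            hits.append("Persistence via Run Key for Batch File Execution")
    elif event["type"] == "process_creation":
        cmd = event["cmdline"]
        if APPDATA_PS1_RE.search(cmd):
            hits.append("Powershell Executing File In Suspicious Directory Using Bypass Execution Policy")
        body = (decode_encoded_command(cmd) or cmd).lower()  # inspect the decoded script if present
        if "frombase64string" in body and "xor" in body and any(a in body for a in INJECTION_APIS):
            hits.append("Detection of Memory Injection and Payload Execution via PowerShell")
    return hits
```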
Response
If detected, isolate the endpoint, stop the injected svchost.exe and explorer.exe instances tied to the malicious thread creation, and remove both the hidden batch file and the associated Run-key persistence. Capture memory images to preserve in-memory artifacts, extract and analyze the .NET payload, and hunt across the environment for matching behaviors and indicators. Reset potentially exposed credentials and revoke any compromised Discord/Telegram webhook tokens to prevent continued exfiltration.
Keywords: Windows malware, PowerShell loader, hidden batch file, AppData, Run key, Donut shellcode, CreateRemoteThread, process injection, in-memory .NET, Pulsar RAT, credential theft, Discord webhooks, Telegram bot, anti-VM, anti-debug.
"graph TB %% Class Definitions classDef action fill:#99ccff classDef file fill:#ccffcc classDef process fill:#ffeb99 classDef malware fill:#ff9999 classDef operator fill:#ff9900 %% Nodes – Files and Registry logon_script_file["<b>File</b>: 0a1a98b5f9fc7c62.bat<br/><b>Location</b>: %APPDATA%\Microsoft\…"] class logon_script_file file run_key["<b>Registry</b>: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\bada287ebf"] class run_key file %% Nodes – Techniques (Actions) persistence_run["<b>Technique</b> – T1037.001 Boot or Logon Initialization Scripts<br/><b>Description</b>: Hidden batch file placed in %APPDATA% and registered in Run key for persistence."] class persistence_run action powershell_interpreter["<b>Technique</b> – T1059.001 Command and Scripting Interpreter: PowerShell<br/><b>Description</b>: Executes decoded PowerShell script with bypass policy."] class powershell_interpreter action obfuscation["<b>Technique</b> – T1027 Obfuscated Files or Information<br/><b>Description</b>: XORu2011encrypted byte array and compileu2011afteru2011delivery logic."] class obfuscation action deobfuscate["<b>Technique</b> – T1140 Deobfuscate/Decode Files or Information<br/><b>Description</b>: Base64 and XOR decode to produce shellcode."] class deobfuscate action reflective_loading["<b>Technique</b> – T1620 Reflective Code Loading<br/><b>Description</b>: Allocates memory in target process and writes shellcode."] class reflective_loading action process_injection["<b>Technique</b> – T1055.002 Process Injection: Portable Executable Injection<br/><b>Description</b>: Injects shellcode via CreateRemoteThread into svchost.exe and explorer.exe."] class process_injection action sandbox_evasion["<b>Technique</b> – T1497 Virtualization/Sandbox Evasion<br/><b>Description</b>: Checks VM and sandbox before proceeding."] class sandbox_evasion action indirect_cmd["<b>Technique</b> – T1202 Indirect Command Execution<br/><b>Description</b>: Enables/disables Task Manager and UAC via C2."] 
class indirect_cmd action uac_bypass["<b>Technique</b> – T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control<br/><b>Description</b>: Disables UAC and security UI."] class uac_bypass action scheduled_task["<b>Technique</b> – T1053 Scheduled Task/Job<br/><b>Description</b>: Creates schtasks.exe task to run payload at logon."] class scheduled_task action autostart["<b>Technique</b> – T1547 Boot or Logon Autostart Execution<br/><b>Description</b>: Dual persistence via Run key and scheduled task."] class autostart action cred_from_browser["<b>Technique</b> – T1555.003 Credentials from Web Browsers<br/><b>Description</b>: Harvests stored credentials."] class cred_from_browser action alternate_auth["<b>Technique</b> – T1550.004 Use Alternate Authentication Material: Web Session Cookie<br/><b>Description</b>: Extracts session cookies and tokens."] class alternate_auth action archive_data["<b>Technique</b> – T1560.002 Archive Collected Data: Archive via Library<br/><b>Description</b>: Zips collected credentials in memory."] class archive_data action compression["<b>Technique</b> – T1027.015 Compression<br/><b>Description</b>: Compresses data into ZIP before exfiltration."] class compression action exfil_webhook["<b>Technique</b> – T1567.004 Exfiltration Over Webhook<br/><b>Description</b>: Sends ZIP archive to Discord webhook and Telegram Bot."] class exfil_webhook action web_service["<b>Technique</b> – T1102.003 Web Service: Oneu2011Way Communication<br/><b>Description</b>: Uses HTTPS to Discord/Telegram for exfiltration."] class web_service action compile_after_delivery["<b>Technique</b> – T1027.004 Compile After Delivery<br/><b>Description</b>: Compiles C# interop code at runtime for injection."] class compile_after_delivery action stripped_payload["<b>Technique</b> – T1027.008 Stripped Payloads<br/><b>Description</b>: Final .NET assembly stripped of metadata."] class stripped_payload action embedded_payload["<b>Technique</b> – T1027.009 Embedded 
Payloads<br/><b>Description</b>: Donut shellcode embeds .NET payload."] class embedded_payload action %% Nodes – Files Produced ps_script_file["<b>File</b>: ps_7b948266.ps1<br/><b>Content</b>: Decodes Base64 payload and runs."] class ps_script_file file donut_shellcode["<b>File</b>: decoded.bin<br/><b>Type</b>: Donutu2011generated shellcode"] class donut_shellcode file %% Nodes – Processes svchost_process["<b>Process</b>: svchost.exe"] class svchost_process process explorer_process["<b>Process</b>: explorer.exe"] class explorer_process process %% Nodes – Malware credential_stealer["<b>Malware</b>: .NET stealer<br/><b>Description</b>: Extracts passwords, cookies, tokens from browsers."] class credential_stealer malware %% Connections – Attack Flow logon_script_file –>|registered in| run_key run_key –>|enables| persistence_run persistence_run –>|executes| powershell_interpreter powershell_interpreter –>|runs| ps_script_file ps_script_file –>|contains| obfuscation obfuscation –>|requires| deobfuscate deobfuscate –>|produces| donut_shellcode donut_shellcode –>|loaded by| reflective_loading reflective_loading –>|writes to| svchost_process svchost_process –>|injects via| process_injection process_injection –>|targets| explorer_process process_injection –>|uses| compile_after_delivery process_injection –>|uses| embedded_payload explorer_process –>|runs| credential_stealer credential_stealer –>|extracts| cred_from_browser credential_stealer –>|extracts| alternate_auth cred_from_browser –>|collected data| archive_data archive_data –>|compressed by| compression compression –>|sent via| exfil_webhook exfil_webhook –>|uses| web_service sandbox_evasion –>|checks before| powershell_interpreter indirect_cmd –>|controls| uac_bypass scheduled_task –>|fallback persistence| autostart autostart –>|ensures| persistence_run "
Attack Flow
Detections
- Possible Telegram Abuse As Command And Control Channel (via dns_query)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Call Suspicious Windows API Functions from Powershell (via powershell)
- Suspicious Powershell Strings (via powershell)
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- Suspicious Alternate Data Stream (ADS) Zone.Identifier Manipulation Attempt (via process_creation)
- Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline)
- IOCs (DestinationIP) to detect: When Malware Talks Back
- IOCs (SourceIP) to detect: When Malware Talks Back
- IOCs (HashMd5) to detect: When Malware Talks Back
- IOCs (HashSha1) to detect: When Malware Talks Back
- Persistence via Run Key for Batch File Execution [Windows Registry Event]
- Detection of Memory Injection and Payload Execution via PowerShell [Windows Powershell]
- Detection of Batch and PowerShell Execution for Hidden Malware Persistence [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Recon & Payload Retrieval – The attacker uses a PowerShell one-liner to download a Base64-encoded shellcode blob from a C2 server (simulated via a local file).
- Obfuscation – The downloaded payload is XOR-obfuscated with the key 0xAA. The script contains the literal string "XOR" to satisfy the rule's second clause.
- Decoding & De-obfuscation – The attacker decodes the Base64 string, applies the XOR operation in memory, and stores the clear shellcode in a byte array.
- Process Injection – Using the Windows API CreateRemoteThread, the script injects the shellcode into a benign target process (notepad.exe). The command line explicitly includes the text "CreateRemoteThread".
- Execution – The remote thread runs, achieving code execution on the host.
Regression Test Script:
# ------------------------------------------------------------
# Simulated PowerShell memory-injection campaign
# ------------------------------------------------------------
# 1. Prepare a dummy payload: a four-byte NOP-sled placeholder that is never
#    executed; the test only needs the loader's strings to appear in telemetry.
$shellcode = [Byte[]] (0x90,0x90,0x90,0x90)

# 2. XOR-obfuscate the payload with key 0xAA (cast back to Byte[] so that
#    ToBase64String receives bytes rather than an Object[] of Int32)
$key = 0xAA
$xorPayload = [Byte[]] ($shellcode | ForEach-Object { [Byte]($_ -bxor $key) })

# 3. Encode the XORed payload in Base64
$b64 = [Convert]::ToBase64String($xorPayload)

# 4. Build the PowerShell command that will run the simulated injection.
#    Backtick-escaped `$ variables stay literal for the inner script; $b64 and $key expand now.
$injectCmd = @"
`$bytes = [Convert]::FromBase64String('$b64')
# XOR de-obfuscation (literal 'XOR' present for detection)
`$decoded = `$bytes | ForEach-Object { `$_ -bxor $key }
# Launch notepad as the nominal injection target
`$proc = Start-Process notepad -PassThru
# Allocate unmanaged memory in this process only; nothing is written into notepad
`$addr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(`$decoded.Length)
# CreateRemoteThread is named here so the rule's API clause matches; no remote thread is created
[System.Runtime.InteropServices.Marshal]::FreeHGlobal(`$addr)
"@

# 5. Prepend the test marker ::6bbd64163c24f552:: as a comment (so the script still parses),
#    then encode the whole command as UTF-16LE Base64 for -EncodedCommand
$marker = '::6bbd64163c24f552::'
$fullCmd = "# $marker`n" + $injectCmd
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($fullCmd))

# 6. Execute the simulated loader via -EncodedCommand
powershell.exe -EncodedCommand $encoded
Cleanup Commands:
# Terminate any notepad instances started during the test
Get-Process notepad -ErrorAction SilentlyContinue | Stop-Process -Force
# Remove any temporary files / modules if created (none in this demo)
Write-Host "Cleanup complete."