win.bat_loader

BATLOADER


According to PCrisk, BATLOADER is part of the infection chain, where it is used to perform the initial compromise. This malware is used to execute payloads like Ursnif. Our team has discovered BATLOADER after executing installers for legitimate software (such as Zoom, TeamViewer, Visual Studio) bundled with this malware. We have found those installers on compromised websites.
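The description above puts the initial compromise at a trojanized installer for a legitimate product, fetched from a compromised website. The following PowerShell function is an added defensive check, not code from the Malpedia page, PCrisk or any of the reports cited below: it vets a downloaded installer before it is run by validating the Authenticode chain, comparing the signer's subject with the vendor the user believes they downloaded from, comparing the SHA-256 with a vendor-published hash, and recording the download URL from the file's Zone.Identifier stream. The expected signer substring, the expected hash and the file path in the usage line are caller-supplied placeholders, not values taken from the page.

```powershell
<#
  Added example: not code from the Malpedia page, PCrisk or any cited report.
  Vets a downloaded installer before it is run. $ExpectedSigner and $ExpectedSha256
  are assumed to come from the vendor's own site; the values in the usage line at
  the bottom are placeholders, not real hashes or paths.
#>
function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject, e.g. 'Zoom Video Communications'
        [Parameter(Mandatory)] [string] $ExpectedSigner,
        # Vendor-published SHA-256 for this installer, if the vendor publishes one
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Authenticode: the chain must validate AND the signer must be the expected vendor.
    #    A valid signature alone is not a verdict: the eSentire and Walmart reports listed
    #    below describe signed MSIX packages and signed DLLs being abused, so the Subject
    #    is compared as well as the status.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)' ($($sig.StatusMessage))")
    }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -notlike "*$ExpectedSigner*") {
        $findings.Add("signer subject '$subject' does not contain '$ExpectedSigner'")
    }

    # 2. Hash: compare with the value the vendor publishes, when one exists.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and ($hash -ne $ExpectedSha256.ToUpperInvariant())) {
        $findings.Add("SHA-256 $hash does not match the vendor-published value")
    }

    # 3. Provenance: browsers stamp downloads with a Zone.Identifier alternate data stream
    #    that records the source URL. Keep it so the origin is known even when the file
    #    name looks like a legitimate installer.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $sourceUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

    [pscustomobject]@{
        Path      = $Path
        Signer    = $subject
        Sha256    = $hash
        SourceUrl = if ($sourceUrl) { $sourceUrl } else { '<no Zone.Identifier>' }
        Verdict   = if ($findings.Count -eq 0) { 'OK' } else { 'DO NOT RUN' }
        Findings  = $findings.ToArray()
    }
}

# Usage (placeholder path, signer substring and hash; substitute the vendor's real values):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\ZoomInstaller.exe" `
#     -ExpectedSigner 'Zoom Video Communications' `
#     -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
```

A `DO NOT RUN` verdict with a `SourceUrl` that is not the vendor's domain is the pattern the description above calls out: a legitimate-looking installer served from somewhere the vendor does not control. The Zone.Identifier stream only exists on NTFS volumes and for files that came through a browser or other Mark-of-the-Web-aware client, so its absence is recorded rather than treated as a finding.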

References
2023-08-07 | Trend Micro | Junestherry Dela Cruz
@online{cruz:20230807:latest:064e40e, author = {Junestherry Dela Cruz}, title = {{Latest Batloader Campaigns Use Pyarmor Pro for Evasion}}, date = {2023-08-07}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html}, language = {English}, urldate = {2023-08-09} } Latest Batloader Campaigns Use Pyarmor Pro for Evasion
BATLOADER
2023-08-01 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20230801:batloader:4398798, author = {eSentire Threat Response Unit (TRU)}, title = {{BatLoader Continues Signed MSIX App Package Abuse}}, date = {2023-08-01}, organization = {eSentire}, url = {https://www.esentire.com/blog/batloader-continues-signed-msix-app-package-abuse}, language = {English}, urldate = {2023-08-15} } BatLoader Continues Signed MSIX App Package Abuse
BATLOADER
2023-03-30 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20230330:esentire:e789d22, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: BatLoader}}, date = {2023-03-30}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-batloader}, language = {English}, urldate = {2023-07-31} } eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-03-09 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20230309:batloader:db50046, author = {eSentire Threat Response Unit (TRU)}, title = {{BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif}}, date = {2023-03-09}, organization = {eSentire}, url = {https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif}, language = {English}, urldate = {2023-04-25} } BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
BATLOADER ISFB Vidar
2023-02-28 | Intel 471 | Intel 471
@online{471:20230228:malvertising:268d961, author = {Intel 471}, title = {{Malvertising Surges to Distribute Malware}}, date = {2023-02-28}, organization = {Intel 471}, url = {https://intel471.com/blog/malvertising-surges-to-distribute-malware}, language = {English}, urldate = {2023-03-13} } Malvertising Surges to Distribute Malware
BATLOADER IcedID
2023-02-08 | NTT Security | Ryu Hiyoshi
@online{hiyoshi:20230208:steelclover:0f3b85a, author = {Ryu Hiyoshi}, title = {{SteelClover Attacks Distributing Malware Via Google Ads Increased}}, date = {2023-02-08}, organization = {NTT Security}, url = {https://insight-jp.nttsecurity.com/post/102i7af/steelclovergoogle}, language = {English}, urldate = {2023-02-13} } SteelClover Attacks Distributing Malware Via Google Ads Increased
BATLOADER ISFB RedLine Stealer
2023-02-02 | Kroll | Stephen Green, Elio Biasiotto
@online{green:20230202:hive:4624808, author = {Stephen Green and Elio Biasiotto}, title = {{Hive Ransomware Technical Analysis and Initial Access Discovery}}, date = {2023-02-02}, organization = {Kroll}, url = {https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery}, language = {English}, urldate = {2023-04-22} } Hive Ransomware Technical Analysis and Initial Access Discovery
BATLOADER Cobalt Strike Hive
2023-01-17 | Trend Micro | Junestherry Dela Cruz
@online{cruz:20230117:batloader:594298e, author = {Junestherry Dela Cruz}, title = {{Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks}}, date = {2023-01-17}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html}, language = {English}, urldate = {2023-01-19} } Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks
BATLOADER
2022-11-14 | VMware | Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht, Deborah Snyder, Nikki Benoit
@online{hardin:20221114:batloader:879d974, author = {Bethany Hardin and Lavine Oluoch and Tatiana Vollbrecht and Deborah Snyder and Nikki Benoit}, title = {{BATLOADER: The Evasive Downloader Malware}}, date = {2022-11-14}, organization = {VMware}, url = {https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html}, language = {English}, urldate = {2022-11-28} } BATLOADER: The Evasive Downloader Malware
BATLOADER
2022-04-15 | Medium walmartglobaltech | Jason Reaves
@online{reaves:20220415:revisiting:94c149c, author = {Jason Reaves}, title = {{Revisiting BatLoader C2 structure}}, date = {2022-04-15}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/revisiting-batloader-c2-structure-52f46ff9893a}, language = {English}, urldate = {2023-01-31} } Revisiting BatLoader C2 structure
BATLOADER
2022-02-01 | Mandiant | Ng Choon Kiat, Angelo Del Rosario, Martin Co
@online{kiat:20220201:zoom:c13e3eb, author = {Ng Choon Kiat and Angelo Del Rosario and Martin Co}, title = {{Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent}}, date = {2022-02-01}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/seo-poisoning-batloader-atera}, language = {English}, urldate = {2022-12-08} } Zoom For You — SEO Poisoning to Distribute BATLOADER and Atera Agent
BATLOADER
2022-01-11 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
@online{reaves:20220111:signed:0f32583, author = {Jason Reaves and Joshua Platt}, title = {{Signed DLL campaigns as a service}}, date = {2022-01-11}, organization = {Medium walmartglobaltech}, url = {https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489}, language = {English}, urldate = {2023-01-31} } Signed DLL campaigns as a service
BATLOADER Cobalt Strike ISFB Zloader

There is no YARA signature yet.