New #phishing campaign uses #DBatLoader to drop #Remcos RAT.
The infection relies on a #UAC bypass using mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence. At the time of analysis, the samples had not yet been submitted to #VirusTotal.
Execution chain: #Phish → Archive → DBatLoader → CMD → SndVol.exe (Remcos injected)
#ANYRUN allows analysts to quickly uncover stealth techniques like LOLBAS abuse, injection, and UAC bypass, all within a single interactive analysis session. See analysis: https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice
Key techniques:
.cmd files #Obfuscated with #BatCloak are used to download and run the #payload.
Remcos injects into trusted system processes (SndVol.exe, colorcpl.exe).
Scheduled tasks trigger a Cmwdnsyn.url file, which launches a .pif dropper to maintain persistence.
Esentutl.exe is abused via LOLBAS to copy cmd.exe into the alpha.pif file.
UAC bypass is achieved with fake directories like “C:\Windows “ (note the trailing space), exploiting how Windows handles trailing spaces in folder names.
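As an added example (not code from the ANY.RUN post), a small Python scan over constructed process-creation events that flags three of the behaviours listed above: a process running from a directory whose name ends in a space, esentutl.exe copying a file to a different extension, and a scheduled task whose action is a .url file. The event fields, file paths and schtasks arguments are constructed for illustration.

```python
import re
from typing import Iterable

# Constructed process-creation events shaped like the chain above (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows \System32\cmd.exe",            # trailing space after "Windows"
     "cmdline": r'"C:\Windows \System32\cmd.exe" /c start alpha.pif'},
    {"image": r"C:\Windows\System32\esentutl.exe",        # LOLBAS copy: cmd.exe -> alpha.pif
     "cmdline": r"esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\Libraries\alpha.pif /o"},
    {"image": r"C:\Windows\System32\schtasks.exe",        # task whose action is a .url file (constructed args)
     "cmdline": r'schtasks /create /sc minute /tn Cmwdnsyn /tr "C:\Users\Public\Libraries\Cmwdnsyn.url"'},
    {"image": r"C:\Windows\System32\SndVol.exe", "cmdline": "SndVol.exe"},  # looks benign on its own
]

def mock_directory(image: str) -> bool:
    """True if any directory component of the image path ends in whitespace, e.g. 'C:\\Windows \\'."""
    parts = image.split("\\")
    return any(p != p.rstrip() for p in parts[:-1])

def esentutl_copy_to_other_ext(image: str, cmdline: str) -> bool:
    """esentutl /y <src> /d <dst> where the destination extension differs from the source."""
    if not image.lower().endswith("\\esentutl.exe"):
        return False
    m = re.search(r"/y\s+(\S+)\s+/d\s+(\S+)", cmdline, re.IGNORECASE)
    if not m:
        return False
    src_ext = m.group(1).rsplit(".", 1)[-1].lower()
    dst_ext = m.group(2).rsplit(".", 1)[-1].lower()
    return src_ext != dst_ext

def task_runs_url_file(image: str, cmdline: str) -> bool:
    """schtasks /create whose action (/tr) is a .url shortcut rather than a program."""
    if not image.lower().endswith("\\schtasks.exe") or "/create" not in cmdline.lower():
        return False
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s|$)', cmdline, re.IGNORECASE)
    return bool(m) and m.group(1).lower().endswith(".url")

def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, image) for every event matching one of the rules above."""
    hits = []
    for e in events:
        if mock_directory(e["image"]):
            hits.append(("mock_directory", e["image"]))
        if esentutl_copy_to_other_ext(e["image"], e["cmdline"]):
            hits.append(("esentutl_copy", e["image"]))
        if task_runs_url_file(e["image"], e["cmdline"]):
            hits.append(("task_url_file", e["image"]))
    return hits

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:16} {image}")
```

The SndVol.exe event matches nothing by itself, which is the point of the post: the injected process only stands out through its parent, its memory, or its network behaviour, not its image path.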
This threat uses multiple layers of stealth and abuse of built-in Windows tools. Behavioral detection and attention to unusual file paths or other anomalous activity are crucial to catching it early. #ANYRUN Sandbox provides the visibility needed to spot these techniques in real time.