BatLoader Malware Execution Detection

April 1, 2026 ยท View on GitHub

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1059.001Command and Scripting Interpreter: PowerShellPowerShell
T1105Ingress Tool TransferIngress Tool Transfer

Description

Detects BatLoader malware execution patterns including suspicious PowerShell execution from AppData with web request patterns and Gpg4Win tool abuse used by BatLoader for payload delivery.

Risk

BatLoader is an evasive downloader malware that uses legitimate tools like Gpg4Win to evade defenses. It is often used as a first-stage loader delivering banking trojans, information stealers, and ransomware.

Author

References

Defender For Endpoint

//Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline)
//https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
DeviceProcessEvents 
| where FileName endswith @'powershell.exe' and ProcessCommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')
//Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline)
//https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
SecurityEvent 
| where EventID == 4688 
| where NewProcessName endswith @'\powershell.exe' and CommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')
// Possible Batloader Malware Execution by Gpg4Win Tool (via process creation)
// https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
SecurityEvent 
| where EventID == 4688 
| where NewProcessName endswith @'gpg2.exe' and CommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')
// Possible Batloader Malware Execution by Gpg4Win Tool (via process creation)
// https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
DeviceProcessEvents 
| where FileName endswith @'gpg2.exe' and ProcessCommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')

Sentinel

//Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline)
//https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
DeviceProcessEvents 
| where FileName endswith @'powershell.exe' and ProcessCommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')
//Suspicious BatLoader Malware Execution by Use of Powershell (via cmdline)
//https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
SecurityEvent 
| where EventID == 4688 
| where NewProcessName endswith @'\powershell.exe' and CommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')
// Possible Batloader Malware Execution by Gpg4Win Tool (via process creation)
// https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
SecurityEvent 
| where EventID == 4688 
| where NewProcessName endswith @'gpg2.exe' and CommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')
// Possible Batloader Malware Execution by Gpg4Win Tool (via process creation)
// https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
DeviceProcessEvents 
| where FileName endswith @'gpg2.exe' and ProcessCommandLine has_all (@'\AppData\Roaming',@'Invoke-WebRequest','OutFile','update.bat','Start-Process')