Saw these two things in the wild while looking at some samples.
Batch Obfuscation
Malicious batch file was found and when opened in notepad/visual studio code, the code/text was not readable. The text was in another language.
When opening the file with hex editor or doing strings, batch commands were seen clearly. When the batch file was ran in command prompt, it worked just fine. The commands seen setting variables worked correctly. Only issue was that you couldn't easily read the file with visual studio.
When reviewing the obfuscated batch file in hex editor and comparing it to normal text file, the following bytes were seen in the front: fffe0d0a before normal ascii.
Turns out this isn't brand new. There is a blog by OneConsult discussing this technique:
https://www.oneconsult.com/en/blogs/dfir-analysts-diary/batch-file-obfuscation-incident/
Blog also points to https://github.com/SkyEmie/batch-obfuscator, which provides a tool.
Personally, I took the obfuscated batch file into hex editor and removed fffe0d0a from the front and opened it again in visual studio code and worked just fine.
I don't have a sample/hash I can link here right now. :-(
Loading powershell code in a weird way
Another sample I was looking at ran powershell code with Get-Content and SubString.
Sample is here: https://tria.ge/240307-fj3k3see34/behavioral1
This is the interesting part:
"powershell" -windowstyle hidden "$Undgaaelsers=Get-Content 'C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Befingringernes\Souchie\indlsninger\Casement.Sub';$Inferably=$Undgaaelsers.SubString(55257,3);.$Inferably($Undgaaelsers)"
