MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
SHA3-384 hash: 1c60738a04fd6e6af3a558edbfc174435f9cf4b6363ba08e9ab8213db745eb52412023afed2695b3a110f057868bf86d
SHA1 hash: b5c564414d7c01334de373095dc77b400866fce9
MD5 hash: 4e37cb17a7683b385680719f2eb0db20
humanhash: network-double-solar-black
File name:kill.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:987'136 bytes
First seen:2022-03-03 05:37:58 UTC
Last seen:2022-03-03 07:52:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 24576:OcvkTOYa160874gky9k53Axm0LxmG4T/6m0LXv1MFMJ60:JvkTl8BPcm0LYGY0LXdjU0
Threatray 1'147 similar samples on MalwareBazaar
TLSH T182252340F6E70BF7F6A2057502AA22AFE6326225A37065CFC7CD7D0655A39C48C781ED
Reporter adm1n_usa32
Tags:Babadeda exe


Avatar
adm1n_usa32
some creepypasta malware jazz

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kill.exe
Verdict:
Malicious activity
Analysis date:
2022-03-03 05:36:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d43795cf-52c8-40f0-ae5c-e00ef04b4f23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246665/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39032343.15362.24962.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
Searching for the window
Creating a file in the Windows directory
Changing a file
DNS request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7958/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lazagne packed shell32.dll
Link:
https://www.filescan.io/uploads/6220543eb94fb38cb43f6cc0/reports/5edaf3bb-b9fc-4f60-8602-87ff714503d3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c3504ee-2694-4664-8676-288c4fa386f1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949670
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionalty to change the wallpaper
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d/
Threat name:
Win32.Trojan.KillMbr
Create hunting rule
Status:
Malicious
First seen:
2022-02-20 14:03:00 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1f79ce7d7716512af2a93caf014f302846d5f41ff9850af71120c7fed2bf5845
Babadeda
385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb
Babadeda
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
Babadeda
605412b4ceaf25fc66306e96a347662161925ba372383ad39a28703d4ef65caa
Babadeda
90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
Babadeda
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
Babadeda
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
Babadeda
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3
Babadeda
f1df707bab0fc04a78d1131d2739f54c351073d1dac04ea700573368feb5d18a
Babadeda
f68cf2d7540359cd27bae6aaa15274efd2444f148e1632a9d4bf90facfe5c927
Babadeda
+ 1'137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit persistence ransomware
Link:
https://tria.ge/reports/220303-gbqrzsbbcl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Control Panel
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Sets desktop wallpaper using registry
autoit_exe
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
7e3a119031579802b6cd3fdd09629c035869bc6477261032c7c6580c8ebc47fd
MD5 hash:
a6d4ca4ddb21800c58c18c42c7b08667
SHA1 hash:
1e865b70fe81e5fcb2e78008b516cb945ee4145c
Link:
https://www.unpac.me/results/38441e81-e496-4962-9897-0feabbf86265/
SH256 hash:
dcdd2ec04f9e4f2ef127b76872d2c1beb2a1799fd1917a8676fb5b148457227b
MD5 hash:
cee251c4ef3b3a65e032b57c5e2ef595
SHA1 hash:
d795580552bfa4e93387218d5400fb8b1d305733
Link:
https://www.unpac.me/results/38441e81-e496-4962-9897-0feabbf86265/
SH256 hash:
8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
MD5 hash:
4e37cb17a7683b385680719f2eb0db20
SHA1 hash:
b5c564414d7c01334de373095dc77b400866fce9
Link:
https://www.unpac.me/results/38441e81-e496-4962-9897-0feabbf86265/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8e604b70dd6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/d43795cf-52c8-40f0-ae5c-e00ef04b4f23
Cape
Cape
https://www.capesandbox.com/analysis/246665/

Comments