MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6
SHA3-384 hash: 15f3c64a19aa07f1059fc7f3122b988ecbaece70a83e026edd97aff8d2a97384be59d06e6ab6e9df51c0c8175fa44f8f
SHA1 hash: 49310de06329d5b0d275d445f3e1d27e8ba5a868
MD5 hash: 935efee52d7c9761b93bf19470a233b2
humanhash: triple-alabama-glucose-robert
File name:real-deupx.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:92'160 bytes
First seen:2022-06-10 14:19:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 771106f54fcc51d1aa3989e528332f80 (2 x Babadeda, 1 x CoViper)
ssdeep 1536:G7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIf4micpO:8q6+ouCpk2mpcWJ0r+QNTBf4v
Threatray 138 similar samples on MalwareBazaar
TLSH T1D8936C41B3D241F7EAF10A7100A6722FA73676249724E8DBC34C3D839953AD59A3D3E9
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter James_inthe_box
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
real-deupx.exe
Verdict:
Malicious activity
Analysis date:
2022-06-10 14:35:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/47711d8b-e83b-45c8-ba82-443cc43a5341

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/278698/
Detection(s):
SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Searching for the window
Sending a custom TCP request
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/62a353502d4be2eac84a3b2a/reports/3b8a2330-81fb-402a-a8ae-5d37ea0324bb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c2f3d54-643c-4338-9a03-05c80ea6004e
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1010909
Signature
Antivirus detection for URL or domain
Disables Windows Defender (via service or powershell)
Machine Learning detection for sample
Modifies the windows firewall
Powershell drops PE file
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6/
Threat name:
Win32.Hacktool.DefeatDefend
Create hunting rule
Status:
Malicious
First seen:
2022-06-10 14:19:17 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
18 of 26 (69.23%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uc5wf5slk3e3u7hwm4x7ymaudobxmp5x73heyvjijup2wzkstlda._file
Verdict:
unknown
Similar samples:
011bb4cfef72d6381568e872d8ab226bd4803ba0a898d6d59410884c8d140ed5
Babadeda
4710c5debc1ad17a85ef82676a4b6b7e15054966de57b0f4bab61c4ede209830
Babadeda
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
Babadeda
6e34f951634493ec7a71e5c3418ed7d973ffc87351a5459722e04016c94b1471
Babadeda
8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
Babadeda
97a0cdc140d31645bd20d5048e40c299c6c6a0497ca1de080b9a7e4e1eb5a139
Babadeda
c7784f0373b36e09b80ac72e18068821af9c10634fda6a7a1e82213dcd9a9fee
Babadeda
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
Babadeda
ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
Babadeda
f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a
Babadeda
+ 128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion exploit
Link:
https://tria.ge/reports/220610-rneklacaal/
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Modifies file permissions
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Possible privilege escalation attempt
Malware Config
Dropper Extraction:
https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
https://filebin.net/b5aekxnrmokmhn8s/win.js
Unpacked files
SH256 hash:
a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6
MD5 hash:
935efee52d7c9761b93bf19470a233b2
SHA1 hash:
49310de06329d5b0d275d445f3e1d27e8ba5a868
Link:
https://www.unpac.me/results/505f50ec-918a-43d0-9f70-6fe6b33417f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/278698/

Comments