MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babadeda

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32
SHA3-384 hash:	ce9c633905f2bf87ccd940c92b1d0bb021a0a3bbf8c879df29685bc8ffb58c55f9f9e2181ab60ff36e055108949360ce
SHA1 hash:	8121c56a394c5adb8e2560d2ed39aaf3db44c7e8
MD5 hash:	612d340583cb9e11a707496c1f29dcfe
humanhash:	skylark-hydrogen-romeo-lake
File name:	avdisable.exe.vir
Download:	download sample
Signature	Babadeda Create hunting rule
File size:	90'624 bytes
First seen:	2022-06-18 08:53:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep	1536://7ftfkS5g9YOms+gZcQipICdXkNDqLLZX9lItVGL++eIOlnToIfAwC:/zFfHgTWmCRkGbKGLeNTBfA3
Threatray	2'025 similar samples on MalwareBazaar
TLSH	T1A8937D45F2E242F7E6F2053201A6716FE735A6388724E8DBC74C2D429943AD1A73D3E9
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	KdssSupport
Tags:	Babadeda exe

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

avdisable.exe

Verdict:

Suspicious activity

Analysis date:

2022-06-18 08:49:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c172809f-001c-4f07-a8e7-d161a4b8813b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/281121/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Launching a process

Forced system process termination

Blocking the Windows Defender launch

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21815/overview

Behaviour

MalwareBazaar

CPUID_Instruction

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed shell32.dll

Link:

https://www.filescan.io/uploads/62ad92be7046ab63f87ac7c6/reports/3bd91e4c-096f-4623-a476-585d1c98402d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0c6e6130-7bf5-4d21-b37c-e6c4e2d85343

Result

Threat name:

Babadeda

Detection:

malicious

Classification:

troj

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1015591

Signature

Machine Learning detection for sample

Yara detected Babadeda

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-06-18 08:54:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

9 of 26 (34.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cvzqt4hhbfsn6o4e6qaofnxwrgf4nzdsgp7zmpplg6usapdfjmza._file

Verdict:

unknown

Babadeda

1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e

Babadeda

3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4

Babadeda

80af29bf7cb3a8b904a8d11d34c13bd5a2dcf5b4798138c16c093b2b8a5a9105

Babadeda

993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d

Babadeda

b3c03dc87f759a1b0336cb34993bed8d35f9b4e5b28295ff57ebb968875d14e9

Babadeda

e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca

Babadeda

eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e

Babadeda

+ 2'015 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220618-ktv17sadd3/

Behaviour

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32

MD5 hash:

612d340583cb9e11a707496c1f29dcfe

SHA1 hash:

8121c56a394c5adb8e2560d2ed39aaf3db44c7e8

Link:

https://www.unpac.me/results/5c9bf54e-7fc5-46a7-b7c1-b10aeea2999a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/281121/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample