MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babuk


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb
SHA3-384 hash: 56bb9be63e3586339ae6e83b8666a086b39ab82cdd4459b06bb754768b0de2fe18e11f5b0077425d3e3b527b86d901fd
SHA1 hash: 5d316698dfe20b8fcdc881dbf68632b13af11d0f
MD5 hash: 16c7212928b23a170cebb12935a933fa
humanhash: pip-stairway-avocado-washington
File name:18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb
Download: download sample
Signature Babuk
Create hunting rule
File size:80'896 bytes
First seen:2021-04-13 18:30:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 202fa14f574c71c2f95878e40a79322d (35 x Babuk)
ssdeep 1536:jpfS6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:jpfMhZ5YesrQLOJgY8Zp8LHD4XWaNH7Q
Threatray 9 similar samples on MalwareBazaar
TLSH F483E8115D45D2B6C5D1723151A7F1AAC13A197003B5A38B63C027AEFB10AE8F6BCF67
Reporter FirehaK
Tags:Babuk babyk Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
495
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb
Verdict:
Malicious activity
Analysis date:
2021-04-13 19:01:18 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/0924fec3-e775-4aa0-8266-b1c6bdc11554

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Babuk
Create hunting rule
Link:
https://www.capesandbox.com/analysis/133993/
Detection(s):
Win.Ransomware.Maze-7473772-0
Create hunting rule

Win.Ransomware.Babuk-9819006-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file
DNS request
Changing a file
Sending a UDP request
Launching a service
Launching a process
Creating a file in the mass storage device
Deleting volume shadow copies
Forced shutdown of a browser
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Babuk ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3fad24dd-c5db-4bdf-bee5-005a3299001d
Result
Threat name:
Babuk
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/674605
Signature
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb/
Threat name:
Win32.Ransomware.BabukCrypt
Create hunting rule
Status:
Malicious
First seen:
2021-04-13 00:50:24 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddrjtvbtdth7qbjhlmq7go7auo6t2hm444vhtoty2lzs3vsxx65q._file
Verdict:
malicious
Similar samples:
1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402
Babuk
2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf
Babuk
391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e
Babuk
499e43933c5ee3bb730417e07d74c93a5f7d7dee05db31714e09dffeb7e3c285
Babuk
81e7942a1f32fb18e37cf622c5a24b7c54c4792549363fddf9a3a9095a07f23e
Babuk
9a089790e04683ebf37d9746e0284322f59c46eef2a86cc231839482f323e871
Babuk
ab4eae618bb05b4fb4a8d3790a0d18a3e1566ab477519991cb161398803a8847
Babuk
cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799
Babuk
f1719415abe4dcba0daef0a1e5c8994d1d3c0c659d3e0a11b34f307370dd8683
Babuk
Result
Malware family:
babuk
Create hunting rule
Score:
  10/10
Tags:
family:babuk ransomware
Link:
https://tria.ge/reports/210413-p5y8k9fbvs/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Modifies extensions of user files
Deletes shadow copies
Babuk Locker
Unpacked files
SH256 hash:
18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb
MD5 hash:
16c7212928b23a170cebb12935a933fa
SHA1 hash:
5d316698dfe20b8fcdc881dbf68632b13af11d0f
Link:
https://www.unpac.me/results/ac209041-f62c-4980-b4d7-50cec0e28c19/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Filecoder
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Babuk
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Babuk / Babyk ransomware
Reference:http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/
Rule name:Destructive_Ransomware_Gen1
Create hunting rule
Author:Florian Roth
Description:Detects destructive malware
Reference:http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICOUS_EXE_References_VEEAM
Create hunting rule
Description:Detects executables containing many references to VEEAM. Observed in ransomware
Rule name:MALWARE_Win_Babuk
Create hunting rule
Author:ditekSHen
Description:Detects Babuk ransomware
Rule name:Ransom_Babuk
Create hunting rule
Author:TS @ McAfee ATR
Description:Rule to detect Babuk Locker

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/133993/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 07:55:46 UTC

================================================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
================================================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0012.001] Anti-Static Analysis::Argument Obfuscation
2) [C0027.006] Cryptography Micro-objective::HC-128::Encrypt Data
3) [C0021.003] Cryptography Micro-objective::Use API::Generate Pseudo-random Sequence
5) [C0051] File System Micro-objective::Read File
6) [C0050] File System Micro-objective::Set File Attributes
7) [C0052] File System Micro-objective::Writes File
8) [F0014.001] Impact::Delete Shadow Drive
9) [C0043] Process Micro-objective::Check Mutex
10) [C0042] Process Micro-objective::Create Mutex
11) [C0017] Process Micro-objective::Create Process
12) [C0038] Process Micro-objective::Create Thread
13) [C0018] Process Micro-objective::Terminate Process