MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babuk

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments

SHA256 hash:	2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf
SHA3-384 hash:	0cf9693762d9c2e62967c34f3b86a9b6de5076a82a2e8918c3b658f0f847349f855dd8f905134f35bf10f39db555d776
SHA1 hash:	9d0c6528565303e5b10a964a2783c77f25b9695b
MD5 hash:	f6282c938e0662cf851feee0146d79a4
humanhash:	network-batman-vermont-double
File name:	2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe
Download:	download sample
Signature	Babuk Create hunting rule
File size:	80'896 bytes
First seen:	2021-03-30 21:56:10 UTC
Last seen:	2023-04-25 17:41:44 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	202fa14f574c71c2f95878e40a79322d (35 x Babuk)
ssdeep	1536:Iiyy6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:IiyshZ5YesrQLOJgY8Zp8LHD4XWaNH7Q
Threatray	7 similar samples on MalwareBazaar
TLSH	6C83E8115D45D2B6C5D1623191A7F1AAC13A197003B5B38B63C027AEFB10AE8F6BCF67
Reporter	FirehaK
Tags:	Babuk babyk Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

422

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf.exe

Verdict:

Malicious activity

Analysis date:

2021-03-30 22:03:56 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/7cee1351-94c2-4755-b640-bc9d80b7c4c5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Babuk

Link:

https://www.capesandbox.com/analysis/128778/

Detection(s):

Win.Ransomware.Maze-7473772-0

Win.Ransomware.Babuk-9819006-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Creating a process with a hidden window

Creating a file

Changing a file

Sending a UDP request

Launching a service

Launching a process

Creating a file in the mass storage device

Deleting volume shadow copies

Forced shutdown of a browser

Encrypting user's files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Babuk

Detection:

malicious

Classification:

rans.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/659187

Signature

Deletes shadow drive data (may be related to ransomware)

Found ransom note / readme

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May disable shadow drive data (uses vssadmin)

Multi AV Scanner detection for submitted file

Writes a notice file (html or txt) to demand a ransom

Yara detected Babuk Ransomware

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Ransomware.Babuk

Status:

Malicious

First seen:

2021-03-30 17:52:42 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ee4mri2kd37ubor7zanw4o3vmtdlnfnriduc6p6peozoyk7sshhq._file

Verdict:

malicious

Babuk

391cfcd153881743556f76de7bbca5b19857f8b69a6f6f6dfde6fd9b06c17f5e

Babuk

499e43933c5ee3bb730417e07d74c93a5f7d7dee05db31714e09dffeb7e3c285

Babuk

81e7942a1f32fb18e37cf622c5a24b7c54c4792549363fddf9a3a9095a07f23e

Babuk

9a089790e04683ebf37d9746e0284322f59c46eef2a86cc231839482f323e871

Babuk

ab4eae618bb05b4fb4a8d3790a0d18a3e1566ab477519991cb161398803a8847

Babuk

cbdc8fd073176c4e0328aff65147f37e5d46847de62508e7a3cf12f49a40b799

Babuk

Result

Malware family:

babuk

Score:

10/10

Tags:

family:babuk ransomware

Link:

https://tria.ge/reports/210330-ryryr7azks/

Behaviour

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Enumerates connected drives

Modifies extensions of user files

Deletes shadow copies

Babuk Locker

Unpacked files

SH256 hash:

2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf

MD5 hash:

f6282c938e0662cf851feee0146d79a4

SHA1 hash:

9d0c6528565303e5b10a964a2783c77f25b9695b

Link:

https://www.unpac.me/results/586cfcab-3e67-491e-8049-63e8f5b6a070/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2138c8a34a1e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Filecoder

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2138c8a34a1eff40ba3fc81b6e3b7564c6b695b140e82f3fcf23b2ec2bf291cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Babuk Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Babuk / Babyk ransomware
Reference:	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/

Rule name:	Destructive_Ransomware_Gen1 Create hunting rule
Author:	Florian Roth
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	Ransom_Babuk Create hunting rule
Author:	TS @ McAfee ATR
Description:	Rule to detect Babuk Locker

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/128778/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample