MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Babuk


Vendor detections: 8



SHA256 hash: 30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8
SHA3-384 hash: 1c5582e939bb5d13f73a0d486e3ba5b17dea27ca7cd4ceced6357c63c0e236ac0211d6be70ca8f759779ca67832a60bc
SHA1 hash: ca205a28b8dbd74c60fdeaf522804d5a2a45dd0b
MD5 hash: dd7f88a68a76acc0be9eb0515d54a82a
humanhash: arkansas-shade-texas-hamper
File name: 30FCFF7ADD11EA6685A233C8CE1FC30ABE67044630524A6EB363573A4A9F88B8
Signature: Babuk
File size: 31'744 bytes
First seen: 2021-01-08 06:42:16 UTC
Last seen: 2022-04-20 09:54:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a07d82bc384cbae972c1524ff6fb5cc1 (3 x Babuk)
ssdeep: 768:73QN4DGrqBLP977YowZe478mR26fgjVyBm8Je7tFv/7iJFzMWe:7gdoT93DaRXf5B+tFcJe
Threatray: 1 similar samples on MalwareBazaar
TLSH: BEE219116F455276F3D2C135227BA2B7D83438208376C2D7238019E9FA696A8BE3DF57
Reporter: JAMESWT_WT
Tags: Babuk Locker Ransomware

Intelligence


File Origin
# of uploads: 6
# of downloads: 773
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 30FCFF7ADD11EA6685A233C8CE1FC30ABE67044630524A6EB363573A4A9F88B8
Verdict: Malicious activity
Analysis date: 2021-01-08 06:35:01 UTC
Tags: ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Changing a file
Creating a file
Launching a service
Launching a process
Sending a UDP request
Changing an executable file
Moving a file to the %temp% subdirectory
Creating a file in the %temp% subdirectories
Deleting volume shadow copies
Forced shutdown of a system process
Forced shutdown of a browser
Encrypting user's files
Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signature
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Yara detected Babuk Ransomware
Behaviour
Behavior Graph (ID 337260, sample 5sBe4Oeh8C, start date 08/01/2021, architecture WINDOWS, score 80; the graph image is not included, the following is what the graph text recorded):
Signatures attached to the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Babuk Ransomware; 4 other signatures.
Processes started from the sample: 5sBe4Oeh8C.exe, SearchUI.exe (two instances), and 2 other processes.
5sBe4Oeh8C.exe started cmd.exe, which in turn started conhost.exe and vssadmin.exe.
Signatures attached to cmd.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware).
Threat name: Win32.Ransomware.BabukLocker
Status: Malicious
First seen: 2021-01-05 03:09:00 UTC
File Type: PE (Exe)
AV detection: 27 of 46 (58.70%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: ransomware
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Enumerates connected drives
Drops startup file
Modifies extensions of user files
Deletes shadow copies
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Destructive_Ransomware_Gen1
Author: Florian Roth
Description: Detects destructive malware
Reference: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: Detects command variations typically used by ransomware

Rule name: INDICATOR_SUSPICOUS_EXE_References_VEEAM
Description: Detects executables containing many references to VEEAM. Observed in ransomware
