MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c
SHA3-384 hash: 532779d09ac50d07cb3bb4f8bdbb6c21be059e0815e88f1fbbb457036f4e108c9db51c052500119388cad726a7282b12
SHA1 hash: f15189ca8223fbc728adbe9ff8c66ccec435a3d9
MD5 hash: 155f40398681245e1dfdab63d846127a
humanhash: monkey-eighteen-violet-stairway
File name:155f40398681245e1dfdab63d846127a.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:379'800 bytes
First seen:2022-03-03 09:00:41 UTC
Last seen:2022-03-20 05:04:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 6144:ezBkLL2NTB2H0TsrOTV7TX5vzp19b4mSlJWbmm1ltW70yY3SzNyxerVvdjKsQ5bl:eKyNTQK7TpvV19b470mstW7ZYMTvdTWl
Threatray 107 similar samples on MalwareBazaar
TLSH T14C840191E3F581F3EAE2093202F5E12BA939635A5710DCC7E34D78415E81BD5AB742F8
Reporter abuse_ch
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246807/
Detection(s):
SecuriteInfo.com.BAT.KillWin.dropper.1184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8011/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5bc9355-20f2-4f72-bd24-6756cdf80159
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/949832
Signature
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 582341 Sample: U3fwbhgsGr.exe Startdate: 03/03/2022 Architecture: WINDOWS Score: 76 27 store-images.s-microsoft.com 2->27 31 Multi AV Scanner detection for submitted file 2->31 33 Machine Learning detection for sample 2->33 35 Yara detected BatToExe compiled binary 2->35 8 U3fwbhgsGr.exe 9 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 8->25 dropped 37 Detected unpacking (overwrites its own PE header) 8->37 12 cmd.exe 1 3 8->12         started        signatures6 process7 signatures8 39 Uses BatToExe to download additional code 12->39 15 extd.exe 1 12->15         started        18 extd.exe 2 12->18         started        21 extd.exe 2 12->21         started        23 2 other processes 12->23 process9 dnsIp10 41 Multi AV Scanner detection for dropped file 15->41 29 transfer.sh 144.76.136.153, 443, 49759, 49760 HETZNER-ASDE Germany 21->29 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 11:01:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
28 of 42 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0728b1603407e57a7f30b16bb706dfaa69439b16181178fca3f3852a91bd208e
Babadeda
0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
Babadeda
3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
Babadeda
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
Babadeda
83b1180e8794a4d719586d4f5fe237b37167ef93c186d3c0976a70d39541c72f
Babadeda
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
Babadeda
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
Babadeda
f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
Babadeda
+ 97 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/220303-kywtasbggk/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SH256 hash:
de0bba1070f5948ec19237631047839405a5b19ec27c974d2119cdcdf27d1189
MD5 hash:
cc8d9d08532e98f79efffb65f86d5a3a
SHA1 hash:
fc30dbd7301b4143163e3ee81bcf95d3c53802ea
Link:
https://www.unpac.me/results/92fb87f1-e4d4-43e8-973a-d84e2b36c066/
SH256 hash:
39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c
MD5 hash:
155f40398681245e1dfdab63d846127a
SHA1 hash:
f15189ca8223fbc728adbe9ff8c66ccec435a3d9
Link:
https://www.unpac.me/results/92fb87f1-e4d4-43e8-973a-d84e2b36c066/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Babadeda

Executable exe 39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072596/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246807/

Comments