MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
SHA3-384 hash: d5531fcc692cb334662107dc3d3ec4e39fd4fe341c8c69412072cdecdcbac76c87c42999c4fa6aa35eda12cbe1ed8a18
SHA1 hash: b1e29be1a7d502a8fefeecab981829b2c6ff4818
MD5 hash: 51ecec287af1910aba3e7f4d724890cc
humanhash: idaho-maine-oregon-floor
File name:5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
Download: download sample
Signature Babadeda
Create hunting rule
File size:591'872 bytes
First seen:2022-02-15 08:56:52 UTC
Last seen:2022-02-15 10:43:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 12288:Hcv0NTl83xZAI2hO1OAglNFHznrTDxDMT7Vas3yH:HcvkTlqxZGO1sDFH3xDMnAs3yH
Threatray 5'146 similar samples on MalwareBazaar
TLSH T1BAC41345B6FB01FBFAF34A35009A642A9726B630975AD8D7C70C3C42A543DE2993C3E5
Reporter struppigel
Tags:Babadeda batch2exe dropper evilnominatuscrypto exe Ransomware


Avatar
struppigel
EvilNominatusCrypto screenlocker/filecrypter hybrid
➡️Batch to exe dropper
➡️decryptable
➡️Bkhtyaryrwzbh@gmail.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
797
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241556/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.3123.28463.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Creating a window
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/620b6ae1a2660f3bb9d8cda4/reports/ab5cf9e2-3af1-42b0-a076-53fd5e2117e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba6a6152-6663-4cc1-a2eb-28517ddd4b3e
Result
Threat name:
Python Ransomware Voidcrypt
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/939962
Signature
Deletes shadow drive data (may be related to ransomware)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Sigma detected: Suspicious Certutil Command
Yara detected Python Ransomware
Yara detected Voidcrypt Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572440 Sample: tT3x6bhwV3 Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 8 other signatures 2->67 9 tT3x6bhwV3.exe 8 2->9         started        process3 file4 49 C:\Users\user\AppData\Local\Temp\...\95E.bat, ASCII 9->49 dropped 69 Detected unpacking (overwrites its own PE header) 9->69 13 cmd.exe 4 9->13         started        signatures5 process6 file7 51 C:\Users\user\XoX, ASCII 13->51 dropped 16 AntivirusScan.exe 7 13->16         started        19 certutil.exe 3 2 13->19         started        22 certutil.exe 2 13->22         started        24 conhost.exe 13->24         started        process8 file9 53 Multi AV Scanner detection for dropped file 16->53 55 Obfuscated command line found 16->55 57 Deletes shadow drive data (may be related to ransomware) 16->57 26 cmd.exe 1 16->26         started        29 cmd.exe 2 16->29         started        31 cmd.exe 1 16->31         started        33 cmd.exe 1 16->33         started        45 C:\Users\user\AntivirusScan.exe, PE32 19->45 dropped 59 Drops PE files to the user root directory 19->59 47 C:\Users\user47od32Installer.exe, PE32 22->47 dropped signatures10 process11 signatures12 71 Deletes shadow drive data (may be related to ransomware) 26->71 35 conhost.exe 26->35         started        37 vssadmin.exe 1 26->37         started        39 conhost.exe 29->39         started        41 conhost.exe 31->41         started        43 conhost.exe 33->43         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f/
Threat name:
Win32.Ransomware.EvilNominatus
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 05:25:03 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
1f79ce7d7716512af2a93caf014f302846d5f41ff9850af71120c7fed2bf5845
Babadeda
385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb
Babadeda
605412b4ceaf25fc66306e96a347662161925ba372383ad39a28703d4ef65caa
Babadeda
6b664d6b89eabbac55c8927fa29d2669ba629a40f1abbf12d76f8d9b14e4facb
Babadeda
800f0b3cb78a8f0934c09d710a8e42286275cbaa10dbdb1841669f6280f0ab51
Babadeda
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
Babadeda
a87c3901341ded9488bfa9f84856a3518fbbaec4d69a72e13c0d5e481b7e373c
Babadeda
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
Babadeda
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
Babadeda
f68cf2d7540359cd27bae6aaa15274efd2444f148e1632a9d4bf90facfe5c927
Babadeda
+ 5'136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion macro persistence ransomware
Link:
https://tria.ge/reports/220215-kwk9sadae3/
Behaviour
Checks processor information in registry
Gathers network information
Interacts with shadow copies
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Checks computer location settings
Disables RegEdit via registry modification
Executes dropped EXE
Suspicious Office macro
Deletes shadow copies
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
69811a6c9376b219b335a055cfa970d38cd768abeca7138a2c1905560d468fef
MD5 hash:
7cdf50ee4f3d0febc70dd36298ed07da
SHA1 hash:
0170c2deae4486a43894c202ea92d43556218e1c
Link:
https://www.unpac.me/results/0097e1e6-2bf8-491b-b593-ed804920c497/
SH256 hash:
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
MD5 hash:
51ecec287af1910aba3e7f4d724890cc
SHA1 hash:
b1e29be1a7d502a8fefeecab981829b2c6ff4818
Link:
https://www.unpac.me/results/0097e1e6-2bf8-491b-b593-ed804920c497/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/241556/

Comments