MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BadRabbit


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA3-384 hash: af433e4633ca0569362eac3ee889b5348b29852f12064a945a5b4d106b1419d6502c8d9276ac97a0073ff927cbd61757
SHA1 hash: de5c8d858e6e41da715dca1c019df0bfb92d32c0
MD5 hash: fbbdc39af1139aebba4da004475e8839
humanhash: vermont-blue-eight-pluto
File name:Trojan-Ransom.Win32.BadRabbit.e-630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da.bin
Download: download sample
Signature BadRabbit
File size:441'899 bytes
First seen:2022-04-19 16:18:28 UTC
Last seen:2024-07-24 22:50:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e3bda9df66f1f9b2b9b7b068518f2af1 (1 x BadRabbit)
ssdeep 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Threatray 2 similar samples on MalwareBazaar
TLSH T1199412426729EE92D1E1B8F84093E7CC4BB97B090FB991EF9D993485CC79B8319380D5
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10523/12/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8c49aa9acd6ea86 (3 x CobaltStrike, 1 x Arechclient2, 1 x BadRabbit)
Reporter petikvx
Tags:badrabbit badrabbit-e exe Ransomware

Intelligence


File Origin
# of uploads :
4
# of downloads :
987
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Endermanch@BadRabbit.exe
Verdict:
Malicious activity
Analysis date:
2022-03-21 03:03:57 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows directory
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Running batch commands
Creating a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Changing a file
Network activity
DNS request
Sending a custom TCP request
Enabling autorun for a service
Enabling autorun by creating a file
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
badrabbit overlay packed ransomware shell32.dll
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Signature
Antivirus or Machine Learning detection for dropped file
Antivirus or Machine Learning detection for sample
Clears the journal log
Clears the windows event log
Connects to many ports of the same IP (likely port scanning)
Contains functionality to create processes via WMI
Contains functionality to enumerate network shares of other devices
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Detected TCP or UDP traffic on non-standard ports
Drops executables to the windows directory (C:\Windows) and starts them
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 164027 Sample: czW7VNjSme.exe Startdate: 16/08/2019 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus or Machine Learning detection for sample 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 6 other signatures 2->73 8 czW7VNjSme.exe 2 2->8         started        10 cmd.exe 1 2->10         started        process3 signatures4 13 rundll32.exe 1 3 8->13         started        18 conhost.exe 8->18         started        79 Drops executables to the windows directory (C:\Windows) and starts them 10->79 20 dispci.exe 17 10->20         started        22 conhost.exe 10->22         started        process5 dnsIp6 61 23.37.43.27, 139, 445, 49693 unknown United States 13->61 63 67.27.154.254, 139, 445, 49707 unknown United States 13->63 65 5 other IPs or domains 13->65 55 C:\Windows\dispci.exe, PE32 13->55 dropped 57 C:\Windows\6B9.tmp, PE32+ 13->57 dropped 59 C:\Windows\cscc.dat, PE32+ 13->59 dropped 81 System process connects to network (likely due to code injection or exploit) 13->81 83 Contains functionality to enumerate network shares of other devices 13->83 85 Clears the journal log 13->85 97 3 other signatures 13->97 24 cmd.exe 1 13->24         started        27 6B9.tmp 1 13->27         started        29 cmd.exe 1 13->29         started        35 3 other processes 13->35 87 Antivirus or Machine Learning detection for dropped file 20->87 89 Multi AV Scanner detection for dropped file 20->89 91 Contains functionality to infect the boot sector 20->91 93 Contains functionality to register a low level keyboard hook 20->93 31 cmd.exe 1 20->31         started        33 conhost.exe 20->33         started        file7 95 Detected TCP or UDP traffic on non-standard ports 63->95 signatures8 process9 signatures10 75 Clears the journal log 24->75 49 6 other processes 24->49 77 Antivirus or Machine Learning detection for dropped file 27->77 37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 schtasks.exe 1 29->41         started        51 2 other processes 31->51 43 conhost.exe 35->43         started        45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        53 3 other processes 35->53 process11
Threat name:
Win32.Ransomware.BadRabbit
Status:
Malicious
First seen:
2017-10-24 10:46:38 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
39 of 42 (92.86%)
Threat level:
  5/5
Result
Malware family:
mimikatz
Score:
  10/10
Tags:
family:badrabbit family:mimikatz ransomware
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Modifies extensions of user files
mimikatz is an open source tool to dump credentials on Windows
BadRabbit
Mimikatz
Unpacked files
SH256 hash:
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
MD5 hash:
fbbdc39af1139aebba4da004475e8839
SHA1 hash:
de5c8d858e6e41da715dca1c019df0bfb92d32c0
Detections:
win_eternal_petya_g0
Malware family:
BadRabbit
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BadRabbitInstaller
Rule name:BadRabbit_Gen
Author:Florian Roth
Description:Detects BadRabbit Ransomware
Reference:https://pastebin.com/Y7pJv3tK
Rule name:BadRabbit_Gen_RID2BE5
Author:Florian Roth
Description:Detects BadRabbit Ransomware
Reference:https://pastebin.com/Y7pJv3tK
Rule name:badrabbit_ransomware
Author:Marc Rivero | McAfee ATR Team
Description:Rule to detect Bad Rabbit Ransomware
Reference:https://securelist.com/bad-rabbit-ransomware/82851/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BadRabbit

Executable exe 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

(this sample)

  
Delivery method
Distributed via web download

Comments