MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6de74d9e38c026c4f3c4181545a8e92ffd35e6a5caa10619e362e258ce26fc89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babadeda

Vendor detections: 14

SHA256 hash: 6de74d9e38c026c4f3c4181545a8e92ffd35e6a5caa10619e362e258ce26fc89
SHA3-384 hash: 2bdfad85ecd6fffdfac7f9090a7a1c9620caab99b6beadf73c3ac9d666a6d5acce5e402556e2defcf1a9e94b5d3bc1b5
SHA1 hash: a8cc5ef2f1571bc073f5ec141b8047b6572e65f8
MD5 hash: a5a28f826c387c49e2e7bd353948d3dd
humanhash: fifteen-bakerloo-zulu-oranges
File name: run.exe
Signature: Babadeda
File size: 2'761'728 bytes
First seen: 2026-03-03 16:03:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (61 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 49152:eS2Tv+4C9l6zd24gHlfBtu4O1MM25DofjNhxSprkA7ICZPWk8sbvVtOiYT+hF:30C9loiFfBs85Dohh4p+C9NhbvVtO5yL
TLSH: T16AD533797DCA83B7F5BA083300E06559BB613400EB61AFBBD728BA1292817C5D17D3D9
TrID:
  38.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  8.0% (.EXE) Win64 Executable (generic) (6522/11/2)
  6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: abuse_ch
Tags: Babadeda exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 108
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: BatToExeConverter
Details:
  BatchScript: varying reportable information from embedded commands and any observed URLs
  BatToExeConverter: an RC4 decrypted batch script or command line
Malware family:
n/a
ID:
1
File name:
run.exe
Verdict:
Malicious activity
Analysis date:
2026-03-03 16:07:00 UTC
Tags:
uac golang

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
shell virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Creating synchronization primitives
Connection attempt
Sending an HTTP GET request
DNS request
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bat_to_exe_converter packed packed purebasic
Result
Threat name:
Babadeda, Gocoder
Detection:
malicious
Classification:
rans.phis.troj.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Disables the Smart Screen filter
Disables UAC (registry)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Custom File Open Handler Executes PowerShell
Sigma detected: Fodhelper UAC Bypass
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
UAC bypass detected (Fodhelper)
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Yara detected Babadeda
Yara detected Gocoder ransomware
Behaviour
Behavior Graph (ID 1877682): sample run.exe, start date 03/03/2026, architecture Windows, score 100

Signatures on the sample node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Babadeda; 7 other signatures

Process tree recovered from the graph (node numbers in brackets):

run.exe [11]
  dropped: C:\Users\user\Desktop\steamwebhelper.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\9C2B.bat (ASCII)
  cmd.exe [16]
    dropped: C:\Users\user\AppData\Local\Temp\delme.bat (DOS)
    signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy; 2 other signatures
    steamwebhelper.exe [22]
      network: 45.83.207.111 (ports 3128, 49696), CLOUVIDER Clouvider-Global ASN GB, Netherlands
      signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Adds a directory exclusion to Windows Defender
      powershell.exe [33]
        fodhelper.exe [44]
          signatures: Adds a directory exclusion to Windows Defender
          cmd.exe [63]
            signatures: Suspicious powershell command line found; Adds a directory exclusion to Windows Defender
            powershell.exe [66]
              signatures: Loading BitLocker PowerShell Module
            conhost.exe [69]
        conhost.exe [47]
      powershell.exe [35]
        signatures: Loading BitLocker PowerShell Module
        conhost.exe [49]
      reg.exe [38]
        signatures: Disables UAC (registry)
        conhost.exe [51]
      5 other processes [42]
        signatures: UAC bypass detected (Fodhelper); Disables the Smart Screen filter
        conhost.exe [57]; conhost.exe [59]; 3 other processes [61]
    powershell.exe [26]
      dropped: C:\Users\user\Desktop\bin\warz.exe (PE32+); C:\Users\user\Desktop\bin\udprand.exe (PE32+); C:\Users\user\Desktop\bin\udpconns.exe (PE32+); 8 other malicious files
      signatures: Loading BitLocker PowerShell Module
    powershell.exe [29]
      network: 147.50.253.3 (ports 49689, 80), CSLOX-IDC-AS-AP CSLOXINFO Public Company Limited TH, Thailand
      signatures: Powershell drops PE file
    3 other processes [31]
      cmd.exe [40]
        conhost.exe [53]
        timeout.exe [55]
  conhost.exe [20]
steamwebhelper.exe [14] (started directly from the sample node)
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2026-03-03 16:05:15 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
unc_loader_048
Similar samples:
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution persistence trojan
Behaviour
Delays execution with timeout.exe
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
System Location Discovery: System Language Discovery
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
UAC bypass
Unpacked files
SHA256 hash:
6de74d9e38c026c4f3c4181545a8e92ffd35e6a5caa10619e362e258ce26fc89
MD5 hash:
a5a28f826c387c49e2e7bd353948d3dd
SHA1 hash:
a8cc5ef2f1571bc073f5ec141b8047b6572e65f8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: PureBasic4xNeilHodgson
Author: malware-lu

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SUSP_Imphash_Mar23_3
Author: Arnim Rupp (https://github.com/ruppde)
Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: Babadeda
File: Executable exe 6de74d9e38c026c4f3c4181545a8e92ffd35e6a5caa10619e362e258ce26fc89 (this sample)
Delivery method: Distributed via web download

Comments