MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babuk

Vendor detections: 8
SHA256 hash: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9
SHA3-384 hash: 19bf078de5477dd459512d423365215fb89ec11d12271fbbaa35e11f8ffb7f67de2544adc4aa3953c8b8ffbab3263a94
SHA1 hash: 320d799beef673a98481757b2ff7e3463ce67916
MD5 hash: e10713a4a5f635767dcd54d609bed977
humanhash: oklahoma-ohio-triple-maine
File name: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9.bin
Signature: Babuk
File size: 31'232 bytes
First seen: 2021-01-03 01:12:40 UTC
Last seen: 2021-01-19 20:44:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a07d82bc384cbae972c1524ff6fb5cc1 (3 x Babuk)
ssdeep: 768:S4DnL4DGrUVvP917yo6Xee7amb26ZghLybmGJ87tHvg7jzTzt:SILd639NdCbXZxbytH6
TLSH: CCE218116F555276F3E2813062BB92B7C83838218376C2D723C019E9FA756A8BD39F57
Reporter: Arkbird_SOLG
Tags: Babuk Ransomware

Intelligence

File Origin
# of uploads: 4
# of downloads: 751
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BABUK.exe
Verdict: Malicious activity
Analysis date: 2021-01-01 17:18:47 UTC
Tags: ransomware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Changing a file
Creating a file
Launching a service
Launching a process
Changing an executable file
Sending a UDP request
Moving a file to the %temp% subdirectory
Creating a file in the %temp% subdirectories
Moving a file to the %AppData% subdirectory
Setting browser functions hooks
Deleting volume shadow copies
Forced shutdown of a system process
Forced shutdown of a browser
Encrypting user's files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 72 / 100
Signature
Deletes shadow drive data (may be related to ransomware)
Found Tor onion address
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 335556; sample cDQJsQiPgR.bin; start date 03/01/2021; architecture WINDOWS; score 72):
Signatures on the sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; May disable shadow drive data (uses vssadmin); 3 other signatures.
Process chain: cDQJsQiPgR.exe started cmd.exe, which started conhost.exe and vssadmin.exe; two SearchUI.exe processes were also started. Signatures on cmd.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware).
Threat name: Win32.Trojan.DelShad
Status: Malicious
First seen: 2021-01-01 04:05:00 UTC
AV detection: 16 of 29 (55.17%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 10/10
Tags: ransomware
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Enumerates connected drives
Drops startup file
Modifies extensions of user files
Deletes shadow copies
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Destructive_Ransomware_Gen1
Author: Florian Roth
Description: Detects destructive malware
Reference: http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Rule name: INDICATOR_SUSPICIOUS_GENRansomware
Author: ditekSHen
Description: detects command variations typically used by ransomware
Rule name: INDICATOR_SUSPICOUS_EXE_References_VEEAM
Description: Detects executables containing many references to VEEAM. Observed in ransomware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other