MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85e499e0c1e7395fbcdefe961afac42b0a333e0004084f55707ab53ca97fc4dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Babadeda


Vendor detections: 10



SHA256 hash: 85e499e0c1e7395fbcdefe961afac42b0a333e0004084f55707ab53ca97fc4dc
SHA3-384 hash: f049a9fa6d1314188910e128f8c375c9e283adbea0e6e6a11b766d23f0df405b698f19db857a095ffff66e0efa851d52
SHA1 hash: 2fe8c41c2821a50415bda0abc6143f3e4b5e8698
MD5 hash: be6dccbf16219045637e8b340b1cad57
humanhash: hamper-angel-bakerloo-fourteen
File name: SetupLdr_v8.15.2.0.exe
Signature Babadeda
File size: 6'007'196 bytes
First seen: 2022-04-26 10:27:50 UTC
Last seen: 2022-04-26 11:56:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 98304:8SiVD4E6CB+mIQdjJa7RbyJnGU0Qq9jf4Umft7d07LniR3H4RbLOC88Vu9qN6VlH:pE6IP9JaRykvf4U2t50Pni34RbZVuNXH
Threatray 4 similar samples on MalwareBazaar
TLSH T1C456123FF268A13EC46B1B3145B39250883BBA25B81A8C1E47FC394DCF765611E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter JAMESWT_WT
Tags: Babadeda exe roseannmortali-com backspinnews-com

Intelligence


File Origin
# of uploads: 2
# of downloads: 264
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Windows11InstaIIationAssistant.scr
Verdict: Malicious activity
Analysis date: 2022-04-26 10:14:28 UTC
Tags: loader trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a process with a hidden window
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Moving a recently created file
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Launching a process
Adding an access-denied ACE
Running batch commands
Launching a tool to kill processes
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda Python Ransomware
Detection: malicious
Classification: rans.troj.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Yara detected Babadeda
Yara detected Python Ransomware
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 615615
Sample: SetupLdr_v8.15.2.0.exe
Start date: 26/04/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Found ransom note / readme; 6 other signatures
Process tree (dropped files and per-process signatures are listed under the process that produced them):
  SetupLdr_v8.15.2.0.exe
    dropped: C:\Users\user\...\SetupLdr_v8.15.2.0.tmp (PE32)
    signature: Obfuscated command line found
    SetupLdr_v8.15.2.0.tmp
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      SetupLdr_v8.15.2.0.exe
        dropped: C:\Users\user\...\SetupLdr_v8.15.2.0.tmp (PE32)
        signature: Obfuscated command line found
        SetupLdr_v8.15.2.0.tmp
          dropped: C:\Users\user\AppData\Local\...\is-86VPO.tmp (PE32+)
          dropped: C:\Users\...\postinstall_readme.txt (copy) (ASCII)
          dropped: C:\Users\user\AppData\...\is-6P00R.tmp (data)
          dropped: 32 other files (none is malicious)
          taskkill.exe
            conhost.exe
          by.exe
            conhost.exe
          icacls.exe
            conhost.exe
  wscript.exe
    cmd.exe
      conhost.exe
      reg.exe
Threat name: Win32.Packed.FakeInstaller
Status: Malicious
First seen: 2022-04-21 03:35:15 UTC
File Type: PE (Exe)
AV detection: 20 of 26 (76.92%)
Threat level: 1/5
Result
Malware family: n/a
Score: 10/10
Tags: bootkit discovery evasion persistence ransomware trojan
Behaviour
Interacts with shadow copies
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Modifies file permissions
Disables use of System Restore points
Drops file in Drivers directory
Executes dropped EXE
Deletes shadow copies
Modifies Windows Defender notification settings
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:SR_APT_DustSquad_PE_Nov19
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Babadeda
File: Executable exe, SHA256 85e499e0c1e7395fbcdefe961afac42b0a333e0004084f55707ab53ca97fc4dc (this sample)

Comments