MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea
SHA3-384 hash:	64b72e89eff8899e915f8c4fe24216358c7eb16b6615fd5b616c3826534222f883bac35c9c36f6281ad656a2c8ff0f67
SHA1 hash:	455d58f5fae03e55361d5391d87c4ea6b531a620
MD5 hash:	991506cfaaac1258761fab21effb4617
humanhash:	kitten-angel-carbon-coffee
File name:	869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea
Download:	download sample
Signature	Babadeda Alert Create hunting rule
File size:	328'192 bytes
First seen:	2023-04-06 12:32:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep	3072:Dq6+ouCpk2mpcWJ0r+QNTBf6B3YDXyhhYeagE93CYliUfSqqYHXJFBWLMoeZ:Dldk1cWQRNTBSJYDX0XNUfjH5Fug
Threatray	197 similar samples on MalwareBazaar
TLSH	T15364A43C6B5C45A9F8650A303666A189EE133B5543034487A3383DB2C47539F7FBBE9A
TrID	36.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.4% (.EXE) Win64 Executable (generic) (10523/12/4) 7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	806ee2b2f2b2b004 (1 x Babadeda)
Reporter	adrian__luca
Tags:	Babadeda exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

270

Origin country :

HU

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea

Verdict:

Malicious activity

Analysis date:

2023-04-06 12:31:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e5068d53-eb44-4d02-9bfd-b13d68f19d0f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/380647/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Suspicious

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a file in the %AppData% directory

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Creating a file

Launching a process

Creating a window

Sending a custom TCP request

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76818/overview

Behaviour

MalwareBazaar

CPUID_Instruction

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

lazagne packed shell32.dll tiny

Link:

https://www.filescan.io/uploads/642ebbfe2254dc891204720e/reports/c675a749-279b-4258-ac0e-7a36b9620b9e/overview

Hybrid Analysis Win/malicious_confidence_70%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/12d0f36a-15f7-427c-98a2-830319672d66

Joe Sandbox Babadeda

Result

Threat name:

Babadeda

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1209668

Signature

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Babadeda

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea/

ReversingLabs TitaniumCloud Win32.Trojan.Casdet

Threat name:

Win32.Trojan.Casdet

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-03-28 19:15:54 UTC

File Type:

PE (Exe)

Extracted files:

19

AV detection:

17 of 24 (70.83%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q2ot2kowyj6bjp44lxznmvhm44mqa2ipiyagiqszwtxd7oqajpva._file

Threatray malicious

Verdict:

malicious

Similar samples:

5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b

Babadeda

9bc57cb47132054e4fc642fdde80688017ef460270e75888c12bd8d7845e4bc4

Babadeda

a0bb62f64b56c9ba7cf6672ffc30141b83763fb7fece4c55284d1fab65529ac6

Babadeda

b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945

Babadeda

bf15eff9faac6d7177d0e9a3a9d1fa0c4ea305df2fadf469ffa1120bdac56b5e

Babadeda

cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf

Babadeda

e9a4fb6d396c3493298b340d73f29e0e210c4c1bd5ebe005026edb456b799dae

Babadeda

ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9

Babadeda

f9441e319741dcc962b25e716a1dc0ba787592565e68785aea091126fef6474a

Babadeda

f96ebf738e60dd227c72ec3d6d217c3b4ff9cfe9ef7bfc8d28cfd6b29b746983

Babadeda

+ 187 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

n/a

Link:

https://tria.ge/reports/230406-pq62hseh5x/

Behaviour

Delays execution with timeout.exe

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UnpacMe

Unpacked files

SH256 hash:

869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea

MD5 hash:

991506cfaaac1258761fab21effb4617

SHA1 hash:

455d58f5fae03e55361d5391d87c4ea6b531a620

Link:

https://www.unpac.me/results/10a92840-a500-4c05-8492-dcaf83c54f8e/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/869d3d29d6c27c14bf9c5df2d654ece71900690f4600644259b4ee3fba004bea

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380647/