MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88f9515a15433092c34ef33860d1f4994fed90c52bbc219493f4cee2cb2ccbfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babuk


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88f9515a15433092c34ef33860d1f4994fed90c52bbc219493f4cee2cb2ccbfa
SHA3-384 hash: 9e926572300a6bb05fa1b972372b378446c30d57b606a2187d417d42d1dae7d8261936578565c8d09ad68e3fe3eddda0
SHA1 hash: 562ea6933da9fd7e99a56daca1685802f6e91b89
MD5 hash: 81418ff9c19478b43ebf747b531ad3d0
humanhash: missouri-nevada-stream-nitrogen
File name:81418FF9C19478B43EBF747B531AD3D0
Download: download sample
Signature Babuk
Create hunting rule
File size:82'432 bytes
First seen:2022-11-30 16:01:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 202fa14f574c71c2f95878e40a79322d (35 x Babuk)
ssdeep 1536:LM6dRu8Lo6sgsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Nc:XdRu19gsrQLOJgY8Zp8LHD4XWaNH71dm
Threatray 3'434 similar samples on MalwareBazaar
TLSH T14783B7105985D2B6D5D12231D167F1AAC13A29F00375A38B63C017AEFBD0A98E67FF27
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Merlin_Azel
Tags:Babuk exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
81418FF9C19478B43EBF747B531AD3D0
Verdict:
Malicious activity
Analysis date:
2022-11-30 19:45:48 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/aca23760-77d4-4192-b82f-30f16f4ddaaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Babuk
Create hunting rule
Link:
https://www.capesandbox.com/analysis/340605/
Detection(s):
Win.Ransomware.Packer-7473772-1
Create hunting rule

Win.Ransomware.Babuk-9819006-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Changing a file
Searching for synchronization primitives
Launching a service
Deleting volume shadow copies
Creating a file in the mass storage device
Encrypting user's files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug anti-vm cdb.exe cmd.exe evasive hacktool ransomware shell32.dll ttdinject.exe tttracer.exe
Link:
https://www.filescan.io/uploads/63877e7fccc04a029db35017/reports/3c22a3b1-9728-4149-8fba-b078abe4bfc2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1124157
Signature
Antivirus / Scanner detection for submitted sample
Deletes shadow drive data (may be related to ransomware)
Malicious sample detected (through community Yara rule)
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756882 Sample: a3aRCAT3TI.exe Startdate: 30/11/2022 Architecture: WINDOWS Score: 76 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 2 other signatures 2->40 7 a3aRCAT3TI.exe 297 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        12 wevtutil.exe 1 7->12         started        14 wevtutil.exe 1 7->14         started        16 6 other processes 7->16 signatures5 42 May disable shadow drive data (uses vssadmin) 9->42 44 Deletes shadow drive data (may be related to ransomware) 9->44 18 conhost.exe 9->18         started        20 vssadmin.exe 1 9->20         started        22 conhost.exe 12->22         started        24 conhost.exe 14->24         started        26 conhost.exe 16->26         started        28 conhost.exe 16->28         started        30 conhost.exe 16->30         started        32 3 other processes 16->32 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88f9515a15433092c34ef33860d1f4994fed90c52bbc219493f4cee2cb2ccbfa/
Threat name:
Win32.Ransomware.Babuk
Create hunting rule
Status:
Malicious
First seen:
2022-05-22 15:47:26 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd4vcwqvimyjfq2o6m4gbuputfh63egffo6cdfet6thofszmzp5a._file
Verdict:
malicious
Similar samples:
1d5f8c4e2cb635bb5cfb001dfd0db882b9eeea700f04a6b9cb1a934667b85368
Babuk
51c86805e6350412f78a21f197aa00b4c9d4484118dd0261bd03e8539109f569
Babuk
82c79a1f9ccf5f5dd3d147b562b75ba641d6cbed3e6fbb2e757cf852a1280a64
Babuk
9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0
Babuk
ab8eee432fa636360b3c6724fe6851e9cf8eeae1ee9da6fc576bee1cd5d7fad2
Babuk
e08f17b42e47bf973bf866f167a49b931b99fe1b50bc820078ac2644bd8c209c
Babuk
+ 3'424 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion ransomware
Link:
https://tria.ge/reports/221130-tgvdksgh51/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates connected drives
Checks computer location settings
Modifies extensions of user files
Clears Windows event logs
Deletes shadow copies
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/26ba6a75-6734-472b-a34f-43afa465b621
Unpacked files
SH256 hash:
88f9515a15433092c34ef33860d1f4994fed90c52bbc219493f4cee2cb2ccbfa
MD5 hash:
81418ff9c19478b43ebf747b531ad3d0
SHA1 hash:
562ea6933da9fd7e99a56daca1685802f6e91b89
Detections:
win_astralocker_auto
Create hunting rule
Link:
https://www.unpac.me/results/fe19e48f-5eaa-4552-af1d-a1742db8681d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88f9515a1543/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/88f9515a15433092c34ef33860d1f4994fed90c52bbc219493f4cee2cb2ccbfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Babuk
Create hunting rule
Author:@_FirehaK <yara@firehak.com>
Description:Babuk / Babyk ransomware
Reference:http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/
Rule name:Destructive_Ransomware_Gen1
Create hunting rule
Author:Florian Roth
Description:Detects destructive malware
Reference:http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Rule name:Destructive_Ransomware_Gen1_RID31CB
Create hunting rule
Author:Florian Roth
Description:Detects destructive malware
Reference:http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Rule name:INDICATOR_SUSPICIOUS_ClearWinLogs
Create hunting rule
Author:ditekSHen
Description:Detects executables containing commands for clearing Windows Event Logs
Rule name:INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
Author:ditekSHen
Description:detects command variations typically used by ransomware
Rule name:INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many IR and analysis tools
Rule name:MALWARE_Win_Babuk
Create hunting rule
Author:ditekSHen
Description:Detects Babuk ransomware
Rule name:win_astralocker_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.astralocker.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/340605/

Comments