MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64
SHA3-384 hash: c0cb123d8b51428143510e6dfc5d52279f4d17c62d611f2d48e96d7bcc18b3cf34e9c8a8c13213662065c2e14d48618d
SHA1 hash: 75a4690028051f5eb8df5195a5bec283066b8420
MD5 hash: edf02789603a77a4c7b42dd8091babe0
humanhash: earth-mango-solar-december
File name:CLOUDFLA.EXE
Download: download sample
Signature Babadeda
Create hunting rule
File size:32'356'443 bytes
First seen:2022-09-08 05:58:31 UTC
Last seen:2022-09-08 06:36:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fdea00646d77e95955396ef4ea72bea5 (2 x NetSupport, 1 x Babadeda, 1 x ArkeiStealer)
ssdeep 786432:SQRwdPcRhvUvAtRNW0sm2CGFSXOSmL5NDBsX9LsD73e486:1RwdPcRavyu0F2zFz5De9LW7e486
Threatray 1'106 similar samples on MalwareBazaar
TLSH T1A0672345EA8360F5EC5305B0C557F77F4F20EE019028CEAEEA487E4CEE73A56560A35A
TrID 34.8% (.EXE) InstallShield setup (43053/19/16)
25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
13.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon 71d4b6e8b2b6d471 (1 x Babadeda)
Reporter GovCERT_CH
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CLOUDFLA.EXE
Verdict:
Malicious activity
Analysis date:
2022-09-08 06:01:52 UTC
Tags:
installer
Link:
https://app.any.run/tasks/a1fb89c7-e78e-48da-9eff-6598d971191f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file in the Program Files subdirectories
Searching for synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37015/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/631984e855480bd187d5686b/reports/f9491a8b-d264-41bc-99e7-05d6c1149e4a/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1065465
Signature
Detected unpacking (creates a PE file in dynamic memory)
Drops executable to a common third party application directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 697991 Sample: Cloudflare_security_installer.exe Startdate: 06/09/2022 Architecture: WINDOWS Score: 84 51 Multi AV Scanner detection for submitted file 2->51 53 Detected unpacking (creates a PE file in dynamic memory) 2->53 55 Yara detected Babadeda 2->55 57 Sigma detected: Drops script at startup location 2->57 7 Cloudflare_security_installer.exe 1 114 2->7         started        11 client32.exe 2->11         started        process3 file4 27 C:\Users\user\AppData\...\thunderbird.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Roaming\...\pr, RIFF 7->29 dropped 31 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32 7->31 dropped 33 91 other files (none is malicious) 7->33 dropped 59 Drops executable to a common third party application directory 7->59 13 thunderbird.exe 21 7->13         started        signatures5 process6 file7 35 C:\Users\user\AppData\...35etSupport.url, data 13->35 dropped 37 C:\Users\user\AppData\...\uninstall.exe, PE32 13->37 dropped 39 C:\Users\user\AppData\...\remcmdstub.exe, PE32 13->39 dropped 41 8 other files (none is malicious) 13->41 dropped 16 client32.exe 17 13->16         started        20 uninstall.exe 8 13->20         started        process8 dnsIp9 43 5.61.44.162 LEASEWEB-DE-FRA-10DE United Kingdom 16->43 45 8.8.8.8 GOOGLEUS United States 16->45 47 2 other IPs or domains 16->47 49 Multi AV Scanner detection for dropped file 16->49 23 C:\Program Files (x86)\...behaviorgraphoogleUpdate.exe, PE32 20->23 dropped 25 C:\...behaviorgraphoogleCrashHandler.exe, PE32 20->25 dropped file10 signatures11
Gathering data
Threat name:
Win32.Infostealer.ChePro
Create hunting rule
Status:
Malicious
First seen:
2022-09-06 11:33:16 UTC
File Type:
PE (Exe)
Extracted files:
170
AV detection:
6 of 25 (24.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r453o4fnrsx4vpsoxkpwpotz6nj533smv4yfgltsjpplcvej35sa._file
Verdict:
unknown
Similar samples:
28fb68d0fc8e305257af9613cf9cfeeb65d12379a7672541f7b3add0a58562a8
Babadeda
3fd0837381babda7ef617b810457f0db32bd7c1f7e345480e6c525050ca818fa
Babadeda
638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60
Babadeda
b9c3dd797d2a590da62c4824d658ad8decf1ed1ffa77bfaa47f3f12966757a0d
Babadeda
c0a2b7fadd4a95724bde0514baca54dd68fb6aa14237df8bd65b7243e1f68b41
Babadeda
d2f9dc8e7278a2ec0aa634536ac8d23db209aba8ca0e109ce80469c27517ab33
Babadeda
df5b822cfb367fb862dce788d16009b0299461c8543c5098009fb85dd2150170
Babadeda
f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
Babadeda
+ 1'096 additional samples on MalwareBazaar
Result
Malware family:
babadeda
Create hunting rule
Score:
  10/10
Tags:
family:babadeda crypter evasion loader trojan
Link:
https://tria.ge/reports/220908-gpqzxadgg5/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks whether UAC is enabled
Loads dropped DLL
Executes dropped EXE
Babadeda
Babadeda Crypter
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f3bb770ad8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Babadeda

Executable exe 8f3bb770ad8cafcabe4eba9f67ba79f353ddee4caf30532e724bdeb15489df64

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments