MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66
SHA3-384 hash: 1c01b6f18ddf04ba05ccaeae5528f08462641a1b1dcda662fae9990b8923b25a11e9caa7bb625a0b224b5b13ff95019f
SHA1 hash: c9f5cb5aeb67fa49071df1feab9e66c8e40bae75
MD5 hash: 6cdbca5c6ce1901d7a712f0b09b4d94e
humanhash: single-eleven-mexico-edward
File name:mac.exe2
Download: download sample
Signature Babadeda
Create hunting rule
File size:93'184 bytes
First seen:2022-07-16 11:36:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 1536:f7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfDw2AfeO2:T7DhdC6kzWypvaQ0FxyNTBfD3ck
Threatray 2'171 similar samples on MalwareBazaar
TLSH T16F937D41F3E202F7E6F2093100A6726F973663389764A8DBC74C2D529953AD1A63D3F9
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter KdssSupport
Tags:Babadeda exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NCODE-SPOOFER.exe
Verdict:
Malicious activity
Analysis date:
2022-07-15 20:44:31 UTC
Tags:
loader
Link:
https://app.any.run/tasks/dcbcac5e-dc26-45e9-9bb9-853e193a18d5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291197/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34587420.17402.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a file
Launching the process to change network settings
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a service
Sending a UDP request
Forced system process termination
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26345/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/249d3b5d-81ac-43be-8dea-3b3544ae0880
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1033686
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 666180 Sample: mac.exe2 Startdate: 16/07/2022 Architecture: WINDOWS Score: 72 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected Babadeda 2->39 41 Machine Learning detection for sample 2->41 8 mac.exe 8 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        13 conhost.exe 8->13         started        signatures5 45 Uses cmd line tools excessively to alter registry or file data 10->45 47 Uses netsh to modify the Windows network and firewall settings 10->47 15 cmd.exe 1 10->15         started        17 netsh.exe 3 10->17         started        20 cmd.exe 1 10->20         started        22 10 other processes 10->22 process6 signatures7 24 WMIC.exe 1 15->24         started        27 findstr.exe 1 15->27         started        35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->35 29 WMIC.exe 1 20->29         started        31 findstr.exe 1 20->31         started        33 WMIC.exe 1 22->33         started        process8 signatures9 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66/
Threat name:
Win32.PUA.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-07-15 21:45:53 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
20 of 41 (48.78%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tyrxivc72av76xjfcnghdfal6qrroou3wyi7kt25wzzjzbah3jta._file
Verdict:
unknown
Similar samples:
0ea218366bfa6605657baaa410baa697c1c861cd256159aeb91746a4117fabf6
Babadeda
157309f0e70964df3b84f400e2b6f6898bc6e47233ff963deb37a9203c654b32
Babadeda
1d1c688d117950a23ae8c39cbe2bfee953030f33a59afe869989b2e9470c464e
Babadeda
4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2
Babadeda
80af29bf7cb3a8b904a8d11d34c13bd5a2dcf5b4798138c16c093b2b8a5a9105
Babadeda
993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d
Babadeda
b3c03dc87f759a1b0336cb34993bed8d35f9b4e5b28295ff57ebb968875d14e9
Babadeda
eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e
Babadeda
+ 2'161 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220716-nq6kbaccgm/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66
MD5 hash:
6cdbca5c6ce1901d7a712f0b09b4d94e
SHA1 hash:
c9f5cb5aeb67fa49071df1feab9e66c8e40bae75
Link:
https://www.unpac.me/results/987ad6d6-ca6b-47ba-9da6-5424a058ccd8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Babadeda

Executable exe 9e2374545fd02bff5d25134c71940bf423173a9bb611f54f5db6729c8407da66

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/291197/

Comments