MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babuk

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430
SHA3-384 hash:	13e747f7a047afeee400b38ce5a5a08ac8389a54494d7cc1992f802ef748bd5de5b4f05f490b5badbef67f22f413a6ff
SHA1 hash:	b040f2bdee3999aad415396f9f79e43b2aa9452b
MD5 hash:	be76ed428523b9aefe706aeaa72bb6b2
humanhash:	wolfram-kilo-lemon-moon
File name:	BABUK.exe
Download:	download sample
Signature	Babuk Create hunting rule
File size:	39'424 bytes
First seen:	2021-01-22 00:07:31 UTC
Last seen:	2021-02-25 22:54:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7f859628bfaa9e07b62f58214585994e (2 x Babuk)
ssdeep	768:xDkvIOcdqNwbWSPHEV8X3QEJPtgyYcKgoSr:lk78EkR28oS
Threatray	5 similar samples on MalwareBazaar
TLSH	CD03A3122F5BD62CC2C1A2315221E5B5C52A5CA053F1729B63C015EB3E62EECE1BDF66
Reporter	_ilbaroni
Tags:	Babuk babuklocker Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

395

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BABUK.exe

Verdict:

Malicious activity

Analysis date:

2021-01-22 00:10:46 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/a9aab3f5-12e2-4270-8139-4590f2b7b601

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Babuk

Link:

https://www.capesandbox.com/analysis/113435/

Detection(s):

Win.Ransomware.Babuk-9819006-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Running batch commands

Creating a process with a hidden window

Creating a file

Changing a file

Changing an executable file

Launching a service

Launching a process

Sending a UDP request

Creating a window

Creating a file in the %temp% subdirectories

Moving a file to the %temp% subdirectory

Creating a file in the %AppData% subdirectories

Moving a file to the %AppData% subdirectory

Deleting volume shadow copies

Forced shutdown of a system process

Forced shutdown of a browser

Encrypting user's files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Babuk

Detection:

malicious

Classification:

rans.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/587909

Signature

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May disable shadow drive data (uses vssadmin)

Multi AV Scanner detection for submitted file

Yara detected Babuk Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430/

Threat name:

Win32.Ransomware.Babuk

Status:

Malicious

First seen:

2021-01-21 23:16:00 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v7hsmwq5zwpkwwvle4gurkswdzg55ny4axrszbl5hoajxnsmaqya._file

Verdict:

malicious

Babuk

30fcff7add11ea6685a233c8ce1fc30abe67044630524a6eb363573a4a9f88b8

Babuk

550771bbf8a3e5625d6ec76d70ed86f6e443f07ce80ff73e47f8249ddd72a8cf

Babuk

704a0fa7de19564bc743fb68aa0652e38bf86e8ab694bc079b15f945c85f4320

Babuk

8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9

Babuk

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware

Link:

https://tria.ge/reports/210122-dcvdsabdme/

Behaviour

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Enumerates connected drives

Drops startup file

Modifies extensions of user files

Deletes shadow copies

Unpacked files

SH256 hash:

afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430

MD5 hash:

be76ed428523b9aefe706aeaa72bb6b2

SHA1 hash:

b040f2bdee3999aad415396f9f79e43b2aa9452b

Link:

https://www.unpac.me/results/c56d9d76-9c68-4d60-8093-00123e42ebf7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Filecoder

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/afcf265a1dcd9eab5aab270d48aa561e4ddeb71c05e32c857d3b809bb64c0430

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Destructive_Ransomware_Gen1 Create hunting rule
Author:	Florian Roth
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/113435/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample