MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babuk

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc
SHA3-384 hash:	b33d03efa89f2ad8804d8074ae3a0e074d25e535de6ac50c27c655468edb93d564b702ea8506b7583b449cb53d420330
SHA1 hash:	e4934d730f999bc2bc0e05fec3b9afe324d8a32b
MD5 hash:	b8e5bd86046b596d8cf43843f433bb5d
humanhash:	bulldog-saturn-north-fruit
File name:	l.exe
Download:	download sample
Signature	Babuk Create hunting rule
File size:	80'896 bytes
First seen:	2021-04-16 00:35:11 UTC
Last seen:	2021-04-16 00:35:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	202fa14f574c71c2f95878e40a79322d (35 x Babuk)
ssdeep	1536:IK36UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:IKLhZ5YesrQLOJgY8Zp8LHD4XWaNH71m
Threatray	10 similar samples on MalwareBazaar
TLSH	A883E8115D85D2B6C5D1623151A7F1AAC13A197003B5A38B63C027AEFB10AE8F6BCF67
Reporter	FirehaK
Tags:	Babuk babyk Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

393

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

l.exe

Verdict:

Malicious activity

Analysis date:

2021-04-16 00:45:19 UTC

Tags:

ransomware

Link:

https://app.any.run/tasks/e24447b4-9f8a-46b8-b4ad-ffce865959a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Babuk

Link:

https://www.capesandbox.com/analysis/135651/

Detection(s):

Win.Ransomware.Maze-7473772-0

Win.Ransomware.Babuk-9819006-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Deleting a recently created file

Creating a file

Running batch commands

Creating a process with a hidden window

Searching for the window

Changing a file

Sending a UDP request

Launching a process

Creating a file in the system32 subdirectories

Launching a service

Creating a file in the Windows subdirectories

Creating a file in the mass storage device

Encrypting user's files

Result

Threat name:

Babuk

Detection:

malicious

Classification:

rans.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/678919

Signature

Deletes shadow drive data (may be related to ransomware)

Found ransom note / readme

Found Tor onion address

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May disable shadow drive data (uses vssadmin)

Multi AV Scanner detection for submitted file

Writes a notice file (html or txt) to demand a ransom

Yara detected Babuk Ransomware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc/

Threat name:

Win32.Ransomware.Babuk

Status:

Malicious

First seen:

2021-04-15 15:08:33 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xmy7enpinmh5ugc6mwao6uzh7agwu3dvj54ethugi7pf4iuxnhga._file

Result

Malware family:

babuk

Score:

10/10

Tags:

family:babuk ransomware

Link:

https://tria.ge/reports/210416-kn884nv1n6/

Behaviour

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Enumerates connected drives

Modifies extensions of user files

Deletes shadow copies

Babuk Locker

Unpacked files

SH256 hash:

bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc

MD5 hash:

b8e5bd86046b596d8cf43843f433bb5d

SHA1 hash:

e4934d730f999bc2bc0e05fec3b9afe324d8a32b

Link:

https://www.unpac.me/results/5673bc7c-e447-4c0f-b90e-007ad8f0dfdc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Filecoder

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bb31f235e86b0fda185e6580ef5327f80d6a6c754f78499e8647de5e229769cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Babuk Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	Babuk / Babyk ransomware
Reference:	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/

Rule name:	Destructive_Ransomware_Gen1 Create hunting rule
Author:	Florian Roth
Description:	Detects destructive malware
Reference:	http://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICOUS_EXE_References_VEEAM Create hunting rule
Description:	Detects executables containing many references to VEEAM. Observed in ransomware

Rule name:	MALWARE_Win_Babuk Create hunting rule
Author:	ditekSHen
Description:	Detects Babuk ransomware

Rule name:	Ransom_Babuk Create hunting rule
Author:	TS @ McAfee ATR
Description:	Rule to detect Babuk Locker

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/135651/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample