MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
SHA3-384 hash: 891bf76a80daeb3f8dd5f77e4c11408efbaf8207da504268ff3bb99fccebd3c3a59364b7c9cd5265a0195ff00c26f910
SHA1 hash: 95c8e49f80180c352281c2b8ce8c51ab167ae43c
MD5 hash: e6db112fa5dcfe99e1fb8db01d7b8877
humanhash: arizona-quebec-don-purple
File name:paymentinvoice.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:119'296 bytes
First seen:2022-02-14 19:10:34 UTC
Last seen:2022-02-14 20:56:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 3072:Iq6+ouCpk2mpcWJ0r+QNTBfMhl9EKJ3FSwCPPsY:Ildk1cWQRNTBEBF1gPPD
Threatray 104 similar samples on MalwareBazaar
TLSH T1ADC3AE45F3E202F7EAE14A3200A6712FA73567249724E8D7C34C3D839953AD19A7D3E9
File icon (PE):PE icon
dhash icon 70c0d0d0c8ccf0f0 (8 x Formbook, 4 x NanoCore, 3 x RedLineStealer)
Reporter 604Kuzushi
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e6db112fa5dcfe99e1fb8db01d7b8877.exe.vir
Verdict:
Suspicious activity
Analysis date:
2022-02-15 01:47:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cb30a510-7d80-43da-9fd7-60e50e7a8a9d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241480/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.8247.15289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Searching for the window
Creating a process from a recently created file
Creating a window
Adding an access-denied ACE
Creating a file in the Windows subdirectories
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lazagne packed shell32.dll
Link:
https://www.filescan.io/uploads/620aa94b54047500bb555793/reports/48d003ff-23b6-40b7-bbea-19067c414b70/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c5d1ec0c-f817-4f88-97b2-883c7bb51c9b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/939677
Signature
Detected unpacking (overwrites its own PE header)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572151 Sample: paymentinvoice.exe Startdate: 14/02/2022 Architecture: WINDOWS Score: 68 44 Multi AV Scanner detection for submitted file 2->44 46 Executable has a suspicious name (potential lure to open the executable) 2->46 48 Machine Learning detection for sample 2->48 50 Initial sample is a PE file and has a suspicious name 2->50 9 paymentinvoice.exe 8 2->9         started        process3 signatures4 52 Detected unpacking (overwrites its own PE header) 9->52 12 cmd.exe 3 2 9->12         started        process5 process6 14 AcroRd32.exe 40 12->14         started        16 powershell.exe 14 17 12->16         started        19 conhost.exe 12->19         started        dnsIp7 21 RdrCEF.exe 59 14->21         started        23 RdrCEF.exe 9 14->23         started        26 AcroRd32.exe 14 6 14->26         started        40 meacz.gq 162.240.21.171, 443, 49754 UNIFIEDLAYER-AS-1US United States 16->40 process8 dnsIp9 28 RdrCEF.exe 21->28         started        30 RdrCEF.exe 21->30         started        32 RdrCEF.exe 21->32         started        34 RdrCEF.exe 21->34         started        42 192.168.2.1 unknown unknown 23->42 36 RdrCEF.exe 23->36         started        38 RdrCEF.exe 23->38         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf/
Threat name:
Win32.Trojan.SpyNoon
Create hunting rule
Status:
Malicious
First seen:
2022-02-14 17:00:34 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=znj3drr6ic7cpn5kptkfrw7em7tln2eh7owgwnztosqsjqbfhsxq._file
Verdict:
malicious
Similar samples:
1f79ce7d7716512af2a93caf014f302846d5f41ff9850af71120c7fed2bf5845
Babadeda
3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
Babadeda
385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb
Babadeda
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
Babadeda
605412b4ceaf25fc66306e96a347662161925ba372383ad39a28703d4ef65caa
Babadeda
6b664d6b89eabbac55c8927fa29d2669ba629a40f1abbf12d76f8d9b14e4facb
Babadeda
7dfdcd5bc610f3718de9ecd3fc67aba996d3a9c786b5954832ede3cc99d0b0b7
Babadeda
888497ac8f3cb030dc34d198ef8e307fab6b129f31f4fc9c41ea78f94d831529
Babadeda
ceddcfa72226e91f7435facafe6631d1385ca4d246d242d5136ac4e9462b8611
Babadeda
f68cf2d7540359cd27bae6aaa15274efd2444f148e1632a9d4bf90facfe5c927
Babadeda
+ 94 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220214-xvx86sadh7/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Unpacked files
SH256 hash:
cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf
MD5 hash:
e6db112fa5dcfe99e1fb8db01d7b8877
SHA1 hash:
95c8e49f80180c352281c2b8ce8c51ab167ae43c
Link:
https://www.unpac.me/results/ae77757f-50f0-45b4-ba42-44d0f50528a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Babadeda

Executable exe cb53b1c63e40be27b7aa7cd458dbe467e6b6e887fbac6b373374a124c0253caf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241480/

Comments