MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6cc9c8fdeb23608fb3566df3fb8ada07aac8a9fc5e333303fdb3db730a5b5e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6cc9c8fdeb23608fb3566df3fb8ada07aac8a9fc5e333303fdb3db730a5b5e8
SHA3-384 hash: dea86f8497e9e801d9a5bd73570ff12f2715536347bd160a9d1262a904b6ec8611a952d86e857d1a49a391e75133920c
SHA1 hash: 41ac8d91a9c06aad7c4b72620f157066b1d33a0e
MD5 hash: d95e741b99b3bd4784e2b657ffdb615e
humanhash: johnny-yellow-undress-oranges
File name:d95e741b99b3bd4784e2b657ffdb615e
Download: download sample
Signature Babadeda
Create hunting rule
File size:24'256'736 bytes
First seen:2022-11-18 08:49:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9369b8cbf820fedf4c7837b944ee2543 (8 x Babadeda, 1 x Amadey)
ssdeep 393216:gVZHFwVAHv7PWWexqaHiWxKuNTxUNj5aBM9BYwZk/D6h+URNw/GFyutsug:gVhFwVAPb96H/K6kj5aYBHZGDGNw/PD
Threatray 53 similar samples on MalwareBazaar
TLSH T17D373359F4C03FA8E9CD62B11E83352BD512318B42912DAFD809B7ED71DA72B8FB8511
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
7.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2e2e5630adc9ce48 (12 x Babadeda)
Reporter zbetcheckin
Tags:32 Babadeda exe signed

Code Signing Certificate

Organisation:James Caulfield
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-08-11T00:00:00Z
Valid to:2023-08-11T23:59:59Z
Serial number: 967cb0898680d1c174b2baae5fa332db
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: c231f1e6cc3aec983d892e1bc3bb1815335fb24e3e2f611d79bade9a07cbd819
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d95e741b99b3bd4784e2b657ffdb615e
Verdict:
Malicious activity
Analysis date:
2022-11-18 08:50:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e33c631-b435-44e3-80bf-318ddc59a551

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Adware.Dealply-6619273-0
Create hunting rule

PUA.Win.Adware.Dealply-6888374-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Delayed reading of the file
Creating a file in the %temp% subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6377473cb7b400a0e0092f6d/reports/f132bf45-3fb4-4777-8981-07f5b589853f/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Babadeda
Create hunting rule
Detection:
suspicious
Classification:
troj
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1116402
Signature
Multi AV Scanner detection for submitted file
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Tedy
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 08:51:25 UTC
File Type:
PE (Exe)
Extracted files:
2803
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43gjzd66wi3ar6zvm3pt7ofnub5kzcu7yxrtgmb73m63omffwxua._file
Verdict:
unknown
Similar samples:
06089228420b587517a8674d586b6a2880b939d15775ca8e0a64c4364daadeed
Babadeda
1a98be3c94ae7a5f690fbed35341b989b8a28132f59784bb68ec91a1c850666d
Babadeda
37056d95d8a40efef2409cc81894bb294a063a51ab152401f4dab83817b11013
Babadeda
3faabdca1f4040c7f6038c8532542316562b4c8febe4f4a2b2671dbe103305bd
Babadeda
925b2a6cffe8f4835e1fd4db52b33a863adc953be537638be28462c82389e9e0
Babadeda
a6d25755fa8924d8df0ccbf885516f13ab602bae86462388cc146e8e5191cece
Babadeda
eb67f3f67c1959e1921e8f4837d96cbb71c0063e4eadfe5260c90e0c4f477c84
Babadeda
+ 43 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/221118-krlpraha32/
Behaviour
Enumerates physical storage devices
UPX packed file
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0d13881e-82c5-4e2a-8a71-6c3ca1dbe231
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Babadeda

Executable exe e6cc9c8fdeb23608fb3566df3fb8ada07aac8a9fc5e333303fdb3db730a5b5e8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2425430/

Comments


Avatar
zbet commented on 2022-11-18 08:49:33 UTC

url : hxxp://www.bearware.org/download/IN167/Setup2010u32.exe