MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babadeda

Vendor detections: 8



SHA256 hash: eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e
SHA3-384 hash: f841adc9d326d2d0809651b5d14375d35ffe38eb5cce553bcc42bc88711c0dd97013d5df6553ecb440713b2c4cb4c1d9
SHA1 hash: d432365f43c862ea2c9a8d2fab3417697f49ceb8
MD5 hash: e97d9da16a0e7f538d0b317e9863ce3b
humanhash: blue-robin-romeo-missouri
File name: Hackstore.exe.vir
Signature: Babadeda
File size: 117'760 bytes
First seen: 2022-06-18 12:01:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 3072:S7DhdC6kzWypvaQ0FxyNTBfCSru6pOILaufaz:SBlkZvaF4NTBKKfaz
Threatray: 2'024 similar samples on MalwareBazaar
TLSH: T1ABB39D41F2E242F7EAF2053100A6622F973663389764E8DBC75C3D529913AD1A63D3F9
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: KdssSupport
Tags: Babadeda exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 267
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Hackstore.exe
Verdict: Malicious activity
Analysis date: 2022-06-18 11:55:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:

Behaviour
  Searching for the window
  Creating a file in the %temp% subdirectories
  Running batch commands
  Launching a process
  Creating synchronization primitives
  Forced system process termination
  Creating a file
  Creating a process from a recently created file
  Launching the process to interact with network services
  Creating a window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
  MalwareBazaar
  CPUID_Instruction

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda
Detection: malicious
Classification: troj.expl
Score: 60 / 100

Signature
  Command shell drops VBS files
  Drops script or batch files to the startup folder
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  Sigma detected: Drops script at startup location
  Suspicious powershell command line found
  Yara detected Babadeda
Behaviour
Behavior Graph (ID: 648153, Sample: Hackstore.exe.vir, Startdate: 18/06/2022, Architecture: WINDOWS, Score: 60)

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Babadeda; Sigma detected: Drops script at startup location; Machine Learning detection for sample

Process tree (reconstructed from the graph edges):
  Hackstore.exe.exe (started)
    cmd.exe (started) [signatures: Suspicious powershell command line found; Drops script or batch files to the startup folder]
      powershell.exe (started)
        Hackstore.exe.exe (started)
          cmd.exe (started) [signatures: Command shell drops VBS files; Drops script or batch files to the startup folder]
            dropped: C:\Users\user\AppData\Roaming\...\nibba.bat (DOS)
            dropped: C:\Programsx64\Filestack\hackmsg.vbs (ASCII)
            cscript.exe (started)
              conhost.exe (started)
            net.exe (started)
              net1.exe (started)
            net.exe (started)
              net1.exe (started)
            11 other processes
              net1.exe (started)
              net1.exe (started)
              net1.exe (started)
              8 other processes
          conhost.exe (started)
    conhost.exe (started)
Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
  Runs net.exe
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Drops file in Windows directory
  Drops startup file
Unpacked files
SHA256 hash: eaf08f6d20670daa716352b18fbc7801d4dbba9e26f986cec4234947e83bba0e
MD5 hash: e97d9da16a0e7f538d0b317e9863ce3b
SHA1 hash: d432365f43c862ea2c9a8d2fab3417697f49ceb8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments