MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
SHA3-384 hash: efdcbbee4e9e9ebe8e8aec122b31d6bd6240c96a4d4877d2ef5409e4057ceca123d3975d480a25d5f557211a84bf326a
SHA1 hash: 5701d6d8757d9d86e4eb612274e1e7047bed789c
MD5 hash: 617fb71aca0ed7804f0273b7c69661c9
humanhash: yellow-victor-arizona-fillet
File name:617fb71aca0ed7804f0273b7c69661c9.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:355'328 bytes
First seen:2022-03-03 09:40:05 UTC
Last seen:2022-03-22 05:23:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 6144:bldk1cWQRNTBqTpDqr2m+lQ8vhzQSDxdKqpByyO8hkXuaoLmM79oKihB:bcv0NT4oam+y8vhcS+SMy2PoL55wB
Threatray 108 similar samples on MalwareBazaar
TLSH T1B3740205B7E641F2E4F34A7000E7722B9736A6345724A8EBC35C3D038693DD995BA3E9
Reporter abuse_ch
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246902/
Detection(s):
SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8047/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/149849e9-0039-48ed-a6a8-19a88a9d47b7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
57 / 100
Link:
https://www.joesandbox.com/analysis/950169
Signature
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 582653 Sample: 3i4sGb3lxC.exe Startdate: 03/03/2022 Architecture: WINDOWS Score: 57 27 store-images.s-microsoft.com 2->27 31 Multi AV Scanner detection for submitted file 2->31 33 Machine Learning detection for sample 2->33 35 Yara detected BatToExe compiled binary 2->35 8 3i4sGb3lxC.exe 9 2->8         started        signatures3 process4 file5 25 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 8->25 dropped 37 Detected unpacking (overwrites its own PE header) 8->37 12 cmd.exe 1 3 8->12         started        signatures6 process7 signatures8 39 Uses BatToExe to download additional code 12->39 15 extd.exe 1 12->15         started        18 extd.exe 2 12->18         started        21 extd.exe 2 12->21         started        23 2 other processes 12->23 process9 dnsIp10 41 Multi AV Scanner detection for dropped file 15->41 29 transfer.sh 144.76.136.153, 443, 49751, 49752 HETZNER-ASDE Germany 18->29 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-03 05:14:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0728b1603407e57a7f30b16bb706dfaa69439b16181178fca3f3852a91bd208e
Babadeda
0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
Babadeda
39233ad29392ccae0a5f1a13569d11baf3b942b57dd01de2ec15288beb8ec02c
Babadeda
3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
Babadeda
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
Babadeda
83b1180e8794a4d719586d4f5fe237b37167ef93c186d3c0976a70d39541c72f
Babadeda
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
Babadeda
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
Babadeda
f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
Babadeda
+ 98 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220303-lm8t6aada3/
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
UPX packed file
Executes dropped EXE
Unpacked files
SH256 hash:
2f1d39ba573b84486227a1a96ee73c2016ef1ff08db4ef0101a14118d31f3f24
MD5 hash:
ff1fe289bf932bd268f5b8de03a1ee52
SHA1 hash:
3ed3b21e7b9e1b9fa07754550bd014352fdba6cd
Link:
https://www.unpac.me/results/df77f3be-fa69-4606-96b8-54371714eb62/
SH256 hash:
ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9
MD5 hash:
617fb71aca0ed7804f0273b7c69661c9
SHA1 hash:
5701d6d8757d9d86e4eb612274e1e7047bed789c
Link:
https://www.unpac.me/results/df77f3be-fa69-4606-96b8-54371714eb62/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Babadeda

Executable exe ed770464373d7578963c4f42cacca5e9b3094443a1666d1fa02fad0f4420f4f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2073027/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246902/

Comments