MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee0e754ae6cc20656a4c2a4f43b25978fa0d725136a880b7924c1395f6b30e9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Babadeda

Vendor detections: 9

SHA256 hash: ee0e754ae6cc20656a4c2a4f43b25978fa0d725136a880b7924c1395f6b30e9b
SHA3-384 hash: 90e1cc4c9e456cd59470941989d7dbe70881e5f1cfad17aec92972729ffaf6b13fdf0d302e5df9bd9ea886ee7f85c608
SHA1 hash: baf805e054b9b392b53412d6ab6cea171c9d77ac
MD5 hash: d290b5ba66f5ab9129b8195b9a616b30
humanhash: pizza-moon-louisiana-mexico
File name: d290b5ba66f5ab9129b8195b9a616b30
Signature: Babadeda
File size: 243'064 bytes
First seen: 2022-04-04 16:20:57 UTC
Last seen: 2022-04-04 17:07:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 6144:HNeZmfze6ldHqQ7s+sCpky3IJkBptsFHK:HNlfRldKu5YJ8cq
Threatray: 130 similar samples on MalwareBazaar
TLSH: T19A3412291FA1C073EA6305700EBE9713EFF3942015789A8707569FBD7620E82D63E799
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32, Babadeda, exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 221
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 402c5e5d6b4f4e14ae9b6b1e271ddaaa
Verdict: Malicious activity
Analysis date: 2022-04-04 20:30:06 UTC
Tags: exploit, CVE-2017-11882, loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe, overlay, packed, shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Babadeda
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell File Write to Suspicious Folder
Yara detected Babadeda
Behaviour

Behavior Graph ID: 602790
Sample: 8PtCHGXy6c
Start date: 04/04/2022
Architecture: WINDOWS
Score: 96

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Babadeda; May check the online IP address of the machine; 4 other signatures
Sample-level DNS/IP: api.ipify.org.herokudns.com; api.ipify.org

Process tree (dropped files, network and signatures per process):
8PtCHGXy6c.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\ffnqv.exe, PE32
    ffnqv.exe (started)
        signatures: Detected unpacking (overwrites its own PE header); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Injects a PE file into a foreign processes
        ffnqv.exe (started)
            dropped: C:\Users\user\AppData\Local\Temp\...\9856.bat, ASCII
            cmd.exe (started)
                powershell.exe (started)
                    network: transfer.sh 144.76.136.153, 443, 49775 HETZNER-ASDE Germany
                    dropped: C:\Users\Public\shams\kmshost.exe, PE32
                    signature: Powershell drops PE file
                kmshost.exe (started)
                    dropped: C:\Users\user\AppData\Local\...\_raw_ecb.pyd, PE32; C:\Users\user\AppData\Local\...\_raw_des3.pyd, PE32; C:\Users\user\AppData\Local\...\_raw_des.pyd, PE32; 12 other files (none is malicious)
                conhost.exe (started)
                attrib.exe (started)
Threat name: Win32.Trojan.NSISInject
Status: Malicious
First seen: 2022-04-04 14:27:32 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 23 of 26 (88.46%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: pyinstaller
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files

SHA256 hash: be6d2613b6a238f93fc3edfa674eef1fd411c73afe53d328052437a5f52a0f95
MD5 hash: fa8c4672613ab6e0d31a3ea31d3b506a
SHA1 hash: 4da5071bd849d5b7df28d227d2705a21eba81909

SHA256 hash: 6e0475b8c3b16ac2999fc4cc9b4bf29fdfe98fb98ea4979b86b300846ecbe922
MD5 hash: 10e4cc1206a9d51f61513d421c7e1150
SHA1 hash: 558f7ce08b0b51758daaf80c6848f3f60ce8c4d8

SHA256 hash: d84a49fc9e6c2db17bfc1ef09fdcac763214ade15966f1243152b3e799f730bb
MD5 hash: 845acf3accb15dd1b3f25bd9864e2e46
SHA1 hash: 7a192374318a5e5caf1c935ff2f21ae2b84df2f3

SHA256 hash: ee0e754ae6cc20656a4c2a4f43b25978fa0d725136a880b7924c1395f6b30e9b
MD5 hash: d290b5ba66f5ab9129b8195b9a616b30
SHA1 hash: baf805e054b9b392b53412d6ab6cea171c9d77ac

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type      | SHA256
Web download    | Babadeda  | Executable exe | ee0e754ae6cc20656a4c2a4f43b25978fa0d725136a880b7924c1395f6b30e9b (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-04-04 16:20:58 UTC

url : hxxp://saraparedesrectora.cl/wp-content/plugins/ywjnmetzpw/grace.jpg