MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
SHA3-384 hash: 45c4d4dc0cd509bf84b144ba8e002301c98ac3ec1cee368c0ca21bb349f503e88e484db6b583cbab8f7231fcfdd91b4e
SHA1 hash: 4f3a8cd939fbe37426efda7c88fbd2e49d8f8986
MD5 hash: df7952a5fc82dfb2e49ae81b6a1be135
humanhash: sweet-green-uranus-magnesium
File name:df7952a5fc82dfb2e49ae81b6a1be135.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:354'816 bytes
First seen:2022-01-14 09:14:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 6144:ezBkLL2NTBY2j1gmB0cR8zGnIu4TBJCb2WefmJwJS6jbMXC3DvMk7y:eKyNTa25ccRPIu49JmYt3jbM/
Threatray 93 similar samples on MalwareBazaar
TLSH T1DA740151B7E055F6FAE1423201F276ABE23BA36C8714ADD3D34E28421D46AC997342FD
Reporter abuse_ch
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df7952a5fc82dfb2e49ae81b6a1be135.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 09:23:10 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/0ec4ebef-41a7-4179-bf14-b21b7ee15e7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219266/
Detection(s):
SecuriteInfo.com.BAT.KillWin.dropper.1184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4172/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e13ee1e997359713eb60fa/reports/de550309-8e3c-4d7e-86c0-814634903aef/overview
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e5dfa71b-7bff-4baf-a165-28bd8ef1cbc7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920619
Signature
Command shell drops VBS files
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553097 Sample: Za35fCUFau.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for submitted file 2->32 34 Machine Learning detection for sample 2->34 36 Sigma detected: WScript or CScript Dropper 2->36 38 2 other signatures 2->38 7 Za35fCUFau.exe 10 2->7         started        process3 file4 24 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\Temp\...\AEE6.bat, ASCII 7->26 dropped 40 Detected unpacking (overwrites its own PE header) 7->40 42 Potential malicious VBS script found (suspicious strings) 7->42 11 cmd.exe 3 5 7->11         started        signatures5 process6 signatures7 44 Potential malicious VBS script found (suspicious strings) 11->44 46 Command shell drops VBS files 11->46 48 Uses BatToExe to download additional code 11->48 14 wscript.exe 11->14         started        18 extd.exe 2 11->18         started        20 extd.exe 2 11->20         started        22 3 other processes 11->22 process8 dnsIp9 28 iplogger.org 148.251.234.83, 443, 49748 HETZNER-ASDE Germany 14->28 50 System process connects to network (likely due to code injection or exploit) 14->50 52 May check the online IP address of the machine 14->52 30 a0621298.xsph.ru 141.8.194.74, 49749, 49750, 49752 SPRINTHOSTRU Russian Federation 18->30 54 Multi AV Scanner detection for dropped file 18->54 56 Creates HTML files with .exe extension (expired dropper behavior) 18->56 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 09:14:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
Babadeda
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
Babadeda
534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0
Babadeda
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
Babadeda
83b1180e8794a4d719586d4f5fe237b37167ef93c186d3c0976a70d39541c72f
Babadeda
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
Babadeda
f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
Babadeda
+ 83 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220114-k7cf1sfdb6/
Behaviour
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
e7ad5144ee211ea50188d41383ff9dc962ee323eaabc359aec70bd342184a62e
MD5 hash:
cc92f34bb09e6d59a0e09769f5d13a21
SHA1 hash:
cbf295dab06d152b94f69f2fe4b581d3bde27c21
Link:
https://www.unpac.me/results/dbc8bdf0-3eb6-4bb0-b39d-1ad44713d331/
SH256 hash:
f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc
MD5 hash:
df7952a5fc82dfb2e49ae81b6a1be135
SHA1 hash:
4f3a8cd939fbe37426efda7c88fbd2e49d8f8986
Link:
https://www.unpac.me/results/dbc8bdf0-3eb6-4bb0-b39d-1ad44713d331/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f04b77c60c896b33ed8fe286de3341fc3ffd0211a987435475dc7e9d0abcb0cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219266/

Comments