MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9441e319741dcc962b25e716a1dc0ba787592565e68785aea091126fef6474a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Babadeda


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9441e319741dcc962b25e716a1dc0ba787592565e68785aea091126fef6474a
SHA3-384 hash: db03987f88d9ba91f71f4c2b59c4dfa73f7c341b9d5cc92fec78f6c567317dbc0ded2ee5328296c7451ba89955cca1fd
SHA1 hash: 16cff7eba18f412d4e678dc3ed3eb7a8648c5016
MD5 hash: 442306d09d8349637b4d0f55b39b0d15
humanhash: fruit-west-texas-speaker
File name:Start Offline.exe
Download: download sample
Signature Babadeda
Create hunting rule
File size:153'600 bytes
First seen:2022-12-24 11:36:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 1536:y7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfGxPbJrNY61vzKR7tgF:wq6+ouCpk2mpcWJ0r+QNTBfGTrNYGbH
Threatray 186 similar samples on MalwareBazaar
TLSH T1B2E35B87E6C64566C6E05B3000B6F23EB37FDE612E248B83C7E978505FB29456A743E4
TrID 36.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon fb7ed1e87c9eebfe (1 x Babadeda)
Reporter adfxxx1
Tags:Babadeda exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Start Offline.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-24 11:39:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0a4b6bb-4550-4eb4-a413-d78aadabd09b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Malware.AI.392946571.12299.9836.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lazagne packed shell32.dll
Link:
https://www.filescan.io/uploads/63a6e45f657c03f3643106ec/reports/3992f34a-5e3f-4449-9a45-fbd03e716cd6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d081fd8-af4c-4711-a27a-9586ddf2e650
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1140422
Signature
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected Babadeda
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 773152 Sample: Start Offline.exe Startdate: 24/12/2022 Architecture: WINDOWS Score: 72 20 Multi AV Scanner detection for submitted file 2->20 22 Detected unpacking (overwrites its own PE header) 2->22 24 Yara detected Babadeda 2->24 26 Machine Learning detection for sample 2->26 7 Start Offline.exe 8 2->7         started        process3 process4 9 cmd.exe 1 1 7->9         started        signatures5 28 Uses cmd line tools excessively to alter registry or file data 9->28 12 conhost.exe 9->12         started        14 xcopy.exe 1 9->14         started        16 attrib.exe 1 9->16         started        18 2 other processes 9->18 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9441e319741dcc962b25e716a1dc0ba787592565e68785aea091126fef6474a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-20 12:07:08 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 40 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fcb4mmxihomsyvslzywuhoaxj4hleswlzuhqwxkbeisn7xwi5fa._file
Verdict:
malicious
Similar samples:
064c82c9caf9d7ac84081f1a3e7db2f8b53fe0b63b42f950700305cfb61912ac
Babadeda
40fa2841472cc954499bfa367343a445a348ec9312744bdfb32cc671489eccc7
Babadeda
4710c5debc1ad17a85ef82676a4b6b7e15054966de57b0f4bab61c4ede209830
Babadeda
5e85f99fa8cd28b0cf1d9c5dbfe47c82ff1ada5727c5bf5007a11e8e9890cb9b
Babadeda
5fcf5f6ab5218cdcc5745e391ff77ec1e7769134048c9f8432f1325f3c59dd5f
Babadeda
6e34f951634493ec7a71e5c3418ed7d973ffc87351a5459722e04016c94b1471
Babadeda
8e604b70dd6ca05df996f71508ba0c06b89da8c0107b789076617a8664ba4e6d
Babadeda
9bc57cb47132054e4fc642fdde80688017ef460270e75888c12bd8d7845e4bc4
Babadeda
b3847c94d840dd53c3ba7248734424f06715deacf6dd6ebb727c2f1a7de4c945
Babadeda
f1e6657c4eb47b8e3fbd4c88a53913bf5ddcfa697096b54b3c6a097ae5d2099a
Babadeda
+ 176 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221224-nq5ysadb6v/
Behaviour
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
f9441e319741dcc962b25e716a1dc0ba787592565e68785aea091126fef6474a
MD5 hash:
442306d09d8349637b4d0f55b39b0d15
SHA1 hash:
16cff7eba18f412d4e678dc3ed3eb7a8648c5016
Link:
https://www.unpac.me/results/677e8bd5-86e3-49ec-a5d7-4d86b81d452e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9441e319741dcc962b25e716a1dc0ba787592565e68785aea091126fef6474a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments