MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3573ec349f77291b606d9e3f7e252a9103e48e9d390144d5fdd917f18666d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Babadeda


Vendor detections: 15



SHA256 hash: ff3573ec349f77291b606d9e3f7e252a9103e48e9d390144d5fdd917f18666d9
SHA3-384 hash: 50e90b5ed8f7816e9e091dbb938f5c7da0a16c5957a9d7af5b9e5040d590026872903dfec2a544f5dfc35acff46128ba
SHA1 hash: ed8b8680c853dd3f76fdf00e53a9e948d2f05399
MD5 hash: b5657b29f0e8d846757a62d2dd7b7b81
humanhash: nuts-single-bluebird-cup
File name: Maxonic.exe
Signature: Babadeda
File size: 11'035'648 bytes
First seen: 2025-07-21 19:05:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep: 196608:B+x/H70KSJ+awbWDK/G30YBzDqmixMdZ3wpno7rVVk+URZdmmsZLN/6jA:4DhorwwdNLigZuoXk+YZY+c
TLSH: T16EB6336DD4CC40EDFFA446F954C09B898BC2072445AE946AC73D2EE44ED23F2662C96F
TrID: 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: d8b0e4ee2e9eece0 (3 x Babadeda)
Reporter: burger
Tags: Babadeda exe LummaStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
34
Origin country :
NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Tags:
shell spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Launching a process
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed purebasic zero
Result
Threat name:
Babadeda, LummaC Stealer, RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Detected unpacking (overwrites its own PE header)
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Babadeda
Yara detected LummaC Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 1741561, rendered as an image on the original page): Sample: Maxonic.exe, Startdate: 21/07/2025, Architecture: WINDOWS, Score: 100
Process chain recovered from the graph (network indicators omitted):
  Maxonic.exe (drops install1.exe and inject2.exe; detected unpacking, overwrites its own PE header)
    cmd.exe (uses schtasks.exe to add or modify scheduled tasks)
      install1.exe -> OpenWith.exe -> OpenWith.exe (drops YJIb.exe and 3m_-cE8hm.exe; early bird injection; harvests Putty/WinSCP and mail credentials)
        YJIb.exe (drops WmiPrvSE.exe; modifies Windows Update settings; adds a Windows Defender directory exclusion)
          powershell.exe (loads BitLocker PowerShell module)
          cmd.exe -> net.exe -> net1.exe
        wmpshare.exe -> dllhost.exe (writes to foreign memory, allocates memory in foreign processes)
        3m_-cE8hm.exe (drops UserOOBEBroker.exe; antivirus detection for dropped file)
          cmd.exe -> schtasks.exe
          cmd.exe -> timeout.exe
        4 other processes (chrome.exe, msedge.exe; strings related to crypto wallets)
      inject2.exe -> MSBuild.exe (PE injection into a foreign process)
  svchost.exe -> MpCmdRun.exe (changes security center settings)
  msedge.exe and 11 other processes
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Verdict:
Malicious
Threat:
Trojan.Win32.Rhadamanthys
Threat name:
Win32.Spyware.Lummastealer
Status:
Malicious
First seen:
2025-07-21 19:05:42 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
rhadamanthys unc_loader_048
Similar samples:
Result
Malware family:
rhadamanthys
Score:
  10/10
Tags:
family:lumma family:rhadamanthys discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Executes dropped EXE
Detects Rhadamanthys Payload
Lumma Stealer, LummaC
Lumma family
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PureBasic4xNeilHodgson
Author: malware-lu
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Babadeda
File type: Executable exe
SHA256: ff3573ec349f77291b606d9e3f7e252a9103e48e9d390144d5fdd917f18666d9 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                 | Title                                                      | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                       | high
CHECK_NX           | Missing Non-Executable Memory Protection                   | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection   | high
CHECK_TRUST_INFO   | Requires Elevated Execution (level:requireAdministrator)    | high

Reviews
ID                | Capabilities                   | Evidence
MULTIMEDIA_API    | Can Play Multimedia            | WINMM.DLL::timeBeginPeriod
SHELL_API         | Manipulates System Shell       | SHELL32.DLL::ShellExecuteExW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API   | Can Create Files               | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetWindowsDirectoryW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::RemoveDirectoryW
WIN_USER_API      | Performs GUI Actions           | USER32.DLL::CreateWindowExW
