babuk | 3a7ce9c2729308e680c439e4032c63ff32d83f6d66ab2528d2fadb8ca7f08274

General

Target

6123373352222720.zip
Size

1.8MB
Sample

210630-6h4hc1ljtj
MD5

b334bba8aac9dd208d3bae23968f63da
SHA1

e72b8189a041849264f52feb55f14cae062be681
SHA256

3a7ce9c2729308e680c439e4032c63ff32d83f6d66ab2528d2fadb8ca7f08274
SHA512

ea8512652e63e6f58796159884b29f0a9010e44afc02707ff08dd950a676da5891f9fe8267c0856c0114793ba5679a56a082ff1ca6d9bbcd81bdf322eb5f7bc9

Score

10^/10

Malware Config

Targets

- Target
  
  028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc
- Size
  
  79KB
- MD5
  
  eb9e0b14e2235af24eeee881892fc825
- SHA1
  
  3fb00aa10ccfaedfd29f8b01ef6ef4434d260eb9
- SHA256
  
  028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc
- SHA512
  
  c341517ba090bf530bd1324758644c8d6d2e488912bae19e0b066d508f3e37845ca8b39e5ee86fe75b22126d5d4bcb4957f58e02360c2606f9c0278382238c0a
Score

10^/10

babuk ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2
- Target
  
  b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093
- Size
  
  1.8MB
- MD5
  
  7678217358637f0e5f06128dfdc7b3e4
- SHA1
  
  0867c058cdcf861deacde7ea2fcd2b589729a3b6
- SHA256
  
  b2ead315d6a392726c96cc0f928a5218ecc4282dacd43f36a249219391457093
- SHA512
  
  9880f2635237f22ee1da10bd766ebc9df28e73a5ff63191c5c5cd48f6f4ce13be96de0ce03cfdfe0307746258e739102a7aaf1a40d3719099832c5b5fdb770e6
Score

10^/10

cryptbot discovery spyware stealer
- CryptBot
  A C++ stealer distributed widely in bundle with other software.
  spyware stealer cryptbot
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053
- Size
  
  359KB
- MD5
  
  b91c50ad0926f99ca352aca8676a0184
- SHA1
  
  0989cee8a66ccd52d0636cc3a8148fb33620f6b9
- SHA256
  
  d17c45b69bc45e17de1152841ebddb3a6abfe85202569fd5dea6b8d52a44c053
- SHA512
  
  96eba795492867c4c4bfae5dae67b6d85a41d35bfa7033347b3e788719a7fba6364f32bf659a57f4d2caadeffa2da201a6fa567c00ce42fc205ac00c12cfb263
Score

10^/10

babuk ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5 behavioral6