Overview

overview

10

Static

static

8

0099963e72...79.exe

windows7_x64

9

0099963e72...79.exe

windows10_x64

9

028facff67...fc.exe

windows7_x64

10

028facff67...fc.exe

windows10_x64

10

0294114d5f...59.exe

windows7_x64

10

0294114d5f...59.exe

windows10_x64

10

02e9883501...c3.exe

windows7_x64

9

02e9883501...c3.exe

windows10_x64

9

03110baa5a...d7.exe

windows7_x64

10

03110baa5a...d7.exe

windows10_x64

10

0b93a024b5...2f.exe

windows7_x64

10

0b93a024b5...2f.exe

windows10_x64

10

12c561ac82...f8.exe

windows7_x64

10

12c561ac82...f8.exe

windows10_x64

10

15656e1825...d3.exe

windows7_x64

10

15656e1825...d3.exe

windows10_x64

10

18e282e680...5f.exe

windows7_x64

10

18e282e680...5f.exe

windows10_x64

10

1ab45a508d...38.exe

windows7_x64

10

1ab45a508d...38.exe

windows10_x64

10

1d40f42fa3...94.exe

windows7_x64

10

1d40f42fa3...94.exe

windows10_x64

10

1deb1efad2...02.exe

windows7_x64

10

1deb1efad2...02.exe

windows10_x64

10

1e24560100...90.exe

windows7_x64

10

1e24560100...90.exe

windows10_x64

10

63b6a51be7...85.exe

windows7_x64

10

63b6a51be7...85.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4775178813997056.zip

  • Size

    389KB

  • Sample

    211215-g4vlmsggg9

  • MD5

    9b621494b8a13bfdc16bb8c717e97f71

  • SHA1

    442a318e8aa46d0fb36b9bfd1a87e2528d611fdc

  • SHA256

    a3788d8cf37d691627bdbc5add07b598fdde66bdfcdb05299b0976715b392a61

  • SHA512

    dfccd344771f69f3b77cb8153f59ffbea8126a50e01bc1541c6585b632e11cb35b2b172a7759c91d3b11ce63411745d0e387841d9644318ecdf53b20fc9f8636

Score
10/10
babukransomwareupx

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
----------- [ Hello world! ] -------------> ****BY BABUK LOCKER**** Ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. Now that we got your attention, lets make it short... -WHAT HAPPENED? ----------------------------------------------Some bad news... -All the files on your computer/network have been encrypted with SHA-256, ChaCha8 and ECC algorithms-translated, you can't open/decrypt your files on your own. -All your files such as customers info, scans, billing, insurance, passports... are in our hands now and we might decide to sell/make them public if you dont contact us. -Dont forget about GDPR ) ----------------------------------------------Some good news... -Contact us with the information below and you will recover all your data with our universal decryptor and we will permanently delete your info from our servers. WHAT GUARANTEES? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. Just google us, we have the decryption keys and we never leaked information of any paying company. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. Also information on how all this happened and further information to help you increase your network security, so this won't happen again. How to contact us? Good decision) ---------------------------------------------- -Send us an email: [email protected] [email protected] make sure you check your spam folder for our reply. -qTox for instant support, download TOX (https://tox.chat/download.html): our tox ID: 81B2B719AB9BDDCE9116776FA01956C2D4BB8A7CA5464592593F9A25DA1F91174391480C6DC0 !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!! Customer ID: S01E01AMS-DB7
URLs

https://tox.chat/download.html

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
This is the end. All your files have been encrypted. Please contact us at xxxx to decrypt your files

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
############## [ babuk ransomware greeings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/08deb1f2411fcdd93d524213ee3063b9719716e6813e886cb80f21df4a0d3ad5 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorythm and you can harm your files by using 3rd party decryption software.
URLs

http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/08deb1f2411fcdd93d524213ee3063b9719716e6813e886cb80f21df4a0d3ad5

Extracted

Path

C:\Help Restore Your Files.txt

Ransom Note
All of your files have been encrypted! The harddisks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special software Doydo. To purchase your key and restore your data, please follow these three easy: 1. The price for the software is $300 dollars USD. Payment can be made in Bitcoin only. 2. Bitcoin Address: 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs 3. Once paid, send proof of payment: Email: [email protected] You receive your key in 20 minutes: To make sure we have the decryptor and it works, you can send an email: [email protected] and decrypt a file for free. But this file shouldn't be of any value! Warning: do not turn off your pc! If you abort this process, you could destroy all of your data! Please ensure that your power cable is plugged in!
Wallets

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs

Targets

    • Target

      0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879

    • Size

      79KB

    • MD5

      e3dd1eb73e602ea95ad3e325d846d37c

    • SHA1

      a0a4fb4a58f663d2ff12d6efac1b07b63eb03e28

    • SHA256

      0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879

    • SHA512

      0bac92222143f699a5c01403b6aeefdc8b05fa73928186bee9e8a63d8f9da7486b5e4a5720bade9be17e884f8ef651e3f0bbb0c556b33e330f8788832d22a639

    Score
    9/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

    • Target

      028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc

    • Size

      79KB

    • MD5

      eb9e0b14e2235af24eeee881892fc825

    • SHA1

      3fb00aa10ccfaedfd29f8b01ef6ef4434d260eb9

    • SHA256

      028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc

    • SHA512

      c341517ba090bf530bd1324758644c8d6d2e488912bae19e0b066d508f3e37845ca8b39e5ee86fe75b22126d5d4bcb4957f58e02360c2606f9c0278382238c0a

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

    • Target

      0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59

    • Size

      79KB

    • MD5

      d3c83232b0e85485724c4029e8b93dc1

    • SHA1

      2cfe3762a2e0c7e9a15bd617e693076f47d84028

    • SHA256

      0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59

    • SHA512

      07d83a9b09452eab085bec3819a1bd5353e2364c134cf87fe0c1a6770ed447d32cb954c98337ca6121fce2db1dff05a5ea5518239f4bb02ca50dabee02cab490

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

    • Target

      02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3

    • Size

      79KB

    • MD5

      c7ec4e7022f26949ed39033616efe894

    • SHA1

      0e4da1fa8b3bc8b2f410cfd7230b9fc70dc10670

    • SHA256

      02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3

    • SHA512

      04976b2e50e5f7f7a067b0dc07072f22c607d8ae6c33b4ec4e65a851b71bef939725f29fdeaa7a943033a9aa6b5f9a09f1d029860a0dbd6184be768754982aff

    Score
    9/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral7behavioral8

    • Target

      03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7

    • Size

      79KB

    • MD5

      1dbd0abfdd692d5939f2aa201674d870

    • SHA1

      5a8d3472a642eb62cfde5e4db469c62422b16792

    • SHA256

      03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7

    • SHA512

      ad1398d865cda6c009cfab67901fcb7f2928a5b7dfd8cdc0a892bb6f1ec62f8d492f1f3a59277afac2251ebe2069a243b66d57754629290bbf68791f586c7311

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral9behavioral10

    • Target

      0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f

    • Size

      79KB

    • MD5

      2245c35306910a280961d356e4b5ab94

    • SHA1

      0ca5cc08a4f5226332d2ce49a9131216ac32bec2

    • SHA256

      0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f

    • SHA512

      09342308aebf1f5bcf494904b00eba2df9faa75c1d884dd8f2e706e4429905244e269bedc28c71d692348a87a257a4b00b12aa79e9a9b7f7498a441a73344ac4

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral11behavioral12

    • Target

      12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8

    • Size

      79KB

    • MD5

      4b4ed15014cad303edf6ceafedb3d594

    • SHA1

      bc327c544d5cdce1b7112a6ab389a14a803fa2dc

    • SHA256

      12c561ac827c3f79afff026b0b1d3ddec7c4b591946e2b794a4d00c423b1c8f8

    • SHA512

      bc35af57a4798b7b8490ceb2a74fda06c866a4e0854b3a754fd81cfd2bf8319aedc6da5f9d9ec5caac835f2ddd37a508e9fc8a5748344928c4ace19af9ed133d

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral13behavioral14

    • Target

      15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3

    • Size

      79KB

    • MD5

      075951011cd90b9d7b202d7aa45fda8e

    • SHA1

      19043c94c4b99ccd26aeed37236e534cf15a37ef

    • SHA256

      15656e1825383c4749fadcc46f9825df6262ca2f1f98d895d64c840febe3d9d3

    • SHA512

      e782c80568a7424eabf2f725d90ecc861dd5d23f31812227e3bb1b00897f659c864e38d768359dcb6965012f5dd4da2cc37bad28a071cabce9e77317f717ad84

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral15behavioral16

    • Target

      18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f

    • Size

      79KB

    • MD5

      e749820eb5214ce88ab2e6a109a2a31c

    • SHA1

      fb971681274419d82692085d7c8391c61fd0ba3a

    • SHA256

      18e282e6806903ff00a78b91f6d0ad1bc3aae4b4846d6a5705c036a88138605f

    • SHA512

      056e4f0f20c853fbad054987340a0519d3f960e8255b47f1a8923acc7515fdc2637bbb43a6eac8485eea5e5b1e5310317c2dfc6cf11a5cef70cb90d42babc8c3

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral17behavioral18

    • Target

      1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238

    • Size

      79KB

    • MD5

      ad44e77dff1efa05b990292b35f56b11

    • SHA1

      f7d3fabf0f901908bb29aaa8dd13baded4c408f0

    • SHA256

      1ab45a508da655ef755ad4394f869c664f664b3ac111875704a583e9485f2238

    • SHA512

      4bb500bcb9004e2dd1096ff664ab7e511d13ea1ce5a78fe39ce8e48eab4e2ed91a81823c449282caddc29ab06309927b3dece508fe606b8c6376ea88910e7e3f

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral19behavioral20

    • Target

      1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994

    • Size

      79KB

    • MD5

      38bf2b92a281f885e964a549575a5804

    • SHA1

      0150c32d9de1fc49e8a2cd80031c561748e8cca7

    • SHA256

      1d40f42fa328a9a6192d4fa8c6e5ce6f813ea9132774784521713b202d772994

    • SHA512

      99464b0867a297877eb88e0e322de1d4d613f75a2a420ea573e89a1798580f32ea0faac65752114223ff0ab684ae46fe4b0fcb629beb48077a949fac1ffe7d76

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral21behavioral22

    • Target

      1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402

    • Size

      79KB

    • MD5

      d24e9b0c3a81e884e14596d6047e31be

    • SHA1

      0557ae0a95e11e10fe9a33742f8b258b35c0aae6

    • SHA256

      1deb1efad2c469198aabbb618285e2229052273cf654ee5925c2540ded224402

    • SHA512

      5f9cfaf495d186c599ffe8fd63b7bf1c775313e38f0397f4f422d0944cfabf1c497b8cf81514d2a5d1ed2631d00f9356d8013fd90efea1bb29d17d7bae2a2ccd

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral23behavioral24

    • Target

      1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90

    • Size

      79KB

    • MD5

      92832ae49373b56748817cb5398ed706

    • SHA1

      61e4505d605882b809d9c7f3dcbf163ff1678382

    • SHA256

      1e24560100d010c27cc19c59f9fe1531e4286ecb21fe53763165f30c5f58dc90

    • SHA512

      398ef0e5ffb6f914a2d1df23f12561153ef52ea28d345232cbb2daa84c43d1f1934be0c40d00b2502c2437c2733d0cdf75d24be6a8b47fc69648ad16c0bb4858

    Score
    10/10
    babukransomware

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

      ransomwarebabuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral25behavioral26

    • Target

      63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85

    • Size

      25KB

    • MD5

      a22ca06bb3a58d4ca2bca856434b96f3

    • SHA1

      4a12e232b2442746334ef5d94fab4c3577b33de7

    • SHA256

      63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85

    • SHA512

      e0f22e150d52b22a2033a4e9a8f99f2d17a2eb496d039b11ef217a94c711f51db4f5b07d941335ace99c10d824fc547494b2b3ee2458c8239853d4780fe283c1

    Score
    10/10
    ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral27behavioral28

MITRE ATT&CK Enterprise v6

Tasks

static1

upx
Score
8/10

behavioral1

ransomware
Score
9/10

behavioral2

ransomware
Score
9/10

behavioral3

babukransomware
Score
10/10

behavioral4

babukransomware
Score
10/10

behavioral5

babukransomware
Score
10/10

behavioral6

babukransomware
Score
10/10

behavioral7

ransomware
Score
9/10

behavioral8

ransomware
Score
9/10

behavioral9

babukransomware
Score
10/10

behavioral10

babukransomware
Score
10/10

behavioral11

babukransomware
Score
10/10

behavioral12

babukransomware
Score
10/10

behavioral13

ransomware
Score
10/10

behavioral14

ransomware
Score
10/10

behavioral15

babukransomware
Score
10/10

behavioral16

babukransomware
Score
10/10

behavioral17

babukransomware
Score
10/10

behavioral18

babukransomware
Score
10/10

behavioral19

babukransomware
Score
10/10

behavioral20

babukransomware
Score
10/10

behavioral21

babukransomware
Score
10/10

behavioral22

babukransomware
Score
10/10

behavioral23

babukransomware
Score
10/10

behavioral24

babukransomware
Score
10/10

behavioral25

babukransomware
Score
10/10

behavioral26

babukransomware
Score
10/10

behavioral27

ransomware
Score
10/10

behavioral28

ransomware
Score
10/10