General
-
Target
989a13464845131fc51872c4155886fb9bbda534df9a58e361bce5a298463a3f
-
Size
10.2MB
-
Sample
220524-sjn4xafea2
-
MD5
81a5c617e71c3322275a5886fba8f3e2
-
SHA1
7fa7823659a5cb0177f0b33bc18d8b55dd75782a
-
SHA256
989a13464845131fc51872c4155886fb9bbda534df9a58e361bce5a298463a3f
-
SHA512
33eafdf12e021f2c441ceb7f4e20c9a87f1947dd9fa704a427faaf17a99d08b1b29f924481426fe6cca462e6ce25c7962d4f0efbb1f65c4ac74931de2605ceef
Malware Config
Targets
-
-
Target
989a13464845131fc51872c4155886fb9bbda534df9a58e361bce5a298463a3f
-
Size
10.2MB
-
MD5
81a5c617e71c3322275a5886fba8f3e2
-
SHA1
7fa7823659a5cb0177f0b33bc18d8b55dd75782a
-
SHA256
989a13464845131fc51872c4155886fb9bbda534df9a58e361bce5a298463a3f
-
SHA512
33eafdf12e021f2c441ceb7f4e20c9a87f1947dd9fa704a427faaf17a99d08b1b29f924481426fe6cca462e6ce25c7962d4f0efbb1f65c4ac74931de2605ceef
Score10/10-
suricata: ET MALWARE Babax Stealer Exfil via Telegram
suricata: ET MALWARE Babax Stealer Exfil via Telegram
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-