General

  • Target

    exe.ransomware.lockbit.zip

  • Size

    66.5MB

  • Sample

    221201-gp54tsec7w

  • MD5

    dd96e1a6f74ed2d418ebb5be0198f46b

  • SHA1

    039702613f0fda0e2e67f3720cf47863543a0484

  • SHA256

    5339981168dfcefb874dc7e82563fa7aca047f17b1184ae8db9336a2335473a9

  • SHA512

    2e748d5eb91cd811c872ddb692739273d5497fd9e48353d418e783f5ce154fa5d3bc178c9023037f785c3328340ca3cbd12f396cf7abb18f3a0f2727fa9662dc

  • SSDEEP

    786432:1VHIImoKfuQsMVwtzyyOyqwEqv0Zf3YLcWzr6RBWQ0+Bzfysaq:ZKmQsM9nZf3IcWQ0+BzfKq

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
----------- [ Hello! ] ------------->
****BY NAME LOCKER****
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us.
How to contact us?
----------------------------------------------
support: collen1r7ssh@mail.com
admin: brh47cordas@mail.com
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!
Emails

collen1r7ssh@mail.com

brh47cordas@mail.com

Extracted

Path

C:\Restore Your Files.txt

Ransom Note
[+] What has happened? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension ".chernobyl". You can restore everything, but you need to follow our instructions. Otherwise, you can never return your data. And that shouldn't be the only worry on you mind, since we downloaded sensitive information from your network prior to it's encryption. If our demands are not met, we'd be forced to release it publicly. Some highly valuable information will be sold to other cybercriminals who would be commiting financial fraud for the upcoming month with the personal data of your employees
[+] Guarantees [+]
To restore your network and secure the personal information of your company - you should pay the ransom. We guarantee that we will restore your network, delete all your data from our servers, it will not be leaked nor sold anywhere. That is our promise and business model
In addition we will provide you with instructions on patching vulnerabilities in the network so that you would be secure in the future. Consider it a cybersecurity expenditure, and us - consulting/auditing company, albeit illegal but very professional one
Now to the main agenda: we demand 60 thousands EUR in bitcoin, it's a very modest price compared to what you'd be asked for network restoration or hiring cybersecurity company to deal with vulnerabilities(and I promise you, they can't recover your data - usually they just receive hefty payment, pay the asked ransom from it and save the cut, they're real crooks :D) Also this sum includes dissuasion to sell your data, which would damage your reputation. If you pay - nothing will be leaked nor sold
[+] How to pay/negotiate [+]
Our contact details are as follows: chernobylransomware@protonmail.com
Btc wallet for payment: 1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2
You can google how to buy bitcoins, it's fairly straightforward and easy nowadays.
As soon as the payment done, we will send you the decryption keys along with instructions on how to use it. Additionally we will provide you with guidance on how to fix vulnerabilities or answer any of your questions on the topic, feel free to contact us
-----------------------------------------------------------------------------------------
We advise against using any sofware to restore your files. You will certainly not succeed but you might damage them so that further restoration will be impossible. On our part, we guarantee help
-----------------------------------------------------------------------------------------
With regards, Valeriy Legasov, CTO of Chernobyl Group
Emails

chernobylransomware@protonmail.com

Wallets

1PbjpEYvCK7GCB4FmaZEewMjhT7N6rWnn2

Extracted

Path

C:\Help Restore Your Files.txt

Ransom Note
ATTENTION!
Gentlemen! Your business is at serious risk. There is a significant flaw in your company's security system. We easily penetrate your network. You should thank the Lord that you were invaded by serious people, not some stupid students or dangerous punks. They can damage all your important data just for fun.
Now your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Nobody can help you restore files without our special decoder. The only file recovery method is to buy a decryption tool and an exclusive key for you Delta Plus 2.4 version. This software will decrypt all your encrypted files.
What guarantees do you have?
Free decryption as a guarantee
You can send us up to 1 file for free decryption. The file size must be less than 1 Mb (not archived). We do not decrypt for testing DATABASE, XLS and other important files. Remember this.
decoding cost
The cost of decryption is $10,500 USD. We only receive payment in BITCOINS. (Bitcoin is a form of digital currency) 50% discount available if you contact us within the first 72 hours, the price for you is $5250 USD. Each day of delay will cost you an additional $100
nothing personal just business
contact emails deltapaymentbitcoin@gmail.com or retrievedata300@gmail.com
Value First 72 hours: $5250 USD.
Bitcoin Address: 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
No system is secure
Emails

deltapaymentbitcoin@gmail.com

retrievedata300@gmail.com

Wallets

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs

Extracted

Path

C:\MSOCache\How To Restore Your Files.txt

Ransom Note
----------- [ Hello world! ] ------------->
****BY BABUK LOCKER****
Ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. Now that we got your attention, lets make it short...
-WHAT HAPPENED?
----------------------------------------------
Some bad news...
-All the files on your computer/network have been encrypted with SHA-256, ChaCha8 and ECC algorithms-translated, you can't open/decrypt your files on your own.
-All your files such as customers info, scans, billing, insurance, passports... are in our hands now and we might decide to sell/make them public if you dont contact us.
-Dont forget about GDPR )
----------------------------------------------
Some good news...
-Contact us with the information below and you will recover all your data with our universal decryptor and we will permanently delete your info from our servers.
WHAT GUARANTEES?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. Just google us, we have the decryption keys and we never leaked information of any paying company. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. Also information on how all this happened and further information to help you increase your network security, so this won't happen again.
How to contact us? Good decision)
----------------------------------------------
-Send us an email: iamunknown@keemail.me babyk@mail2tor.com make sure you check your spam folder for our reply.
-qTox for instant support, download TOX (https://tox.chat/download.html): our tox ID: 81B2B719AB9BDDCE9116776FA01956C2D4BB8A7CA5464592593F9A25DA1F91174391480C6DC0
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
Customer ID: S01E01AMS-DB7
Emails

iamunknown@keemail.me

babyk@mail2tor.com

URLs

https://tox.chat/download.html

Targets

    • Target

      exe.ransomware.babuk/00/99/96/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879/0099963E7285AEAFC09E4214A45A6A210253D514CBD0D4B0C3997647A0AFE879

    • Size

      79KB

    • MD5

      e3dd1eb73e602ea95ad3e325d846d37c

    • SHA1

      a0a4fb4a58f663d2ff12d6efac1b07b63eb03e28

    • SHA256

      0099963e7285aeafc09e4214a45a6a210253d514cbd0d4b0c3997647a0afe879

    • SHA512

      0bac92222143f699a5c01403b6aeefdc8b05fa73928186bee9e8a63d8f9da7486b5e4a5720bade9be17e884f8ef651e3f0bbb0c556b33e330f8788832d22a639

    • SSDEEP

      1536:F6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:RhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    9/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/00/E5/59/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F/00E559A406F5D78514ADA50FE573374D78FCC5C12C6D443D07311131B2542E2F

    • Size

      79KB

    • MD5

      e9fca248189c7cf66e7b6471713b0f98

    • SHA1

      a17d9d6dbb4fda3aa7bd4600d0fef75cc9a8a405

    • SHA256

      00e559a406f5d78514ada50fe573374d78fcc5c12c6d443d07311131b2542e2f

    • SHA512

      460c32147156d63160a51a7710be9bd4c1bcea944a54c0fe57adc05911377ef922e3d9e2c9a310d664c2c20d683454cc5984395649e47ec6a2033d6d15ab900d

    • SSDEEP

      1536:r6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:vhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/02/8F/AC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC/028FACFF67136DE55FE200177A190DA625C8E1713B4E7D95BF5FC5412A5AFFFC

    • Size

      79KB

    • MD5

      eb9e0b14e2235af24eeee881892fc825

    • SHA1

      3fb00aa10ccfaedfd29f8b01ef6ef4434d260eb9

    • SHA256

      028facff67136de55fe200177a190da625c8e1713b4e7d95bf5fc5412a5afffc

    • SHA512

      c341517ba090bf530bd1324758644c8d6d2e488912bae19e0b066d508f3e37845ca8b39e5ee86fe75b22126d5d4bcb4957f58e02360c2606f9c0278382238c0a

    • SSDEEP

      1536:m6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:ghZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/02/94/11/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59/0294114D5F411B6C47EB255D4ED6865DF99D1C5252F4F585AABF44E6CBACAA59

    • Size

      79KB

    • MD5

      d3c83232b0e85485724c4029e8b93dc1

    • SHA1

      2cfe3762a2e0c7e9a15bd617e693076f47d84028

    • SHA256

      0294114d5f411b6c47eb255d4ed6865df99d1c5252f4f585aabf44e6cbacaa59

    • SHA512

      07d83a9b09452eab085bec3819a1bd5353e2364c134cf87fe0c1a6770ed447d32cb954c98337ca6121fce2db1dff05a5ea5518239f4bb02ca50dabee02cab490

    • SSDEEP

      1536:2PG6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:OAhZ5YesrQLOJgY8Zp8LHD4XWaNH71dc

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/02/E9/88/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3/02E9883501635DA9B501E715BB827A0B9D0C265991F1263F073EB6C5D9B335C3

    • Size

      79KB

    • MD5

      c7ec4e7022f26949ed39033616efe894

    • SHA1

      0e4da1fa8b3bc8b2f410cfd7230b9fc70dc10670

    • SHA256

      02e9883501635da9b501e715bb827a0b9d0c265991f1263f073eb6c5d9b335c3

    • SHA512

      04976b2e50e5f7f7a067b0dc07072f22c607d8ae6c33b4ec4e65a851b71bef939725f29fdeaa7a943033a9aa6b5f9a09f1d029860a0dbd6184be768754982aff

    • SSDEEP

      1536:/hkWBeGnwEvWsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:LBevwWsrQLOJgY8Zp8LHD4XWaNH71dLc

    Score
    9/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/03/11/0B/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7/03110BAA5AAD9D01610293F2B8CD21B44CC7EFA0A465E677D6B3F92510A4B1D7

    • Size

      79KB

    • MD5

      1dbd0abfdd692d5939f2aa201674d870

    • SHA1

      5a8d3472a642eb62cfde5e4db469c62422b16792

    • SHA256

      03110baa5aad9d01610293f2b8cd21b44cc7efa0a465e677d6b3f92510a4b1d7

    • SHA512

      ad1398d865cda6c009cfab67901fcb7f2928a5b7dfd8cdc0a892bb6f1ec62f8d492f1f3a59277afac2251ebe2069a243b66d57754629290bbf68791f586c7311

    • SSDEEP

      1536:d6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:5hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/04/12/6B/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3/04126B30C1C2663CDF2B6386781AEDBFCE2EF418A0B01DE510BD536903F577E3

    • Size

      72KB

    • MD5

      1b1285367305da0324daf76b0d524086

    • SHA1

      61bae11359a57fb4238374da269c05232068a6db

    • SHA256

      04126b30c1c2663cdf2b6386781aedbfce2ef418a0b01de510bd536903f577e3

    • SHA512

      c1f655f665008cf40c1a8222f56b44a9bdf8959d913eb5dc0cff8a9c4ac5db8b35f6ea9828748e344c13337bd618956494c7ff4c4347df6d02525b0e9376909d

    • SSDEEP

      1536:3rM/TWBeGB3yKNQETsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2905:3Be1asrQLOJgY8Zp8LHD4XWaNH71dLdH

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/04/9E/53/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8/049E53F72C8AFA5CCB850429D55A00E2FBE799E68247FD13F5058146CF0F4CF8

    • Size

      79KB

    • MD5

      643c8c25fbe8c3cc7576bc8e7bcd8a68

    • SHA1

      5440796acedc3d0d847c8a812e5e647460ae3a27

    • SHA256

      049e53f72c8afa5ccb850429d55a00e2fbe799e68247fd13f5058146cf0f4cf8

    • SHA512

      d2042c4a908a53b59e52cc3ebf4c13fd7c537761de8fe33a65a664a055b13b6c58fbb482824e68764a09299affe1b592e72b6c846d8a65ddb1ace6a396bc371c

    • SSDEEP

      1536:4dikWBeG/LEq1srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:HBeMJ1srQLOJgY8Zp8LHD4XWaNH71dLT

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/05/AD/C9/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F/05ADC97ABE6349C6132AA4AB44006B51945225A1EC764C87B781D5044A4E176F

    • Size

      79KB

    • MD5

      71c3b5e49e75e1d593b81bdc9cca7507

    • SHA1

      911bc4790b653276e946a05bce4bb583192c61dd

    • SHA256

      05adc97abe6349c6132aa4ab44006b51945225a1ec764c87b781d5044a4e176f

    • SHA512

      e954e1e30075f378f4c87f1f29b0aadb908b08cec81cf671df552d56a21387abb31a07843c8786f63cb1797f983db7c9b18a8d82cd68051305c972bb81b34736

    • SSDEEP

      1536:R6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:9hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/08/99/29/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057/089929F1CDE37E9FD14DD09A7844272678AC48E47887EDE23B561D156FE50057

    • Size

      68KB

    • MD5

      ca8f16095de5ba8a08b1feb119eac680

    • SHA1

      7644cb98ba41682021727232b547d2712419490e

    • SHA256

      089929f1cde37e9fd14dd09a7844272678ac48e47887ede23b561d156fe50057

    • SHA512

      d4dc713f02f191faab71b9b5122ef5992632e712de1c5c3b2a36ab919cb45048ed8981fc95624aee1be05579ec8e3f18a9ba47b33f8ae31d150efb0930c6f705

    • SSDEEP

      1536:yohF6+Kmq1sAFmDR3zzLssrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2pyqMsi:yQY+KmqOAADR3zcsrQLOJgY8Zp8LHD4G

    Score
    3/10
    • Target

      exe.ransomware.babuk/0B/93/A0/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F/0B93A024B5D6874D7BB69ABD7F0E2D54A67C602584575A9B6D1212BAAE81442F

    • Size

      79KB

    • MD5

      2245c35306910a280961d356e4b5ab94

    • SHA1

      0ca5cc08a4f5226332d2ce49a9131216ac32bec2

    • SHA256

      0b93a024b5d6874d7bb69abd7f0e2d54a67c602584575a9b6d1212baae81442f

    • SHA512

      09342308aebf1f5bcf494904b00eba2df9faa75c1d884dd8f2e706e4429905244e269bedc28c71d692348a87a257a4b00b12aa79e9a9b7f7498a441a73344ac4

    • SSDEEP

      1536:m6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:ghZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/0B/BA/AB/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23/0BBAABB3C8603C5C10BE282DFD13C776612FDE54D18DDD06A96AD42E9B3BAF23

    • Size

      68KB

    • MD5

      4f10d3d19db282da43446544e07e7aab

    • SHA1

      25a558a01a14282d4075490d6ca8beacd7cc4b06

    • SHA256

      0bbaabb3c8603c5c10be282dfd13c776612fde54d18ddd06a96ad42e9b3baf23

    • SHA512

      05eba8c6d07d10198014ca418c800df45dfb62e566ef7c20362773635fedffc083aa1de21b82aac54acfceb6f32ad3f9d627af605373f24b2fd4f2873fb27fd9

    • SSDEEP

      1536:yHjUeTD0DsbEmDx1xhiBsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hyqM8EQ:yDUeTD0gbrDx1xusrQLOJgY8Zp8LHD4D

    Score
    3/10
    • Target

      exe.ransomware.babuk/0C/55/C4/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5/0C55C4FB23178948E0DF495158B290CCE676BC93C5927E8EA57D93B3128972F5

    • Size

      79KB

    • MD5

      a55fa9c010416b233a1f8e63b658ecbc

    • SHA1

      75a580aa9cc3f4901e229843411f6e2669256525

    • SHA256

      0c55c4fb23178948e0df495158b290cce676bc93c5927e8ea57d93b3128972f5

    • SHA512

      71889ebe24f6836c08db83f36f54dc53b4ef8d2d3f31a1e42e68e40eb74f6ffaa4456a3876a4dd2f7da9e4783c41c768f964d50c8da0d96748fe06257d07dacf

    • SSDEEP

      1536:n6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:bhZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    Score
    10/10
    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/0D/3A/60/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA/0D3A60C89463AC1E39FA7CFF05F7AB365B32096E89F49000F26ECDD1D542D5EA

    • Size

      78KB

    • MD5

      754f324349f65108552dab958549739a

    • SHA1

      02b05c57c37e3a1abb4e6f06a0c53af24013cfa0

    • SHA256

      0d3a60c89463ac1e39fa7cff05f7ab365b32096e89f49000f26ecdd1d542d5ea

    • SHA512

      4f03387bd3473dc70854647efb8876ed487e3e8aa0c00729cc25c2cebeb75adf394f7f3cb78b8c7970132bce12c913c4d51d1cd841dfbeeacf968c58ec866c84

    • SSDEEP

      1536:J1kWBeGcADE6fsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2EMfq:5Bek5fsrQLOJgY8Zp8LHD4XWaNH71dLM

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      exe.ransomware.babuk/10/5A/F5/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B/105AF5C40C65F51979308E022C25DD285DB3CD20E9656CAABA0E9B1FC253898B

    • Size

      67KB

    • MD5

      63b475e11b85f91942bcec10cc77bee9

    • SHA1

      450d3c8a613146140d04d2b75de90acee48958eb

    • SHA256

      105af5c40c65f51979308e022c25dd285db3cd20e9656caaba0e9b1fc253898b

    • SHA512

      1e55613646f3aabb692b1aa7fd20545730ba982720d52dd49dc233fba488f70bd0d5a889f26d6a955700ee5ec664d55569d4e927fc1aee4e26cc2e528ccf34d1

    • SSDEEP

      1536:PhkWBeG/LEOSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG27:LBe8dSsrQLOJgY8Zp8LHD4XWaNH71dLr

    Score
    1/10
    • Target

      exe.ransomware.babuk/10/61/18/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223/106118444E0A7405C13531F8CD70191F36356581D58789DFC5DF3DA7BA0F9223

    • Size

      78KB

    • MD5

      b43e8b865d3339eeb8b8b11f900f6c89

    • SHA1

      52538e17d4dc85c22f6a01acbbc8caa7447a50b0

    • SHA256

      106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223

    • SHA512

      cc31cbf27ab26bd026c6a92af518ecf5fdaf32c1607813c192fb080de2f8ed54b8f9b360c14f885db5ffd65ea99c013a36109e2e7c5c813f451eb3865f1c9ae0

    • SSDEEP

      1536:8LhkWBeG/LEOSsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Osf:UBe8dSsrQLOJgY8Zp8LHD4XWaNH71dLT

    Score
    10/10
    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • File Deletion (T1107): 26

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 26

  • System Information Discovery (T1082): 41

  • Peripheral Device Discovery (T1120): 13

Collection

  • Data from Local System (T1005): 1

Impact

  • Inhibit System Recovery (T1490): 26

Tasks

  • static1: upx, medusalocker (Score 10/10)

  • behavioral1: ransomware (Score 9/10)

  • behavioral2: ransomware (Score 9/10)

  • behavioral3: babuk, ransomware (Score 10/10)

  • behavioral4: babuk, ransomware (Score 10/10)

  • behavioral5: babuk, ransomware (Score 10/10)

  • behavioral6: babuk, ransomware (Score 10/10)

  • behavioral7: babuk, ransomware (Score 10/10)

  • behavioral8: babuk, ransomware (Score 10/10)

  • behavioral9: ransomware (Score 9/10)

  • behavioral10: ransomware (Score 9/10)

  • behavioral11: babuk, ransomware (Score 10/10)

  • behavioral12: babuk, ransomware (Score 10/10)

  • behavioral13: ransomware (Score 10/10)

  • behavioral14: ransomware (Score 10/10)

  • behavioral15: ransomware (Score 10/10)

  • behavioral16: ransomware (Score 10/10)

  • behavioral17: babuk, ransomware (Score 10/10)

  • behavioral18: babuk, ransomware (Score 10/10)

  • behavioral19: no tags (Score 3/10)

  • behavioral20: no tags (Score 3/10)

  • behavioral21: babuk, ransomware (Score 10/10)

  • behavioral22: babuk, ransomware (Score 10/10)

  • behavioral23: no tags (Score 3/10)

  • behavioral24: no tags (Score 3/10)

  • behavioral25: babuk, ransomware (Score 10/10)

  • behavioral26: babuk, ransomware (Score 10/10)

  • behavioral27: ransomware, spyware, stealer (Score 9/10)

  • behavioral28: ransomware, spyware, stealer (Score 9/10)

  • behavioral29: no tags (Score 1/10)

  • behavioral30: no tags (Score 1/10)

  • behavioral31: ransomware (Score 10/10)

  • behavioral32: ransomware (Score 10/10)