babuk | 45438e0d6a47a90beea24d4bb1d0a4387032a12a9b7d64b2e08986cbfb264406 | Triage

Resubmissions

11-03-2023 15:20

230311-sqvv2abh7w 7

11-03-2023 13:56

230311-q8tpksbf8y 10

Sharing

General

Target

Desktop.zip
Size

441KB
Sample

230311-q8tpksbf8y
MD5

9939ec0b4762cb5f5aef3116ec62763d
SHA1

b6571f2c205412d9c7b2cf0a5aabda448844b634
SHA256

45438e0d6a47a90beea24d4bb1d0a4387032a12a9b7d64b2e08986cbfb264406
SHA512

d3a1314e0f44de3f20aae125851173e36a704daf0fcf14327b1c9341059311c3174e5aad274f5cbad08e8b71bbdaa93f590f2480f5c3ec6b7d0fe2c546125a6f
SSDEEP

12288:FCK5maH/V4sBXIxzv1C0sSihBVW6CDg1K1on61UDhG:T7C5S072BlCk14on61kG

Score

10^/10

babuk ransomware spyware stealer

Malware Config

Targets

- Target
  
  Desktop.zip
- Size
  
  441KB
- MD5
  
  9939ec0b4762cb5f5aef3116ec62763d
- SHA1
  
  b6571f2c205412d9c7b2cf0a5aabda448844b634
- SHA256
  
  45438e0d6a47a90beea24d4bb1d0a4387032a12a9b7d64b2e08986cbfb264406
- SHA512
  
  d3a1314e0f44de3f20aae125851173e36a704daf0fcf14327b1c9341059311c3174e5aad274f5cbad08e8b71bbdaa93f590f2480f5c3ec6b7d0fe2c546125a6f
- SSDEEP
  
  12288:FCK5maH/V4sBXIxzv1C0sSihBVW6CDg1K1on61UDhG:T7C5S072BlCk14on61kG
Score

1^/10
behavioral1 behavioral2
- Target
  
  babyk/babyk.exe
- Size
  
  79KB
- MD5
  
  dd82341bde54c2d34496523a463d2771
- SHA1
  
  a193b2770d17a6405e92f6e28840e1b87db45356
- SHA256
  
  4b5438ad0818c9fe1e9aa6d43bca9ef0bced418365e71340e44dd3cc5a2ad54a
- SHA512
  
  c027bcc7ecd1761c6c4cbb32d528f40b123f80c6aa498c22e35aeddd064d4533fbf31fc93915bb29d5f3fc72811452fe988b9524ae01b3d630f5ccffc98525f8
- SSDEEP
  
  1536:rKkWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:yBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc
Score

10^/10

babuk ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4
- Target
  
  babyk/builder.exe
- Size
  
  72KB
- MD5
  
  24b900f5b1ddde73743bd5f974e3dd26
- SHA1
  
  bb767c8fae9dec637d20611d5bb77e5e2cb6061a
- SHA256
  
  2ff8bc1c9154579a490fc26601713873e8ecd1af824a72c5eff514ce75fe0641
- SHA512
  
  85ea92fd49bb9cfd28544c786c1352254d045dbafa150ff9d884152d7a988adc5355135ef28b79b8c37fbbe51f7a4914d1c8ffb37bbcfc95ef395f4011525b67
- SSDEEP
  
  768:l8LRzRDRzR/KXsMQ1aUHhlvVMSOBBanNb+6Y9Luwizgevrj3maLhsIijSCDzyU:luK8MyxMSOBQoawSgejj1Lhs9IU
Score

1^/10
behavioral5 behavioral6
- Target
  
  babyk/decryptor.exe
- Size
  
  69KB
- MD5
  
  e1b2cfa88cc03d30a6f6268b72babbc4
- SHA1
  
  f75c083f9fef28ca9cd5d05c9172dc44477712d6
- SHA256
  
  4192105a7de1145b81bf2debf8940f3d3afe02f8237d57fbeaf108179b922f35
- SHA512
  
  2ac7011bb28a1cd53d6ff793923f0b9879b830154e9a0dd1c86406e1fd33507398b4575ffc11df08e6c27305e2ca69022594dc711a83a4f6c75f760f0ab495c2
- SSDEEP
  
  1536:Ei6+W1BBsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2wARxYTs88:y+WhsrQLOJgY8Zp8LHD4XWaNH71dLdGo
Score

3^/10
behavioral7 behavioral8
- Target
  
  conti/decryptor.exe
- Size
  
  155KB
- MD5
  
  04dce97942dfb520fb4c12527c82164b
- SHA1
  
  0f25bf233a3e6b4a84aad701fc8d50e28d2766f0
- SHA256
  
  142cf75bc8dbfbd76f21f48b86ecbe11297e94071c9c55c1ee280d95c6ac6814
- SHA512
  
  dd9b1189f6baa3e2a345c4ad233438bb1af46e5d8c1ea4280676d4115ca51da9400672f70bf9bc5d7320798244f489c972fb0ce1420eea94368e4fe1285a1e93
- SSDEEP
  
  1536:THCXKoIcuow+zOOm3gQgXAcDAaX1fWgQhoSyg4b+3nmvJmu:TSRuoGOm3gQgXAOAaX1ugQhoSV4uUn
Score

1^/10
behavioral10 behavioral9
- Target
  
  conti/locker.exe
- Size
  
  1.4MB
- MD5
  
  f9f2b0dca4ff4365b98599afb5c1e14e
- SHA1
  
  9cac04b31f29b81c89cfd840e160a1185768c699
- SHA256
  
  2b19e130390bf1a65c40a909a3dc5ce2af96d921d2bb4949724be9085e0abbe7
- SHA512
  
  52d586efaeea2e3350e08ce53b3b8fef63c4cd22eab757aa7d42a6534011d505ad14c39b59d70f45a17ed0035bc234fd0dffef209739a81cae8841b214d1308a
- SSDEEP
  
  12288:GZH7AAO2VRbDEsLC3L79iiauuxJ8QahIha4B7ByfdoiUriupSezaVm:GZH7Hc3L7yJGhIha4B1yfui8b2m
Score

7^/10

spyware stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral11 behavioral12

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

behavioral2

behavioral3

babukransomware

behavioral4

babukransomware

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12