Resubmissions

  11-03-2023 15:20    230311-sqvv2abh7w    7

  11-03-2023 13:56    230311-q8tpksbf8y    10

General

  • Target

    Desktop.zip

  • Size

    441KB

  • Sample

    230311-q8tpksbf8y

  • MD5

    9939ec0b4762cb5f5aef3116ec62763d

  • SHA1

    b6571f2c205412d9c7b2cf0a5aabda448844b634

  • SHA256

    45438e0d6a47a90beea24d4bb1d0a4387032a12a9b7d64b2e08986cbfb264406

  • SHA512

    d3a1314e0f44de3f20aae125851173e36a704daf0fcf14327b1c9341059311c3174e5aad274f5cbad08e8b71bbdaa93f590f2480f5c3ec6b7d0fe2c546125a6f

  • SSDEEP

    12288:FCK5maH/V4sBXIxzv1C0sSihBVW6CDg1K1on61UDhG:T7C5S072BlCk14on61kG

Malware Config

Targets

    • Target

      Desktop.zip

    • Size

      441KB

    • MD5

      9939ec0b4762cb5f5aef3116ec62763d

    • SHA1

      b6571f2c205412d9c7b2cf0a5aabda448844b634

    • SHA256

      45438e0d6a47a90beea24d4bb1d0a4387032a12a9b7d64b2e08986cbfb264406

    • SHA512

      d3a1314e0f44de3f20aae125851173e36a704daf0fcf14327b1c9341059311c3174e5aad274f5cbad08e8b71bbdaa93f590f2480f5c3ec6b7d0fe2c546125a6f

    • SSDEEP

      12288:FCK5maH/V4sBXIxzv1C0sSihBVW6CDg1K1on61UDhG:T7C5S072BlCk14on61kG

    Score: 1/10

    • Target

      babyk/babyk.exe

    • Size

      79KB

    • MD5

      dd82341bde54c2d34496523a463d2771

    • SHA1

      a193b2770d17a6405e92f6e28840e1b87db45356

    • SHA256

      4b5438ad0818c9fe1e9aa6d43bca9ef0bced418365e71340e44dd3cc5a2ad54a

    • SHA512

      c027bcc7ecd1761c6c4cbb32d528f40b123f80c6aa498c22e35aeddd064d4533fbf31fc93915bb29d5f3fc72811452fe988b9524ae01b3d630f5ccffc98525f8

    • SSDEEP

      1536:rKkWBeG/vEbmsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:yBeQsmsrQLOJgY8Zp8LHD4XWaNH71dLc

    Score: 10/10

    • Babuk Locker

      RaaS first seen in 2021 initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      babyk/builder.exe

    • Size

      72KB

    • MD5

      24b900f5b1ddde73743bd5f974e3dd26

    • SHA1

      bb767c8fae9dec637d20611d5bb77e5e2cb6061a

    • SHA256

      2ff8bc1c9154579a490fc26601713873e8ecd1af824a72c5eff514ce75fe0641

    • SHA512

      85ea92fd49bb9cfd28544c786c1352254d045dbafa150ff9d884152d7a988adc5355135ef28b79b8c37fbbe51f7a4914d1c8ffb37bbcfc95ef395f4011525b67

    • SSDEEP

      768:l8LRzRDRzR/KXsMQ1aUHhlvVMSOBBanNb+6Y9Luwizgevrj3maLhsIijSCDzyU:luK8MyxMSOBQoawSgejj1Lhs9IU

    Score: 1/10

    • Target

      babyk/decryptor.exe

    • Size

      69KB

    • MD5

      e1b2cfa88cc03d30a6f6268b72babbc4

    • SHA1

      f75c083f9fef28ca9cd5d05c9172dc44477712d6

    • SHA256

      4192105a7de1145b81bf2debf8940f3d3afe02f8237d57fbeaf108179b922f35

    • SHA512

      2ac7011bb28a1cd53d6ff793923f0b9879b830154e9a0dd1c86406e1fd33507398b4575ffc11df08e6c27305e2ca69022594dc711a83a4f6c75f760f0ab495c2

    • SSDEEP

      1536:Ei6+W1BBsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2wARxYTs88:y+WhsrQLOJgY8Zp8LHD4XWaNH71dLdGo

    Score: 3/10

    • Target

      conti/decryptor.exe

    • Size

      155KB

    • MD5

      04dce97942dfb520fb4c12527c82164b

    • SHA1

      0f25bf233a3e6b4a84aad701fc8d50e28d2766f0

    • SHA256

      142cf75bc8dbfbd76f21f48b86ecbe11297e94071c9c55c1ee280d95c6ac6814

    • SHA512

      dd9b1189f6baa3e2a345c4ad233438bb1af46e5d8c1ea4280676d4115ca51da9400672f70bf9bc5d7320798244f489c972fb0ce1420eea94368e4fe1285a1e93

    • SSDEEP

      1536:THCXKoIcuow+zOOm3gQgXAcDAaX1fWgQhoSyg4b+3nmvJmu:TSRuoGOm3gQgXAOAaX1ugQhoSV4uUn

    Score: 1/10

    • Target

      conti/locker.exe

    • Size

      1.4MB

    • MD5

      f9f2b0dca4ff4365b98599afb5c1e14e

    • SHA1

      9cac04b31f29b81c89cfd840e160a1185768c699

    • SHA256

      2b19e130390bf1a65c40a909a3dc5ce2af96d921d2bb4949724be9085e0abbe7

    • SHA512

      52d586efaeea2e3350e08ce53b3b8fef63c4cd22eab757aa7d42a6534011d505ad14c39b59d70f45a17ed0035bc234fd0dffef209739a81cae8841b214d1308a

    • SSDEEP

      12288:GZH7AAO2VRbDEsLC3L79iiauuxJ8QahIha4B7ByfdoiUriupSezaVm:GZH7Hc3L7yJGhIha4B1yfui8b2m

    Score: 7/10

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                        Count  ID
  Defense Evasion      File Deletion                    2      T1107
  Credential Access    Credentials in Files             1      T1081
  Discovery            Query Registry                   2      T1012
  Discovery            System Information Discovery     4      T1082
  Discovery            Peripheral Device Discovery      1      T1120
  Collection           Data from Local System           1      T1005
  Impact               Inhibit System Recovery          2      T1490

Tasks