babar | 57437a675cae8e71ac33cd2e001ca7ef1b206b028f3c810e884223a0369d2f8a

Resubmissions

26-12-2023 16:24

231226-twbvsaccf4 3

26-12-2023 16:15

231226-tqnx6ahgal 10

29-01-2022 23:00

220129-2yznmabeg7 1

Sharing

Copy URL

Twitter E-mail

General

Target

57437a675cae8e71ac33cd2e001ca7ef1b206b028f3c810e884223a0369d2f8a
Size

585KB
MD5

4582d9d2120fb9c80ef01e2135fa3515
SHA1

5da5079754d975d5b04342abf9d60bd0bae181a0
SHA256

57437a675cae8e71ac33cd2e001ca7ef1b206b028f3c810e884223a0369d2f8a
SHA512

9817c5a643bae89340dc4900851291866a3607e84c446f690032e64818c2a08483d056436206c55ea0eeb8b8f0c47761dcc976d08d75dee0df6580a8f18a6319
SSDEEP

12288:n1YswqlXRo/XlXSL4Fw+jo8x0cnmZMLU5tBgF8:1llXW/XRSL4Fw+jDx0cmT5DgF8

Score

10^/10

spyware babar

Malware Config

Signatures

Babar 1 IoCs

Babar is a fully blown espionage tool, built to excessively spy on its victims.

spyware

resource	yara_rule
sample	family_babar

Babar family
babar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
57437a675cae8e71ac33cd2e001ca7ef1b206b028f3c810e884223a0369d2f8a

Files

57437a675cae8e71ac33cd2e001ca7ef1b206b028f3c810e884223a0369d2f8a
.dll windows:5 windows x86 arch:x86

caf7624af4696ebede0878f506c8cc01

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateMutexA
ReleaseMutex
WaitForMultipleObjects
SetEvent
WriteFile
ReadFile
LeaveCriticalSection
EnterCriticalSection
WaitNamedPipeA
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ConnectNamedPipe
DisconnectNamedPipe
CancelIo
GetOverlappedResult
CreateNamedPipeA
CreateEventA
TerminateThread
ResumeThread
CreateThread
FreeLibraryAndExitThread
CreateFileW
VirtualQuery
VirtualProtect
VirtualAlloc
InterlockedCompareExchange
GetCurrentThreadId
FlushInstructionCache
GetThreadContext
SetThreadContext
SuspendThread
GetCurrentThread
SetLastError
GlobalFree
GlobalUnlock
GlobalAlloc
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
UnmapViewOfFile
GetProcAddress
GetExitCodeThread
VirtualFreeEx
WaitForSingleObject
InterlockedIncrement
GlobalLock
GlobalSize
RemoveDirectoryA
FlushFileBuffers
SetFilePointer
GetFileSize
SetEndOfFile
MultiByteToWideChar
GetUserDefaultLangID
GetSystemDefaultLangID
GetComputerNameA
FindClose
FindNextFileA
GetDriveTypeA
FindFirstFileA
GetLogicalDriveStringsA
ExpandEnvironmentStringsA
HeapFree
HeapAlloc
GetProcessHeap
FreeLibrary
LoadLibraryA
DeleteFileW
GetShortPathNameA
DeleteFileA
GetEnvironmentVariableA
GlobalGetAtomNameA
SetEnvironmentVariableA
CompareStringW
CompareStringA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GlobalAddAtomA
SetStdHandle
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetStringTypeW
GetStringTypeA
InitializeCriticalSectionAndSpinCount
CreateDirectoryA
GetTickCount
GetCurrentProcessId
GetCurrentProcess
GetLastError
LocalAlloc
CloseHandle
InterlockedDecrement
LocalFree
GlobalAddAtomW
InterlockedExchange
Sleep
GlobalDeleteAtom
GlobalFindAtomA
GetModuleFileNameA
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetTimeZoneInformation
GetFullPathNameW
GetConsoleMode
GetVersionExA
GetModuleHandleA
GetStartupInfoA
GetSystemTimeAsFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
RtlUnwind
GetDriveTypeW
FindFirstFileW
HeapReAlloc
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RaiseException
GetCommandLineA
GetModuleHandleW
ExitProcess
GetFullPathNameA
GetCurrentDirectoryA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
HeapCreate
HeapDestroy
VirtualFree
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringA
WideCharToMultiByte
LCMapStringW
GetStdHandle
SetHandleCount
GetFileType
GetConsoleCP

user32

GetWindowTextA
GetWindowTextLengthA
GetWindowThreadProcessId
EnumWindows
CreateWindowExA
GetMessageA
DispatchMessageA
GetWindowTextLengthW
GetWindowTextW
wsprintfW
IsWindow
GetDC
GetWindowDC
ReleaseDC
GetClientRect
GetWindowRect
UnhookWindowsHookEx
SendMessageTimeoutA
SetWindowsHookExA
PostMessageA
DestroyWindow
PeekMessageA
TranslateMessage
CallNextHookEx

gdi32

GetDeviceCaps
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
DeleteDC
GetDIBits
CreateCompatibleDC

advapi32

RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKey
GetUserNameA
FreeSid
CheckTokenMembership
RegDeleteValueA
RegSetValueExA
RegCreateKeyExA

ole32

CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CreateStreamOnHGlobal
CoCreateInstance

oleaut32

VariantClear

Exports

Exports

DllInstall
FindCtxSectionGuidA
FindCtxSectionStringA
FindCtxSectionStringW

Sections

.text
Size: 408KB - Virtual size: 408KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 126KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ss
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

caf7624af4696ebede0878f506c8cc01

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 408KB - Virtual size: 408KB

.rdata Size: 126KB - Virtual size: 126KB

.data Size: 27KB - Virtual size: 58KB

.ss Size: 512B - Virtual size: 84B

.reloc Size: 20KB - Virtual size: 20KB

.text
Size: 408KB - Virtual size: 408KB

.rdata
Size: 126KB - Virtual size: 126KB

.data
Size: 27KB - Virtual size: 58KB

.ss
Size: 512B - Virtual size: 84B

.reloc
Size: 20KB - Virtual size: 20KB