babar | aa73634ca325022dperf585dll[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

aa73634ca325022dperf585dll.exe
Size

585KB
MD5

4525141d9e6e7b5a7f4e8c3db3f0c24c
SHA1

efbe18eb8a66e4b6289a5c53f22254f76e3a29bd
SHA256

aa73634ca325022dd6daff2df30484ec9031939044cf4c2a004cbdb66108281d
SHA512

122ec1390afd8cb9af85882c66a01a0bbef90a9962cf025368d8521d7e548b639c21c4cf1661fc6564e109b62d0e16999221560a3c95224c074130a4f6d117f8
SSDEEP

12288:SiTsYIHkC6xTp5SjYqwLTh8T4Ijx9xLIzLU5zCaH:BkkC6xLSjYqwLT6T4I9/L5zCaH

Score

10^/10

spyware babar

Malware Config

Signatures

Babar 1 IoCs

Babar is a fully blown espionage tool, built to excessively spy on its victims.

spyware

resource	yara_rule
sample	family_babar

Babar family
babar

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
aa73634ca325022dperf585dll.exe

Files

aa73634ca325022dperf585dll.exe
.dll windows:5 windows x86 arch:x86

caf7624af4696ebede0878f506c8cc01

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateMutexA
ReleaseMutex
WaitForMultipleObjects
SetEvent
WriteFile
ReadFile
LeaveCriticalSection
EnterCriticalSection
WaitNamedPipeA
CreateFileA
InitializeCriticalSection
DeleteCriticalSection
ConnectNamedPipe
DisconnectNamedPipe
CancelIo
GetOverlappedResult
CreateNamedPipeA
CreateEventA
TerminateThread
ResumeThread
CreateThread
FreeLibraryAndExitThread
CreateFileW
VirtualQuery
VirtualProtect
VirtualAlloc
InterlockedCompareExchange
GetCurrentThreadId
FlushInstructionCache
GetThreadContext
SetThreadContext
SuspendThread
GetCurrentThread
SetLastError
GlobalFree
GlobalUnlock
GlobalAlloc
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
UnmapViewOfFile
GetProcAddress
GetExitCodeThread
VirtualFreeEx
WaitForSingleObject
InterlockedIncrement
GlobalLock
GlobalSize
RemoveDirectoryA
FlushFileBuffers
SetFilePointer
GetFileSize
SetEndOfFile
MultiByteToWideChar
GetUserDefaultLangID
GetSystemDefaultLangID
GetComputerNameA
FindClose
FindNextFileA
GetDriveTypeA
FindFirstFileA
GetLogicalDriveStringsA
ExpandEnvironmentStringsA
HeapFree
HeapAlloc
GetProcessHeap
FreeLibrary
LoadLibraryA
DeleteFileW
GetShortPathNameA
DeleteFileA
GetEnvironmentVariableA
GlobalGetAtomNameA
SetEnvironmentVariableA
CompareStringW
CompareStringA
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
GlobalAddAtomA
SetStdHandle
GetLocaleInfoW
IsValidLocale
EnumSystemLocalesA
GetLocaleInfoA
GetUserDefaultLCID
GetStringTypeW
GetStringTypeA
InitializeCriticalSectionAndSpinCount
CreateDirectoryA
GetTickCount
GetCurrentProcessId
GetCurrentProcess
GetLastError
LocalAlloc
CloseHandle
InterlockedDecrement
LocalFree
GlobalAddAtomW
InterlockedExchange
Sleep
GlobalDeleteAtom
GlobalFindAtomA
GetModuleFileNameA
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetEnvironmentStrings
FreeEnvironmentStringsA
GetTimeZoneInformation
GetFullPathNameW
GetConsoleMode
GetVersionExA
GetModuleHandleA
GetStartupInfoA
GetSystemTimeAsFileTime
FileTimeToSystemTime
FileTimeToLocalFileTime
RtlUnwind
GetDriveTypeW
FindFirstFileW
HeapReAlloc
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RaiseException
GetCommandLineA
GetModuleHandleW
ExitProcess
GetFullPathNameA
GetCurrentDirectoryA
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
HeapCreate
HeapDestroy
VirtualFree
HeapSize
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
LCMapStringA
WideCharToMultiByte
LCMapStringW
GetStdHandle
SetHandleCount
GetFileType
GetConsoleCP

user32

GetWindowTextA
GetWindowTextLengthA
GetWindowThreadProcessId
EnumWindows
CreateWindowExA
GetMessageA
DispatchMessageA
GetWindowTextLengthW
GetWindowTextW
wsprintfW
IsWindow
GetDC
GetWindowDC
ReleaseDC
GetClientRect
GetWindowRect
UnhookWindowsHookEx
SendMessageTimeoutA
SetWindowsHookExA
PostMessageA
DestroyWindow
PeekMessageA
TranslateMessage
CallNextHookEx

gdi32

GetDeviceCaps
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
DeleteDC
GetDIBits
CreateCompatibleDC

advapi32

RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKey
GetUserNameA
FreeSid
CheckTokenMembership
RegDeleteValueA
RegSetValueExA
RegCreateKeyExA

ole32

CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoSetProxyBlanket
CreateStreamOnHGlobal
CoCreateInstance

oleaut32

VariantClear

Exports

Exports

DllInstall
FindCtxSectionGuidA
FindCtxSectionStringA
FindCtxSectionStringW

Sections

.text
Size: 408KB - Virtual size: 408KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 126KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 27KB - Virtual size: 58KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ss
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

caf7624af4696ebede0878f506c8cc01

Headers

File Characteristics

Imports

kernel32

user32

gdi32

advapi32

ole32

oleaut32

Exports

Exports

Sections

.text Size: 408KB - Virtual size: 408KB

.rdata Size: 126KB - Virtual size: 126KB

.data Size: 27KB - Virtual size: 58KB

.ss Size: 512B - Virtual size: 84B

.reloc Size: 20KB - Virtual size: 20KB

.text
Size: 408KB - Virtual size: 408KB

.rdata
Size: 126KB - Virtual size: 126KB

.data
Size: 27KB - Virtual size: 58KB

.ss
Size: 512B - Virtual size: 84B

.reloc
Size: 20KB - Virtual size: 20KB