General

  • Target

    82e560a078cd7bb4472d5af832a04c4bc8f1001bac97b1574efe9863d3f66550

  • Size

    4.8MB

  • Sample

    240325-zp5r6shd34

  • MD5

    aee27a5ebedadf12beed294f59026162

  • SHA1

    fa5153b6011c578ce85c8c6d2a431ee9b8be03ec

  • SHA256

    82e560a078cd7bb4472d5af832a04c4bc8f1001bac97b1574efe9863d3f66550

  • SHA512

    74548443d979e4b07904ca6232df1d787fa7481bfb52dfdd0331882cb407ba73c0548ef8544c02ed2cb2d11401ae86c546875db4408127d30b862cb383da921a

  • SSDEEP

    98304:a7TUPOmgWEeBcQVltn58PsCYBy7PJUhfTJ2RMOMA8vNFDf8NCE3njOSLQJ0TsYnY:rFgaBcKltnOE7MPJUhLCMhN8NnjBEJYY

Targets

    • Target

      builder.exe

    • Size

      121KB

    • MD5

      5dfa998f62612e10d5d28d26948dd50f

    • SHA1

      05618b47ccf5aba595fba60feb30969b5500abb3

    • SHA256

      4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af

    • SHA512

      83a0f6b9b43d88ea704f0d006937e020a2dd7c207bc84937d2ca6d80f808b0b583a555082eb529c902f2194cb872a23d5666302908f3ed0418f061e50c56defa

    • SSDEEP

      3072:FGLXPggYI4tRE/UAhW9SOsRHor5bHVZ3D1Lowg0p53NTz0cKzWZH28wjJ5Pq+ZoR:F2XIgYxZxPT53NjK2H6PSDlu9sYtC0gF

    • Score

      1/10

    • Target

      d_esxi.out

    • Size

      53KB

    • MD5

      64b8e75e76283e034e134c128e9a405a

    • SHA1

      cd19c2741261de97e91943148ba8c0863567b461

    • SHA256

      930760c00de1b9a4bc2eefcd96173f1e9a906b11a9566c517fcb87a13acaa327

    • SHA512

      8e9e0ceafc88504a408ed9a91514675b7e13e3f4ed5f3a2c0208f441c55d783e3708427fc49489bdd9f74804a00a093c6e28c5a012d483b502bee09995f6a84d

    • SSDEEP

      1536:2sIH3ny6iOyCNx3SBqzMhpScQLBrdE2T2wETjSeQPH:2LXy6WCNiPYcQLBrjTkTPw

    • Score

      1/10

    • Target

      d_nas_arm.out

    • Size

      2.0MB

    • MD5

      7de2173c75f9778b9c9c20447ad4c1f8

    • SHA1

      0bea740c49e30d3c8d58976951331068f181c453

    • SHA256

      2cd6d4a52dbaf9e79d93492ad73dc229e06d0cee9e3327cc3bef165fae06f918

    • SHA512

      666387bea53b85ccb8d6f5925f2c4fa69530836a58834234f6c9c5c0034997dad2270f270bea138796f7bb2010bcf2c4430bbaf10fa8a6f50b52323b84b21e18

    • SSDEEP

      24576:T138npoIXekt5RAg6hjRofWxTRLgHykaWm/kC4szj05oFVps5RThELC7ox0Yulo7:TNWdJxNxuGWsRlW011vfH6/E6tRb

    • Score

      3/10

    • Target

      d_nas_x86.out

    • Size

      1.9MB

    • MD5

      29efe5693da727cdca8c637d343b07cd

    • SHA1

      a5ee4e8a413ea03639721f31de5f42d4b0968039

    • SHA256

      51fe57795105eb1e618d35bd99fcc096ee3687455cd4e330396c0d701bc3a6a1

    • SHA512

      5f19057919b4018114fcb58e0d848960acbf26d461077a85a935b64e7ec161f45047e6dc6c4664058b36902bc39b297c292eb8af2557dddd5bbdfdc975e6f377

    • SSDEEP

      49152:Emsq5TJqKK8XhjTyUCWU1pWmUYkfhtpmXNb:EmswTJqURIUtfhtoB

    • Score

      3/10

    • Target

      d_win.bin

    • Size

      68KB

    • MD5

      ca8dcb4c02f5b3b09b0bc49452f05bd6

    • SHA1

      0e0001da7e198da8e3e82252d5414dbcb8bee9d1

    • SHA256

      eb22f22fedb24ef3d06d2ba6ac9bc53528f8d1e489fefeac9501b926a0be6097

    • SHA512

      9221c98a0ad3179725fd66de3fcfbc0f97af300431d82645ee0b9d8e16a756b7881a91f661a569156bf0d5984e54703d513d753329bffd382327cc7a194ffc48

    • SSDEEP

      1536:yHjUeTD0DsbEmDx1xhiBsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2hyqM8EQ:yDUeTD0gbrDx1xusrQLOJgY8Zp8LHD4D

    • Score

      7/10

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      e_esxi.out

    • Size

      69KB

    • MD5

      ce73b00417464190d7fb9b36af74968a

    • SHA1

      885a734c7869b52aa125674cb430199b2645cda0

    • SHA256

      dc90560d7198bf824b65ba2cfbe403d84d38113f41a1aa2f37f8d827fd9e0ceb

    • SHA512

      7710eb3c601f0b6066606f7a098811efa8e411b12164e7bcb2ab289920156367ee53e6c243937d89ccf17af9c207856fbd2f125982e5242938cd189965a3556d

    • SSDEEP

      1536:OgsIH3ny6nOyCNTs0BMScQLBrdE2TUwELzzhZaBHU2eQP:OgLXy6pCNLpcQLBrjTqloOw

    • Score

      1/10

    • Target

      e_nas_arm.out

    • Size

      2.1MB

    • MD5

      28249fc247a858d9727c860e4a484392

    • SHA1

      37b2ee4c3f6b9976e2335421a05e4b480c09ff9d

    • SHA256

      e8cee8eab4020e1aadd4631ed626ab54d8733f8b14d683ca943cd4e124eeef55

    • SHA512

      af4109064b524761fc3b0b5b27ab634e9eda7c8897fe5fb5b2d39dd1b620a402eb97ce5e76d99f9a959c2c6a162a2037c398c2181d2f66d029b46d73ec7f43e4

    • SSDEEP

      49152:RJZuecSwpeH2LTBnW01NEXTY4TumnwM7UB3:nZueanLjSumnJ70

    • Score

      3/10

    • Target

      e_nas_x86.out

    • Size

      2.0MB

    • MD5

      1453c8123be53bf4458b1a8e7e54ddbb

    • SHA1

      a1064f1393e4d548c27f1a4b5fb1a5cf9f5267e7

    • SHA256

      e505b24de50b14aed35cf40725dc0185cab06fed90269d445ec7a4b36de124b6

    • SHA512

      2eeffbcf1b8161f3f61a5654213004212042ca95b87393052a54b0a28416ee82eef113891488cc272581d6c2a557b1283712f8658ad48c219823b204724bc150

    • SSDEEP

      49152:Tx8AK8iCuL2j/WU1jMEYaCQ4esXSdq8J3:t87Rc5CQ4eXdqS

    • Score

      3/10

    • Target

      e_win.bin

    • Size

      79KB

    • MD5

      e5adc80639046a5c69bcfeee458e0833

    • SHA1

      d9e3f9edda5df290b5be6fb1d335b750dd7c6758

    • SHA256

      ea95f131bd9b49104d9e7ae83335254549ded9d71d557c6e4746740aecca2c85

    • SHA512

      c11a24e14ba5fa2b0e2c2b544dd4218ce4c8caae3db7cebd5b0305223f96bde09c9bd237cb8d32768f30118f7be73240971e772f7a89db7c0fba5c6105107e3a

    • SSDEEP

      1536:H6UhZM4hubesrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2zs4:7hZ5YesrQLOJgY8Zp8LHD4XWaNH71dLI

    • Score

      10/10

    • Babuk Locker

      RaaS first seen in 2021, initially called Vasa Locker.

    • Deletes shadow copies

      Ransomware often deletes backups and shadow copies to inhibit system recovery.

    • Renames multiple (185) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and renamed with a new extension.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
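As an added worked example (not part of the sandbox report, and not code from the Babuk builder itself), the Python below implements two detections that the e_win.bin signatures above imply: a check of process command lines for Volume Shadow Copy deletion (T1490) and a burst detector for the "renames multiple files with added filename extension" behaviour. The telemetry it runs on is constructed inline; the process names, paths, the `.locked` extension and the thresholds are assumptions chosen for the example, not values taken from the report.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed process-creation telemetry (not from the report): (time, image, command line).
T0 = datetime(2024, 3, 25, 10, 0, 0)
SAMPLE_PROCESSES = [
    (T0, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (T0 + timedelta(seconds=5), r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    (T0 + timedelta(seconds=6), r"C:\Windows\System32\wbem\WMIC.exe",
     "wmic shadowcopy delete"),
    (T0 + timedelta(seconds=7), r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe list shadows"),   # benign: enumerates, does not delete
]

# Command-line shapes commonly used to remove Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I),   # PowerShell/WMI variant
]


def find_shadow_copy_deletion(events):
    """Return (time, command line) for each event that deletes shadow copies (T1490)."""
    return [(ts, cmd) for ts, _image, cmd in events
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)]


def _constructed_renames():
    """Constructed file-rename telemetry: (time, process, old path, new path)."""
    base = T0 + timedelta(seconds=10)
    events = []
    for i in range(12):
        old = rf"C:\Users\alice\Documents\report{i}.docx"
        # ".locked" is an assumed extension for this example, not one the report states.
        events.append((base + timedelta(seconds=i), "e_win.bin", old, old + ".locked"))
    # Benign noise: an ordinary rename that does not append an extension.
    events.append((base + timedelta(seconds=20), "explorer.exe",
                   r"C:\Users\alice\Documents\draft.txt",
                   r"C:\Users\alice\Documents\final.txt"))
    return events


SAMPLE_RENAMES = _constructed_renames()


def find_extension_append_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Flag processes that rename at least `threshold` files inside `window`,
    where each new name is the old name plus one appended extension.
    Returns {process: (renames_in_busiest_window, most_common_extension)}."""
    per_proc = defaultdict(list)
    for ts, proc, old, new in events:
        if new.startswith(old) and len(new) > len(old) and new[len(old)] == ".":
            per_proc[proc].append((ts, new[len(old):]))
    alerts = {}
    for proc, items in per_proc.items():
        items.sort()
        busiest, start = 0, 0
        for end in range(len(items)):          # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        if busiest >= threshold:
            ext = Counter(e for _, e in items).most_common(1)[0][0]
            alerts[proc] = (busiest, ext)
    return alerts


if __name__ == "__main__":
    for ts, cmd in find_shadow_copy_deletion(SAMPLE_PROCESSES):
        print(f"[T1490] {ts.isoformat()} {cmd}")
    for proc, (n, ext) in find_extension_append_bursts(SAMPLE_RENAMES).items():
        print(f"[rename burst] {proc}: {n} files renamed to *{ext}")
```

The rename detector keys on the structural property the signature describes (new name == old name + ".ext") rather than on a fixed extension, so it also fires on variants that use a different suffix; the threshold and window should be tuned against the environment's normal rename rate before deployment.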

MITRE ATT&CK Matrix (ATT&CK v13)

The Hits column is the number of matches the report recorded for each technique.

Tactic              Technique                       Hits  ID
Defense Evasion     Indicator Removal               2     T1070
                    File Deletion                   2     T1070.004
Credential Access   Unsecured Credentials           1     T1552
                    Credentials In Files            1     T1552.001
Discovery           System Information Discovery    9     T1082
                    Query Registry                  3     T1012
                    Peripheral Device Discovery     2     T1120
Collection          Data from Local System          1     T1005
Impact              Inhibit System Recovery         2     T1490
