Static task
static1
Behavioral task
behavioral1
Sample
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe
Resource
win10v2004-20240412-en
General
-
Target
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer
-
Size
79KB
-
MD5
d5eaa5c4f55781bc3f161e7c583e45c4
-
SHA1
d3796032c80f40cd7e1c6c8b5896ac8945c3eee1
-
SHA256
adb10da10d9e2cc882bfadf2210a6cb2fdc62308470200401ffe869c01405995
-
SHA512
5ae0af58d804e8f1ec624d1f4ea68a625d75373d14c73ea7ce8f0a988c0427a69138fa8ceeab978f7db3c246a44169fa33aa79107897c94b483cd657bde176ff
-
SSDEEP
1536:apoUyFydC/ZbtsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2ncf:1UyFydC/NtsrQLOJgY8Zp8LHD4XWaNHY
Malware Config
Signatures
-
Detects command variations typically used by ransomware 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_GENRansomware -
Detects executables containing many references to VEEAM. Observed in ransomware 1 IoCs
resource yara_rule sample INDICATOR_SUSPICOUS_EXE_References_VEEAM -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer
Files
-
2024-04-19_d5eaa5c4f55781bc3f161e7c583e45c4_babuk_destroyer.exe windows:6 windows x86 arch:x86
202fa14f574c71c2f95878e40a79322d
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
OpenProcess
GetTickCount
GetModuleHandleA
GetProcAddress
LoadLibraryA
lstrcmpW
lstrlenW
SetVolumeMountPointW
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
CreateFileW
WriteFile
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
lstrlenA
GetCommandLineW
FindClose
FindFirstFileW
FindNextFileW
GetFileSizeEx
GetCurrentProcess
ReadFile
SetFileAttributesW
SetFilePointerEx
WaitForSingleObject
CreateMutexA
WaitForMultipleObjects
GetCurrentProcessId
ExitProcess
CreateThread
ExitThread
SetProcessShutdownParameters
GetSystemInfo
lstrcmpiW
lstrcpyW
lstrcatW
OpenMutexA
MoveFileExW
WideCharToMultiByte
HeapAlloc
HeapFree
GetProcessHeap
ReleaseSemaphore
CreateSemaphoreA
TerminateProcess
Sleep
GetLastError
CloseHandle
GetVolumePathNamesForVolumeNameW
GetDriveTypeW
FindVolumeClose
FindNextVolumeW
GetLogicalDrives
FindFirstVolumeW
user32
wsprintfA
advapi32
QueryServiceStatusEx
OpenSCManagerA
EnumDependentServicesA
ControlService
CloseServiceHandle
CryptAcquireContextW
CryptReleaseContext
CryptGenRandom
OpenServiceA
shell32
SHEmptyRecycleBinA
CommandLineToArgvW
ShellExecuteW
netapi32
NetShareEnum
NetApiBufferFree
rstrtmgr
RmGetList
RmStartSession
RmEndSession
RmRegisterResources
mpr
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WNetGetConnectionW
Sections
.text Size: 73KB - Virtual size: 72KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 616B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 2KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.CRT Size: 512B - Virtual size: 8B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ