babuk | 0b9e8dfe1179223d1d3974917362d94a826dcf7080e8df277610fe1dc21bc4cf | Triage

Submit
Reports

Overview

overview

Static

static

3

79a67070f0...ac.exe

windows10-ltsc 2021-x64

Sharing

General

Target

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.zip
Size

11.8MB
Sample

250110-k7xrysslen
MD5

888eccc62786302f9fbf9d4cdf327a72
SHA1

eb075199f8d42db0d40279147e8d64ee01312112
SHA256

0b9e8dfe1179223d1d3974917362d94a826dcf7080e8df277610fe1dc21bc4cf
SHA512

5b55e45417a4412fa8945761d7a8bb269f42325ca98834050a0da1e302191c791d4e508155e3271bd7f9a478e02522f0246a973e7c3ce72f2384d5fee7244a93
SSDEEP

196608:sXqr9zh/Gvw1Em4IR5uZaIYPtpr1F+LqxNCgQKvhAIM8mu1u:cqrPGtm7/S43+LqndQK48mAu

Score

10^/10

babuk defense_evasion discovery execution impact pyinstaller ransomware

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe

Resource

win10ltsc2021-20241211-en

babuk defense_evasion discovery execution impact pyinstaller ransomware

windows10-ltsc 2021-x64

16 signatures

300 seconds

Malware Config

Targets

- Target
  
  79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac.exe
- Size
  
  12.0MB
- MD5
  
  59d018958d77ee68568eac6250a4224e
- SHA1
  
  a5ac1b794b33da74b7d587b04394721f7aa96d0f
- SHA256
  
  79a67070f0fbff66cb39f3dadd3e3565b1b1b98ed9e079562aabd90d10ad75ac
- SHA512
  
  5f285f3920463646a77487c9e0b1c46ebe950f779fafb524d6064aa280ba84c3119cd19c2b88f3011e20a7f7b70a1341103d42baca28f1781d8670bca8737881
- SSDEEP
  
  393216:VobaG+ZUoC9EYeWJ8taL/d2otNCk2rszUXS:VMaG+Z7C9M+RJ2ontkXS
Score

10^/10

babuk defense_evasion discovery execution impact pyinstaller ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Babuk family
  babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (187) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

babukdefense_evasiondiscoveryexecutionimpactpyinstallerransomware

© 2018-2025

Terms | Privacy