General

  • Target

    21455636188.zip

  • Size

    196KB

  • Sample

    250219-m265jszlaq

  • MD5

    484f2c6ce34fc47996931ca220ea7924

  • SHA1

    75d16219b24a0edcd0b97849f51e56fcf21a8975

  • SHA256

    11ad4ca7c9fa415283e0c81563b0e0f900b3afabf2384f50387f5f5bef0b45f3

  • SHA512

    f5850fcf7d35debb828d534d6ec8a760b93300759a6e21f3cac6a6f01df326d62bbd78bc54c21e23b690f47b69d40f12b8fcadbeb9bbdf6e817d4ee00e02e844

  • SSDEEP

    3072:LpQq47JHuhw/u/+Sk+uFO1LskrcCzQgTXDmVX9C0l+Unrsai0Hjus8+LADvm8:LaqtWyJugCKXTTmi0lRwai0HzHkvl

Malware Config

Extracted

Path

C:\3OYkmrLQx.README.txt

Ransom Note
Your System Hacked By Orion Hackers!
>>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> You need contact us and decrypt one file for free on these tox id =32C12B278912E26E5EAC57AEBB3F4FF16F0E31603C7B9D46AC02E9D993EE14351CEC3AB5945C with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: https://utox.org/ https://utox.org/uTox_win64.exe If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID : 6F902E0A889E60D47FB305E2EE4B72926A4A68297F2364285E2CB005DE53B377F76934FF16AB
>>>> Your personal DECRYPTION ID: 87224CD760355F2D611F42B96E52A138
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

https://utox.org/

https://utox.org/uTox_win64.exe

Extracted

Path

C:\3OYkmrLQx.README.txt

Ransom Note
Your System Hacked By Orion Hackers!
>>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> You need contact us and decrypt one file for free on these tox id =32C12B278912E26E5EAC57AEBB3F4FF16F0E31603C7B9D46AC02E9D993EE14351CEC3AB5945C with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: https://utox.org/ https://utox.org/uTox_win64.exe If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. Tox ID : 6F902E0A889E60D47FB305E2EE4B72926A4A68297F2364285E2CB005DE53B377F76934FF16AB
>>>> Your personal DECRYPTION ID: 87224CD760355F2D21E3B1546345C2EE
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

https://utox.org/

https://utox.org/uTox_win64.exe

Targets

    • Target

      Babuk.exe

    • Size

      147KB

    • MD5

      2a12f8be64c05a4b1961409b872db68d

    • SHA1

      3dc78907b4fc64cb6fcde3186ae60e0fb92834a7

    • SHA256

      8f46b1fea15369e70b8b3919db81d2cd4d7428c75a5208aa0313a03e8b938e21

    • SHA512

      1644815bb6ebbf913a3bafbab597f5f482fdf1dd16e2ed70a30b464db28ef4d69ae5b46058e416ba4378d70e28595b64cb9afe847e8402a3f52f9643df32200c

    • SSDEEP

      3072:kqJogYkcSNm9V7D4TEkRPNK3ZYuF33QT:kq2kc4m9tD4XJIZX5

    • Renames multiple (315) files with added filename extension

      This suggests ransomware activity: encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15