babuk | 47cec57e5be41ddf98899613141e3f36897ba4f1f149ffb504759b64d686e52d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

2_args_f_1..._2.exe

windows7-x64

2_args_f_1..._2.exe

windows10-2004-x64

Sharing

General

Target

2_args_f_1_multibabyk_ST_2.bin
Size

79KB
Sample

250307-j2a6bsxly9
MD5

5ca5e790a7e823e3b890646f1c84d274
SHA1

a566e024202c0b115d96645975555d0a74e0a492
SHA256

47cec57e5be41ddf98899613141e3f36897ba4f1f149ffb504759b64d686e52d
SHA512

0fc9690f608f6ff1e41d8e630d60d0200cbec65646b870ad201e5810b84b8eb5aa0c6b4a6d5b17c3eb5b8248d404a2ef25885d6fdabc0e8c9158e2df5281023b
SSDEEP

1536:wavdRu8frEb9srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:9dRuys9srQLOJgY8Zp8LHD4XWaNH71dg

Score

10^/10

babuk defense_evasion discovery execution impact ransomware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2_args_f_1_multibabyk_ST_2.exe

Resource

win7-20240903-en

babuk defense_evasion discovery execution impact ransomware

windows7-x64

12 signatures

300 seconds

Behavioral task

behavioral2

Sample

2_args_f_1_multibabyk_ST_2.exe

Resource

win10v2004-20250217-en

babuk defense_evasion discovery execution impact ransomware

windows10-2004-x64

13 signatures

300 seconds

Malware Config

Targets

- Target
  
  2_args_f_1_multibabyk_ST_2.bin
- Size
  
  79KB
- MD5
  
  5ca5e790a7e823e3b890646f1c84d274
- SHA1
  
  a566e024202c0b115d96645975555d0a74e0a492
- SHA256
  
  47cec57e5be41ddf98899613141e3f36897ba4f1f149ffb504759b64d686e52d
- SHA512
  
  0fc9690f608f6ff1e41d8e630d60d0200cbec65646b870ad201e5810b84b8eb5aa0c6b4a6d5b17c3eb5b8248d404a2ef25885d6fdabc0e8c9158e2df5281023b
- SSDEEP
  
  1536:wavdRu8frEb9srQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2nsf:9dRuys9srQLOJgY8Zp8LHD4XWaNH71dg
Score

10^/10

babuk defense_evasion discovery execution impact ransomware
- Babuk Locker
  RaaS first seen in 2021 initially called Vasa Locker.
  ransomware babuk
- Babuk family
  babuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (203) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

Indicator Removal

File Deletion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

babukdefense_evasiondiscoveryexecutionimpactransomware

behavioral2

babukdefense_evasiondiscoveryexecutionimpactransomware

© 2018-2025

Terms | Privacy