Trojan.Babar.TC
Analysis Report
General information
| Family Name: | Trojan.Babar.TC |
|---|---|
| Packers: | UPX |
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
File Traits
- big overlay
- No Version Info
- packed
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 318 |
|---|---|
| Potentially Malicious Blocks: | 146 |
| Whitelisted Blocks: | 172 |
| Unknown Blocks: | 0 |
Visual Map
[Visual block map image not reproduced here. Legend: 0 - Probable Safe Block; ? - Unknown Block; x - Potentially Malicious Block]
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Babar.TC
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\_if11c2.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if11c4.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if421f.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if4221.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if45cf.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if45d1.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if4c16.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if4c28.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if54a8.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if54ba.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if56cb.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if56dd.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if5709.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if571b.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if5d6e.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if5d70.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if6cbe.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if6ccf.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if7330.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if7332.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_if85d8.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_if85da.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_ifb828.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_ifb82a.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_ifcb52.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_ifcb54.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_ifd776.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_ifd788.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\_iffd51.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\_iffd53.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\windows\ifinst27.exe | Generic Write,Read Attributes |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Anti Debug | |
| User Data Access | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\4d6ec038e57bfc749cb48c700f0682863848d576_0000840641.exe
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\736568abded83fa153245c35c3aced141d1136bb_0001216587.exe
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\1935f14e93a49d9ae682be774edd4166a5ce2013_0001580127.exe
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\247ef34fa48fe548298d22fb12321e47493cf1b7_0005871383
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\fc8f97216308a5ca6ea75b970b073dd195f49d75_0003000332
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\33f15e7258467d02ee0d123e318091261f6e8177_0005271159
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\cd9c33bd565794cf7389164513ddd293e8c30612_0000195531
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\8487c01907861f1e3423168e33132cf1415fecc6_0003359009
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\2d0c84c42d7680dd684c87778d9c9da822a7d65d_0005129525
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\6c9985c4234fb15b82e969d1e71989720b0d2c62_0001981341
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\1332b56c81d2d6c3d0d122002a4ba01db3ab9e09_0003564915
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\8535f6823116a242fa1f1b17d5cf310f7b9ed702_0005099153
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\584b317dc5a2a21d468c76285703f536e50a78ac_0001543125
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\31007efa939e48d702c7fed186b407eb81f3bda6_0003037059
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\21c26c543cb8fd392c8e85b2b8e8aade0ca053a3_0003343204
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\83c35028ebcbf4238473de9ce8f5f6730258d86b_0005300224
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\d3be43686ee587463005de24afe683748abf651b_0001276891
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\e52e209a010f7facae299ea2e6c0b4a9307b4b20_0001499336
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\39533338475ee7060e4a7d0e9a7f1abfad9a1be8_0002642428
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\89435e5d31012d156da75b151510f8ae83d8ad51_0005707821
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\77f3654de924e62ae566a91fad1da7d6e6ac56e9_0004892472
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\3f3efb79fec88ab0b12d77de72fd40cb19a72a39_0000828666
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\1901462354b05335347dd9d7d3790a6d4927465d_0000496793
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\735389c7f12b54449f19377b8f6312b13b204388_0001370686
- "C:\WINDOWS\IFinst27.exe" -Ic:\users\user\downloads\76e8ea2bc6c43b3302d8df82748a6b3e5625b59c_0001401765