Sunday, July 5, 2020

Overview of Babax Stealer

File details:
MD5: 74a5c6f02814aa7f5a624681d61952d0
SHA1: 5f78e534d7e70fff9e8353cc8afa9c221a1209f3
SHA256: 939b2ae76b674d4fde311eb4374a5f0eaaf3d154a038fdd5febb84bec0734a77

The file's creation timestamp points to a date in the future:
Creation Time 2095-02-22 21:13:32
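A future-dated timestamp like the one above is a cheap triage signal. The following Python is an added example (not part of the original analysis); it assumes the reported time is the COFF header's TimeDateStamp, reads it straight from the PE header without external libraries, and flags stamps ahead of the analysis clock. The sample header it parses is a constructed stub, not the real binary.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Creation time reported for the sample on this page; UTC is assumed.
REPORTED_TS = datetime(2095, 2, 22, 21, 13, 32, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_anomaly(ts: datetime, now: datetime, slack_days: int = 1) -> Optional[str]:
    """Classify a compile timestamp relative to the analysis clock.

    'zero'   - stamp was wiped (seen with some packers and linkers)
    'future' - stamp is more than slack_days ahead of now (forged or clock-skewed build)
    None     - nothing remarkable
    """
    if int(ts.timestamp()) == 0:
        return "zero"
    if (ts - now).total_seconds() > slack_days * 86400:
        return "future"
    return None


def build_stub_pe(ts: datetime) -> bytes:
    """Constructed minimal MZ + PE/COFF header (not a loadable image) carrying the given stamp."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, int(ts.timestamp()), 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    stamp = pe_timestamp(build_stub_pe(REPORTED_TS))
    print(stamp.isoformat(), timestamp_anomaly(stamp, datetime.now(timezone.utc)))
```

Run against a real file by passing `open(path, "rb").read()` to `pe_timestamp`; the one-day slack avoids flagging builds from a machine whose clock is slightly ahead.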

File names:
ProxyON.exe
crypted_babax.exe

Babax stealer
The Babax stealer source code was originally hosted on GitHub but has since been taken down. The stealer's main purpose is to steal saved credentials and propagate across the network. To evade detection, the sample is crypted (wrapped by a crypter).

During execution it creates a mutex named Babax. The notable API calls, commonly used for anti-debugging and timing checks, are:
  • GetTickCount
  • IsDebuggerPresent
  • GetSystemMetrics
  • GetTickCount64
Interesting files it tried to open:
C:\Users\<USER>\Downloads\crypted_babax.exe.config
C:\Users\<USER>\Downloads\crypted_babax.exe
C:\Windows\system32\ucrtbase_clr0400.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\ProxyON\
C:\Users\<USER>\Downloads\crypted_babax.INI
C:\Users\<USER>\Downloads\Babyt3.dll
C:\Users\<USER>\Downloads\Babyt3\Babyt3.dll
C:\Users\<USER>\Downloads\Babyt3.exe
C:\Users\<USER>\Downloads\Babyt3\Babyt3.exe


Process Tree:
 3068 - crypted_babax.exe

Additional screenshots and content collected from the deleted GitHub page:

"Logs will get delivered in an encrypted archive to the Telegram bot used and as I said before you will get the whole project so you can change the whole system if you want. Note: cvshost.exe is a utility that decrypts Firefox data from the dbs files (logins.json and key3.db). You will not get it with the project but you still can use the json and key file in your Firefox clients to get the credentials or look for tools that do that." - Copied from GitHub.
