Overview of Babax Stealer
The sample's file creation time is a date in the future:
Creation Time 2095-02-22 21:13:32
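A creation time like the one above cannot be genuine and is a timestomping indicator worth recording during triage. The Python below is an added example, not code from the page or from the Babax author: it parses the reported creation time in the format shown above, reads the compile timestamp (COFF `TimeDateStamp`) from a PE header as a second, related check that the page itself does not show, and flags any timestamp that lies after the analysis time. The PE bytes and the analysis date are constructed for the example; the page does not give either.

```python
import struct
from datetime import datetime, timezone

# Timestamp format as it appears in the sandbox-style line on this page
# ("Creation Time 2095-02-22 21:13:32"); assumed to be UTC.
REPORTED_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_reported_time(text: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS' creation time as a UTC datetime."""
    return datetime.strptime(text, REPORTED_FORMAT).replace(tzinfo=timezone.utc)


def build_stub_pe(timestamp: datetime) -> bytes:
    """Build a constructed, minimal MZ/PE header whose COFF TimeDateStamp
    equals `timestamp`. This is test scaffolding, not the real sample."""
    epoch = int(timestamp.timestamp())
    e_lfanew = 0x40  # offset of the PE signature
    dos_header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, epoch, 0, 0, 0xE0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff_header


def pe_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp sits 8 bytes after the signature (after Machine and NumberOfSections).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_verdict(ts: datetime, analysis_time: datetime, max_age_years: int = 25) -> str:
    """Classify a timestamp relative to when the sample was analysed.
    A build or creation time later than the analysis time cannot be genuine,
    so it is a timestomping indicator worth recording in the report."""
    if ts > analysis_time:
        return "future-dated"
    if ts.year < analysis_time.year - max_age_years:
        return "implausibly old"
    return "plausible"


def triage(data: bytes, reported_creation: str, analysis_time: str) -> dict:
    """Check both the on-disk creation time (as reported by the sandbox) and the
    compile timestamp embedded in the PE header, and return the findings."""
    now = parse_reported_time(analysis_time)
    fs_time = parse_reported_time(reported_creation)
    compile_time = pe_timestamp(data)
    return {
        "fs_creation": fs_time.isoformat(),
        "fs_verdict": timestamp_verdict(fs_time, now),
        "pe_timestamp": compile_time.isoformat(),
        "pe_verdict": timestamp_verdict(compile_time, now),
    }


if __name__ == "__main__":
    # Constructed analysis time; the real analysis date is not given on the page.
    sample = build_stub_pe(parse_reported_time("2095-02-22 21:13:32"))
    print(triage(sample, "2095-02-22 21:13:32", "2021-01-01 00:00:00"))
```

Run against a real file, `pe_timestamp` is applied to the file's bytes while the reported creation time comes from the sandbox or filesystem; a mismatch between the two, or either one landing in the future, goes into the report alongside the mutex and file-access observations below.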
The Babax stealer source code was initially hosted on GitHub but has since been taken down. The stealer's purpose is to harvest saved credentials and propagate across the network. To evade detection, the binary is crypted (wrapped with a crypter).
During execution, it creates a mutex named Babax. The highlighted calls are:
Interesting files it tried to open:
3068 - crypted_babax.exe
Additional screenshots and content collected from the deleted GitHub page:
"Logs will get delivered in an encrypted archive to the Telegram bot used and as I said before you will get the whole project so you can change the whole system if you want. Note: cvshost.exe is a utility that decrypts Firefox data from the DB files (logins.json and key3.db). You will not get it with the project but you still can use the json and key file in your Firefox clients to get the credentials or look for tools that do that." - Copied from GitHub.