# BabLock

- First seen: June 2022
- Aliases: Rorschach
- Samples:
  - 4874d336c5c7c2f558cfd5954655cacfc85bcfcb512a45fb0ff461ce9c38b86d | windows | ransom | pe
  - aa48acaef62a7bfb3192f8a7d6e5229764618ac1ad1bd1b5f6d19a78864eb31f | windows | ransom | pe
  - 82a7241d747864a8cf621f226f1446a434d2f98435a93497eafb48b35c12c180 | windows | ransom | pe

## PA Cortex Dump Service Tool (cydump.exe)

### Basic Properties

| Property | Value |
|---|---|
| Size | 144432 bytes |
| CRC32 | 0x653fca6e |
| MD5 | 2237ec542cdcd3eb656e86e43b461cd1 |
| SHA1 | 09018e4ed935b25054760b910780822e2f2a0e02 |
| SHA256 | 4874d336c5c7c2f558cfd5954655cacfc85bcfcb512a45fb0ff461ce9c38b86d |
| SHA512 | 19a6c1327e443f9d7c7e275e64c37f222025e8f722b3e1deaace1b5548a2159a6454ad31c1d495a5759f2ca8eb6d579a8415f2979e6645f9d0bc8d295cf74501 |
| Ssdeep | 1536:bI8uI/C6NESZE6H6mKuxPGjPCSl1qY7sMI97/aXOsWaldM9dljDGTQVL7:8fI/ChS4UPGbCSvqY7sMIFa1fk9DCQZ |
| Magic | PE32+ executable (GUI) x86-64, for MS Windows |
| Packer | PE+(64): compiler: Microsoft Visual C/C++(-)[-] |
| | PE+(64): linker: Microsoft Linker(14.26**)[EXE64,signed] |
| TrID | 48.7% (.EXE) Win64 Executable (generic) (10523/12/4) |
| | 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| | 9.3% (.EXE) OS/2 Executable (generic) (2029/13) |
| | 9.2% (.EXE) Generic Win/DOS Executable (2002/3) |
| | 9.2% (.EXE) DOS Executable Generic (2000/1) |

### Antivirus Scan

```diff
+ Avast: clean
+ Avira: clean
+ Clamav: clean
+ Comodo: clean
+ Drweb: clean
+ Eset: clean
+ Fsecure: clean
+ Mcafee: clean
+ Sophos: clean
+ Trendmicro: clean
+ Windefender: clean
```

## Loader and injector into notepad.exe (winutils.dll)

### Basic Properties

| Property | Value |
|---|---|
| Size | 81408 bytes |
| CRC32 | 0x63d5deec |
| MD5 | 88167052a74057a93e12673599451baa |
| SHA1 | 88e3a57c8d8919aed0200c04b19e08660ca3262e |
| SHA256 | aa48acaef62a7bfb3192f8a7d6e5229764618ac1ad1bd1b5f6d19a78864eb31f |
| SHA512 | cf03f34e8ffeaaaea3b2be654fd8f790f7e5e3fd0a55f31d5a02308925773bfa418ada23940060a40fad849e662e052bb290a4404e2cfd5992f5cb7e8b52dc61 |
| Ssdeep | 1536:NQamf3Yj6J94A32pIHFN2L66+cz5jZqJXJQPJBzuoTOHWRqH:6p326wA5T2LRloDUluPW |
| Magic | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
| Packer | PE+(64): packer: UPX(3.96)[NRV,brute] |
| | PE+(64): linker: Microsoft Linker(14.16, Visual Studio 2017 15.9*)[DLL64] |
| TrID | 70.9% (.EXE) UPX compressed Win32 Executable (27066/9/6) |
| | 13.2% (.EXE) Win16 NE executable (generic) (5038/12/1) |
| | 5.3% (.EXE) OS/2 Executable (generic) (2029/13) |
| | 5.2% (.EXE) Generic Win/DOS Executable (2002/3) |
| | 5.2% (.EXE) DOS Executable Generic (2000/1) |

### Antivirus Scan

```diff
- Avast: Win64:RansomX-gen [Ransom]
- Avira: TR/DLLhijack.uodcd
+ Clamav: clean
+ Comodo: clean
+ Drweb: clean
- Eset: Win64/Agent.CHA
- Fsecure: Trojan.TR/DLLhijack.uodcd
- Mcafee: Trojan-DarkLoader.a
+ Sophos: clean
+ Trendmicro: clean
+ Windefender: clean
```

## Encrypted ransomware payload (config.ini)

### Basic Properties

| Property | Value |
|---|---|
| Size | 731941 bytes |
| CRC32 | 0x800011a2 |
| MD5 | 57880c0d50028600ed9557a1cb1f60f2 |
| SHA1 | edc9f4eded2c57dee14595a2fba6aa3a98ff7b45 |
| SHA256 | 82a7241d747864a8cf621f226f1446a434d2f98435a93497eafb48b35c12c180 |
| SHA512 | e720db37a1073300756d24cf93b7f8fcf672edafca56f107fae18c0c82d69210f05de72d02d17b22f269912a74fc171e2c35c8b06560e251d85e37be8593eebb |
| Ssdeep | 12288:VSJKjj/sn6UO3tcG4cI5igtXDA08TFOHbKb9HfErRV3HWXCQKa7a9UOe/9SCAS:VSEj/+lO3tMjTZ8EHObBgv3HuvK5KT/5 |
| Magic | data |
| Packer | Binary: Nothing found |
| TrID | 100.0% (.VC) VisiCalc spreadsheet (1000/1) |

### Antivirus Scan

```diff
+ Avast: clean
+ Avira: clean
+ Clamav: clean
+ Comodo: clean
+ Drweb: clean
+ Eset: clean
+ Fsecure: clean
- Mcafee: Ransom-EncodeDAT
+ Sophos: clean
+ Trendmicro: clean
+ Windefender: clean
```

## References