Windows Analysis Report
habe_fun.exe

Overview

General Information

Sample name: habe_fun.exe
Analysis ID: 1649416
MD5: 86faa03faca5764b65096940604a1390
SHA1: f0e183789ae06266195cbe11200e830c011388b4
SHA256: 1fb08d6dc54e057419e21ca6c5aa959c2f9833eebd6e8998843a737c009de5c1
Tags: exe, user-edv

Detection

Babadeda
Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Babadeda
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files

Classification

Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers' analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

AV Detection

Source: habe_fun.exe Virustotal: Detection: 26%
Source: habe_fun.exe ReversingLabs: Detection: 33%
Source: habe_fun.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\habe_fun.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\habe_fun.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\habe_fun.exe File opened: C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp
Source: C:\Users\user\Desktop\habe_fun.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\habe_fun.exe File opened: C:\Users\user\AppData\Local\Temp\45D4.tmp
Source: C:\Users\user\Desktop\habe_fun.exe File opened: C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.tmp
Source: habe_fun.exe, 00000000.00000002.3576629478.0000000002157000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576812757.00000000023F0000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576629478.0000000002150000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576711227.0000000002280000.00000004.00000020.00020000.00000000.sdmp, 45D6.bat.0.dr String found in binary or memory: https://discord.gg/cometrs
Source: habe_fun.exe, 00000000.00000002.3576629478.0000000002157000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576812757.00000000023F0000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576629478.0000000002150000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576711227.0000000002280000.00000004.00000020.00020000.00000000.sdmp, 45D6.bat.0.dr String found in binary or memory: https://workupload.com/file/9Ha2YGuhADX
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00411079 0_2_00411079
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00411C20 0_2_00411C20
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00411033 0_2_00411033
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00410C80 0_2_00410C80
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00410CA0 0_2_00410CA0
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_0040B9C7 0_2_0040B9C7
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_0040FA68 0_2_0040FA68
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_0040CF18 0_2_0040CF18
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_0040EFF0 0_2_0040EFF0
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00410FB0 0_2_00410FB0
Source: classification engine Classification label: mal56.troj.winEXE@6/1@0/0
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource, 0_2_00402664
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\do_not_delete
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Users\user\Desktop\habe_fun.exe File created: C:\Users\user\AppData\Local\Temp\45D4.tmp
Source: C:\Users\user\Desktop\habe_fun.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.bat C:\Users\user\Desktop\habe_fun.exe"
Source: C:\Users\user\Desktop\habe_fun.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\habe_fun.exe "C:\Users\user\Desktop\habe_fun.exe"
Source: C:\Users\user\Desktop\habe_fun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\habe_fun.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.bat C:\Users\user\Desktop\habe_fun.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\habe_fun.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\habe_fun.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\habe_fun.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\habe_fun.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll

Data Obfuscation

Source: Yara match File source: habe_fun.exe, type: SAMPLE
Source: Yara match File source: 0.0.habe_fun.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.habe_fun.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_0040ADD6
Source: habe_fun.exe Static PE information: section name: .code
Source: C:\Users\user\Desktop\habe_fun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\habe_fun.exe Window / User API: threadDelayed 9999
Source: C:\Users\user\Desktop\habe_fun.exe TID: 7364 Thread sleep time: -99990s >= -30000s
Source: C:\Users\user\Desktop\habe_fun.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\habe_fun.exe Thread sleep count: Count: 9999 delay: -10
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00409FD0 SetUnhandledExceptionFilter, 0_2_00409FD0
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_00409FB0
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\habe_fun.exe Code function: 0_2_00405573 GetVersionExW,GetVersionExW, 0_2_00405573
No contacted IP infos