Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Download

habe_fun.exe

PE32 executable (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386, for MS Windows
Entropy:	6.8588715881325495
Filename:	habe_fun.exe
Filesize:	99328
MD5:	86faa03faca5764b65096940604a1390
SHA1:	f0e183789ae06266195cbe11200e830c011388b4
SHA256:	1fb08d6dc54e057419e21ca6c5aa959c2f9833eebd6e8998843a737c009de5c1
SHA512:	8366618f8595456ec5a839994b5bf3f0d80345b18f63313a3d191124a2835f3b6ec3a4067503d0ffe14d8e6ad0209c1eb597e6f753c0a82263b3edf9214f56ab
SSDEEP:	1536:j7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfVwWq8X4NoOj:/7DhdC6kzWypvaQ0FxyNTBfVnq8y
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....l...............0....@........................................................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
PE file contains sections with non-standard names	Data Obfuscation
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sleep loop found (likely to delay execution)	Malware Analysis System Evasion
Uses 32bit PE files	Compliance, System Summary	Masquerading
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Enumerates the file system	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Executes batch files	System Summary	Scripting
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.bat

Unicode text, UTF-8 text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.bat
Category:	dropped
Dump:	45D6.bat.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\habe_fun.exe
Type:	Unicode text, UTF-8 text, with CRLF line terminators
Entropy:	4.536653918114644
Encrypted:	false
Ssdeep:	96:i/3HXLj/3HXum4LIS3jCAaLWAuRtT//bM3ZM0srTHabw9w:i/3HXn/3HXUcS3jjzvrTcr
Size:	6273
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\habe_fun.exe

"C:\Users\user\Desktop\habe_fun.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7360
Target ID:	0
Parent PID:	3964
Name:	habe_fun.exe
Path:	C:\Users\user\Desktop\habe_fun.exe
Commandline:	"C:\Users\user\Desktop\habe_fun.exe"
Size:	99328
MD5:	86FAA03FACA5764B65096940604A1390
Time:	14:03:10
Date:	26/03/2025
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Babadeda	Data Obfuscation
PE file contains sections with non-standard names	Data Obfuscation
Uses 32bit PE files	Compliance, System Summary
Executes batch files	System Summary	Scripting
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7368
Target ID:	1
Parent PID:	7360
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:03:10
Date:	26/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff62fc20000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.bat C:\Users\user\Desktop\habe_fun.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7412
Target ID:	2
Parent PID:	7360
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\System32\cmd.exe
Commandline:	"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\45D4.tmp\45D5.tmp\45D6.bat C:\Users\user\Desktop\habe_fun.exe"
Size:	289792
MD5:	8A2122E8162DBEF04694B9C3E0B6CDEE
Time:	14:03:10
Date:	26/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7cad00000
Modulesize:	421888
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Executes batch files	System Summary	Scripting
Spawns processes	System Summary	Process Injection

C:\Windows\System32\chcp.com

chcp 65001

Details

Is windows:	true
Is dropped:	false
PID:	7428
Target ID:	3
Parent PID:	7412
Name:	chcp.com
Path:	C:\Windows\System32\chcp.com
Commandline:	chcp 65001
Size:	14848
MD5:	33395C4732A49065EA72590B14B64F32
Time:	14:03:10
Date:	26/03/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff608aa0000
Modulesize:	36864
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://workupload.com/file/9Ha2YGuhADX

unknown

Details

Name:	https://workupload.com/file/9Ha2YGuhADX
TargetID:	-1
From Memory:	true
Source:	habe_fun.exe, 00000000.00000002.3576629478.0000000002157000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576812757.00000000023F0000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576629478.0000000002150000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576711227.0000000002280000.00000004.00000020.00020000.00000000.sdmp, 45D6.bat.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://discord.gg/cometrs

unknown

Details

Name:	https://discord.gg/cometrs
TargetID:	-1
From Memory:	true
Source:	habe_fun.exe, 00000000.00000002.3576629478.0000000002157000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576812757.00000000023F0000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576629478.0000000002150000.00000004.00000020.00020000.00000000.sdmp, habe_fun.exe, 00000000.00000002.3576711227.0000000002280000.00000004.00000020.00020000.00000000.sdmp, 45D6.bat.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

Download

21C33A50000

heap

page read and write

6ACD17F000

stack

page read and write

21C33990000

heap

page read and write

590000

heap

page read and write

21C338B0000

heap

page read and write

400000

unkown

page readonly

59A000

heap

page read and write

6ACD07C000

stack

page read and write

920000

heap

page read and write

417000

unkown

page write copy

470000

heap

page read and write

401000

unkown

page execute read

9B000

stack

page read and write

21C33A58000

heap

page read and write

19D000

stack

page read and write

420000

heap

page read and write

2157000

heap

page read and write

417000

unkown

page read and write

59E000

heap

page read and write

450000

heap

page read and write

21C33CE5000

heap

page read and write

23E0000

heap

page read and write

401000

unkown

page execute read

413000

unkown

page readonly

23F0000

heap

page read and write

400000

unkown

page readonly

21C33A5A000

heap

page read and write

413000

unkown

page readonly

2210000

heap

page read and write

430000

heap

page read and write

21C33CE0000

heap

page read and write

2150000

heap

page read and write

419000

unkown

page readonly

419000

unkown

page readonly

21C339B0000

heap

page read and write

6ACD0FE000

stack

page read and write

2280000

heap

page read and write

There are 27 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
habe_fun.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthabe_fun.exe

Files

Processes

URLs

Memdumps

IOC Report
habe_fun.exe