{
	"id": "894d6bab-6ee0-479b-bdc5-14206b733920",
	"created_at": "2026-04-10T03:19:55.596226Z",
	"updated_at": "2026-04-10T03:22:17.545861Z",
	"deleted_at": null,
	"sha1_hash": "25e7f8734139e8753f7063e05bb457c50b0c5502",
	"title": "Babble Babble Babble Babble Babble Babble BabbleLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2259312,
	"plain_text": "Babble Babble Babble Babble Babble Babble BabbleLoader\r\nBy Ryan Robinson\r\nPublished: 2024-11-17 · Archived: 2026-04-10 03:07:42 UTC\r\nLoaders, an Ever Evolving Market\r\nThe pace of innovation and development in the malware detection market is relentless, the same goes for the\r\ndevelopment of malware itself. Constantly charging and adapting to create ever more evasive and capable\r\npayloads. \r\nOne such sector of this market is the loader (also called crypter or packer) market. In today’s threat landscape,\r\nloaders have become a critical tool in cybercrime operations, serving as the backbone for delivering a range of\r\nmalicious payloads. Loaders are often the first stage in an attack chain, designed to stealthily execute or inject\r\nmalware, such as info-stealers or ransomware, into a target system. Their prevalence reflects an evolution in\r\ntactics, allowing threat actors to evade traditional antivirus defenses through techniques like in-memory execution\r\nand anti-analysis features. Widely available for purchase or lease on underground markets, loaders are now a\r\ncommodity in malware distribution, making sophisticated attack methods accessible to a broader range of actors\r\nand adaptable across diverse campaigns and targets.\r\nIn this blog, we will introduce “BabbleLoader”, an extremely evasive loader, packed with defensive mechanisms,\r\nthat is designed to bypass antivirus and sandbox environments to deliver stealers into memory. \r\nBabbleLoader’s Techniques to Evade Traditional and AI Systems\r\nBabbleLoader stands out for its array of sophisticated evasion techniques that challenge both traditional and AI-based detection systems. Key features include junk code insertion and metamorphic transformations, which alter\r\nthe loader’s structure and flow, effectively evading signature-based, Artificial Intelligence, and behavioral\r\ndetections. Through dynamic API resolution, the loader sidesteps common API monitoring by resolving necessary\r\nfunctions only at runtime, preventing static analysis from identifying telltale Windows APIs. Also bypassing\r\nsandbox injected DLLs that hook API calls. Shellcode loading and decryption further obfuscate the payload by\r\nembedding and decrypting malicious code in memory, bypassing file-based scanning. Additionally, anti-sandboxing and anti-analysis measures detect virtual environments, impeding sandbox analysis and automated AI\r\ndefenses. Together, these techniques make this loader a versatile tool, capable of subverting both static and\r\ndynamic security layers.\r\nWhen investigating this loader, we have seen it used across multiple campaigns, targeting both English and\r\nRussian speaking individuals. Lure themes suggest it is targeting a vast range of users, from users looking to\r\ndownload generic cracked software, such as video editing, gaming, VPN, browsers, and utilities. We have also\r\nnoticed campaigns that target with a particular focus on business professionals in finance and administration,\r\nmasquerading as accounting software, and forms for filling out eligibility checks often used by HR or payroll\r\nprofessionals.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 1 of 20\n\nTechnical Analysis\r\nThe sample used in this analysis is: a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87\r\nJunk Code/Metamorphism\r\nBabbleLoader makes diabolical use of junk code. This is done in an effort to hamper analysis by confusing the\r\nanalyst. This is achieved through multiple means. There are many paths of code that are never actually accessed,\r\nbut use random imports with randomly generated hardcoded strings.\r\nJunk Code making rubbish calls\r\nThe loader also makes excessive use of random instructions, adding values to local variables and moving data\r\naround registers for no particular functionality. \r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 2 of 20\n\nJunk Code\r\nThe amount of junk code added into the sample greatly increases the amount of code to the point where it starts to\r\ncrash disassembly or decompilation tools through its sheer mass alone. In the case of IDA needs to collapse nodes\r\ndue to them being so large.\r\nCollapsed Node in IDA\r\nIn Ghidra the function graph view will freeze and there are too many instructions for the decompiler to show.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 3 of 20\n\nDecompilation output in Ghidra\r\nWe have even checked in Binary Ninja to see the effects of the junk code. The user is required to manually force\r\nanalysis of the function due to the size.\r\nBinary Ninja showing large function\r\nEach of these techniques also serve the purpose of making the loader metamorphic. Each build of the loader will\r\nhave unique strings, unique metadata, unique code, unique hashes, unique encryption, and a unique control flow.\r\nEach sample is structurally unique with only a few snippets of shared code. Below is a very small snippet of the\r\nmain method of two different samples, showing very different control flow.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 4 of 20\n\nComparison of structure of two BabbleLoader samples\r\nEven the metadata of the file is randomized for each sample.\r\nJunk Metadata\r\nWhat This Means for AI-Based Analysis Techniques\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 5 of 20\n\nThese techniques also have large implications for AI based analysis techniques. This constant variation in code\r\nstructure forces AI models to continuously re-learn what to look for—a process that often leads to missed\r\ndetections or false positives. By filling the code with junk instructions, the loader can trick AI into interpreting\r\nirrelevant actions as meaningful ones, leading it to predict that the malware will perform operations that it never\r\nactually executes. Junk code also generates a large volume of “noise” in the program flow, overwhelming the AI’s\r\npattern-recognition capabilities and forcing it to sift through thousands of extraneous actions that mask the true\r\nbehavior of the malware.\r\nAdditionally, the inclusion of countless junk variables adds another layer of complexity. AI models analyzing\r\nvariable behavior to understand data flow must now track thousands of decoy variables, each potentially\r\nobfuscated or dynamically transformed to further confuse the analysis. This variable noise, combined with the\r\never-shifting structure from metamorphism, makes it extremely difficult for AI to reliably determine which\r\nvariables are integral to the malware’s function and which are simply junk. \r\nThe sheer volume of junk code and variables also makes analyzing this loader exceptionally costly. The sheer\r\nnumber of tokens AI must process to parse and interpret the junk alone leads to high computational and financial\r\ncosts, effectively weaponizing the malware’s complexity against AI-driven defenses. This combination of\r\noverwhelming data volume, misleading patterns, and high processing requirements creates significant challenges\r\nin detecting and analyzing the malware accurately.\r\nDynamic API Resolution\r\nOne of the first operations of the loader is to start the process of dynamically resolving API calls. It will achieve\r\nthis through API hashing. It will first get a module handle for ntdll.dll . The string for the DLL is decrypted\r\nusing a rolling XOR cipher. \r\nDecoding of NTDLL string\r\nUsing the returned handle, the loader will start to read the PE header of ntdll.dll and it will locate the export\r\ndirectory and start parsing out values that it will need to dynamically resolve the functions by hash. The loader\r\nbuilds up the following struct. \r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 6 of 20\n\nstruct _NtDllExportInfo {\r\nDWORD* AddressOfFunctions;\r\n  DWORD* AddressOfNames;\r\n  DWORD* AddressOfNameOrdinals;\r\n  DWORD NumberOfNames;\r\n  HMODULE NtdllModuleHandle;\r\n}\r\nThe parsed values can be seen easily from viewing the export directory in CFF explorer.\r\nParsed fields shown in CFF Explorer\r\nOnce the struct has been built up, it can then proceed to iterate through the export names, hashing the names to\r\ncompare to hardcoded values in the binary.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 7 of 20\n\nResolution of functions by hash\r\nThe following calls are resolved, getting pointers for imports. Whilst the exports will remain the same for each\r\nbuild of the malware, the hashing will be unique per each build. \r\nHash Call\r\n1ABEC790 NtCreateSection\r\n993C0058 NtMapViewOfSection\r\n92263458 NtUnmapViewOfSection\r\n9DA1D253 NtClose\r\n6AF3F390 NTQuerySystemInformation\r\n0A96AB0E4 RtlAllocateHeap\r\n8A21A480 RtlFreeHeap\r\nShellcode Loading and Payload Decryption\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 8 of 20\n\nOnce the loader resolves pointers for the imports, it first calls NtCreateSection , followed by\r\nNtMapViewOfSection . This approach allows the malware to allocate and manage memory outside the standard\r\nprocess space. The decryption process begins with the loader rearranging the randomly stored encrypted chunks of\r\nthe payload into their correct order within the mapped memory, before proceeding to decrypt each block.\r\nDecryption stages\r\nBefore calling the decrypted code, the loader will perform one of a number of anti sandboxing checks.\r\nAntiSandboxing/Analysis\r\nDirectX DLL\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 9 of 20\n\nOne of the anti-sandboxing checks involves checking the installed graphics adapters to see if it is running in a\r\nsandboxed environment or not.  This is achieved by importing the DLL dxgi.dll . The DLL is the DirectX\r\nGraphics Infrastructure library and is a core Windows DLL that provides functionality for interfacing with\r\ngraphics hardware.  \r\nThe exported function CreateDXGIFactory is called giving the loader a IDXGIFactory object. This allows the\r\nloader to enumerate information from the installed graphics adapters by calling EnumAdapters , followed by\r\nGetDesc from the IDXGIAdapter object to give a DXGI_ADAPTER_DESC struct. \r\ntypedef struct DXGI_ADAPTER_DESC\r\n  {\r\n  WCHAR Description[ 128 ];\r\n  UINT VendorId;\r\n  UINT DeviceId;\r\n  UINT SubSysId;\r\n  UINT Revision;\r\n  SIZE_T DedicatedVideoMemory;\r\n  SIZE_T DedicatedSystemMemory;\r\n  SIZE_T SharedSystemMemory;\r\n  LUID AdapterLuid;\r\n  } DXGI_ADAPTER_DESC;\r\nFrom these structs is parsed the VendorId , and it is compared against three values that form a vendor whitelist. \r\nID Vendor\r\n8086 Intel\r\n10DE Nvidia\r\n1002 AMD\r\nThis anti-sandboxing technique has been observed in previous malwares, namely Furtim in 2016 and Invalid\r\nPrinter Loader in 2023. BabbleLoader takes additional measures to hide the vendor ID numbers through using a\r\nsimple XOR key and a few assembly instructions. The instructions are separated by a large amount of junk code\r\nso as to hide the values when statically analyzing the sample in a disassembler. \r\nmov   [rsp+1FF48h+nvidiaId], 0E8185136h\r\n...\r\n//Junk\r\n...\r\nmmov   eax, [rsp+1FF48h+nvidiaId]\r\nxor   eax, 0E81841E8h\r\nmov   [rsp+1FF48h+nvidiaId], eax\r\n...\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 10 of 20\n\n//Junk\r\n...\r\nmov   eax, [rsp+1FF48h+nvidiaId]\r\ncmp   [rsp+1FF48h+vendorId], eax\r\nThe decoded value (Nvidia Vendor ID) is shown below:\r\nXOR to derive VendorID\r\nVDLL Function\r\nAnother form of anti-sandboxing comes in the form of a VDLL check to combat Windows Defender’s Antivirus\r\nEmulator. To start this check, BabbleLoader, in a similar manner to how it deobfuscates strings to dynamically\r\nresolve functions, will decode two DLLs with exports.\r\nThe first check is to get kernel32.dll and look for the proc address for MpSwitchToNextThread_WithCheck . The\r\nsecond check is ntdll.dll with the export of MpDispatchException .\r\nCall of emulated function\r\nIf any of the GetProcAddress calls are successful, it will set a variable for the loader to exit later. A successful\r\nimport of any of these calls will indicate that the loader is being emulated by Windows Defender. This is because\r\nthese exports only exist in VDLLs, which are modified Windows system DLLs available only in the emulator for\r\nDefender. This technique has been used by Raspberry Robin previously, and suggests that the loader developer is\r\nable to incorporate new technical research around antivirus and sandboxing internals.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 11 of 20\n\nUnique process count\r\nWhen the shellcode payload that is stored in the mapped memory of the newly created section is executed, it\r\nperforms another anti sandboxing check, this time based on the running processes in the machine. \r\nThis is achieved first by calling NtQuerySystemInformation , previously dynamically resolved from ntdll.dll .\r\nGetting the SystemProcessInformation class. This returns an array of SYSTEM_PROCESS_INFORMATION structures,\r\none for each process running in the system. \r\nThe process name for each process in the array is gathered and hashed as a checksum, and compared with the hash\r\nof the name of the process next in the array. A counter is incremented with each iteration, but if the checksums\r\nmatch, the counter is reduced by one. Giving the number of processes with unique names running. \r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 12 of 20\n\nChecksum counter\r\nThe counter is compared to check if there are at least 85 unique processes running on the machine. With the\r\nassumption that a true infected computer would have more running processes rather than a sandbox or emulator\r\nthat is trying to be as lightweight as possible to reduce noise and costs. This technique has been employed by other\r\nmalware also, such as Latrodectus. \r\nWhen the check has passed, the next stage of the payload will be decoded and executed.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 13 of 20\n\nSecond stage of decryption\r\nDonut Loader and Payload\r\nThe next stage in this chain is a Donut loader. This is used to unpack and execute the final payload in memory.\r\nDonut loaders have been used by many different malware and threat groups in their operations. The payload in\r\nthis sample is a WhiteSnake stealer. \r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 14 of 20\n\nWhiteSnake Payload\r\nThis payload has a very interesting method of communication with its Command and Control (C2) server over\r\nTOR. The C2 communication is described in further detail in a blog from JFrog in 2023, but instead of\r\ndownloading from the official TOR Project website. The payload is downloaded from this github repository.\r\nOpen source project downloaded by WhiteSnake\r\nIn other samples, Meduza stealer has also been observed. There may be other stealer payloads delivered that have\r\nnot been observed yet.\r\nConsiderations for Defense\r\nThe use of loaders is a long-standing technique incorporated by threat actors. In order for modern day threat actors\r\nto have any success against the many layers of detection employed by security vendors, they too must incorporate\r\nmultiple layers of defense within their own builds. It is a never ending arms race between attacker and defender.\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 15 of 20\n\nEach side imposing increasing costs on the other in a frantic effort to come out on top, no matter how short that\r\ntime period may be.\r\nThe better that the loaders can protect the ultimate payloads, the less resources threat actors will need to expend in\r\norder to rotate burned infrastructure. BabbleLoader takes measures to protect against as many forms of detection\r\nthat it can, in order to compete in a crowded loader/crypter market. The types of protection utilized protect the\r\nloader against hash, rule, genetic, static, dynamic, and AI forms of detection, imposing costs upon security\r\nvendors in the hope that the cost of detection will be so high that it will cause security vendors to overlook\r\nanalyzing these files. \r\nThe developer behind this loader demonstrates an active engagement with current security research, rapidly\r\nintegrating new techniques to enhance evasion capabilities. For instance, recent anti-sandboxing features reflect\r\ninsights from research on Windows Defender presented by white-hat experts at Black Hat, allowing the loader to\r\nbetter evade detection by Microsoft’s defenses. This adaptability shows a strategic commitment to keeping the\r\nloader ahead of evolving security tools by adopting the latest innovations in bypass techniques, making it more\r\nresilient and harder to detect with each new build.\r\nMany security vendors will look at using AI to help in future cases with combating these loaders. The loaders of\r\nthe future are already well equipped in this fight. The loader’s layered obfuscation tactics pose a formidable\r\nchallenge for AI-based defenses. These techniques flood the AI with irrelevant tokens and misleading patterns,\r\nmaking it difficult to distinguish meaningful actions from noise. Each layer of complexity forces the AI to process\r\nmassive amounts of data, drastically increasing computational and financial costs. By weaponizing this volume\r\nand variability, the loader effectively undermines AI’s pattern recognition and analysis capabilities, pushing the\r\nlimits of automated detection systems.\r\nThere is no signs of slowing down in the pace in the thriving loader market.\r\nIOCs\r\nBabbleLoader:\r\n052c776fdc9700dfb37f964a73d461a57efad30a01bcf54505d7abcd601e6ff3\r\n0ad8513b62a778d7e426627be3ed2dbaf00d99b9802a1f566dc9203e3d311fc3\r\n0f6847d33cb38b0ed6dc1d8cfe3dc5d2e293d91c4880e3b4f5ddb77fd9d4cd1f\r\n114b868f319162c5d6ff92796e41910f54de0e89f895a066fd4980c6dba2e323\r\n1367fb270f35512b17fe5e73cc0233ace272daafe15cf94e45f696431f52332f\r\n1537965c7722a9886d542688fcbafecd1248b2fbd56e9a90a803a50e880e1bb8\r\n16200bbe4646fe8cefeee5be20ce55c50300485f3356ab181fb930bd02536709\r\n1da4de2b4b87bff7f9f1a3208c5c663a06f7f9b67f918e5a5e8e860e759b7075\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 16 of 20\n\n200289d5a408a2e49a894228edb3324548ca5c5c0283d09486aa287df41f15bc\r\n217d7501287ae894f47bd04253bd184d1901dd131b0cd15bcbbeba5158049d5d\r\n22866e6ded40916de8002606f82e44ee141f27c3340fa2c4d16514624ee05a72\r\n237812322bbbcf47feeb79b8e91b97d00453ffd5deb52c819c183b45d18b0b5a\r\n25923b822e9a1374817caf79375170b944f2762b1e3f2add921008ffec702740\r\n2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d\r\n2b6bff7b8c23f1fa526e116c7577c32845d5b969c68a66850c305a351adc9726\r\n2d6b50003436ed489d1b46566eb879e317e1b9a5b6edb12f3cbb4c8a8d932a08\r\n2eab850166944175e5fac4c89706328a58dcef55dbc22ff20342d1d246ba76b9\r\n2ee32c46207119f6851f2869203124c104c72cfdf9622416252ae3405f485cd2\r\n328d92b71034d74c016b1f8e70217be3f432a2ade8fe44522f84980fd0dbb1f9\r\n33e42e7828cda7987d17342e0eb8134f590cd3d291dbc75f13334259a4908ba1\r\n3bf5f07059a24fb803c6fefb874f000e9c300372b1b870e48b4935bd0219fe2b\r\n401209ec9dda222984fd5cb775a6b6c2e651d88c04a506c9058cb1decdce869d\r\n451e1bec8476a89c7d2b526071fa2918187f2f5b3ba9362e6999114993a74da5\r\n455cd0db2de92ee348295780f8fc7a32a5406a5986a4d162761680f11b6346b1\r\n466a8af8d0b51ed82aec35b17b845e6baf77ada259aa2fd5591024a01d8e31b5\r\n46b355d25b95d7f9d7029f1ee1a346028e3c5bdec9e6c9245c12d1607cb1c686\r\n46f0e190cd346d1eb6d0c27386bb3aceebf4ad44b25d253cac4063e2ccde9028\r\n478eb22a1f1be2ef6e70625cf42ca61c716389135acbb705c0e21f0cf330bf46\r\n47a71eb078b14a92eb5fb990f606aa48e535860af90ebc5e075c8b2e4d829633\r\n4b7fa864007357e3e799eeb4a9630425652178551a9c37181fc6ea86660af814\r\n4ba95478ea0ac78e038d30693fabf95244bd70e40b36b2a928f3854551d6fa78\r\n4bed4960a896ebeafa9a9421d7ecf389205a2f0216ad911bdcd80f28237159e6\r\n4e40aaddf718b70f397d449f8ca9a577ef0106f281ccb50f0b5cde531b758881\r\n5305556bee271232973a9e09c4776a3b386964112785db638b225b2cc61d9af7\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 17 of 20\n\n53e451750c099f33f80a3652d9f2a804390de0f867af13ae22ad0fbf4b15f8c3\r\n5493fa6f2ab69da66352532b2c13e7e461bcde6cc2810a6f6af88e139dde1ae7\r\n5665c96975c959b5e8057b7aed46f7c203335aefa35f5e290c538e9300e3e293\r\n5b9481d9022b0efcaed04513d338048de4aa3e1328bacc0966486ef322c0d086\r\n5eb3bb67656d990ceec07f55c78dcd8032a7cf00ac919a399e3642b177f68381\r\n60ecef2d0a966db913bff15872c072175b895e16271351c43e5a0cf9e4018f22\r\n643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2\r\n69ad389722dd8b49590b2aa014f703b39737894073c7339ea44c94d296e00273\r\n78f6c822cee2b0587df145d67478cce5bbeb76147a7846d08b7b6fd09aa36ce2\r\n796c245c5bb1e7c1dcd52c4e8f83e1c707e391f6409ee9b5e1dd18658ff0e05f\r\n7df313618a02e8e9961ddb1c3289956eb18361f1ca9fb639d64a00fae7568a4b\r\n7e5ba9e3ccc1cb52d24c21c6d378a32bb540a8519789d8cf796e5dd351fc6958\r\n8907a8454ef56d64bf788b9c8c64bbaaf187be7a9666d8d8331fd187c49c6031\r\n8a28e457b19060678d5d007b291722e1dea92f69249e1588ca5b97eb1fe10807\r\n8cc2e1104480875ee237bf4ca9f3d83e46ca213f5c88df95be0d78e05c7c2d71\r\n8cf8bea6842219e565720919372e4aa530942b28d533231043ee57e7bb424cbe\r\n8d8c3b6be212ce645566311ce95ad9ad3aad37795042882adefda9716deb2eab\r\n8e63b1f7f8e29b9a714f796e2e8ca0cd1094086e2d0a5de21601e23e1792a906\r\n9125c13250a14905a4fd97978a3a6dbba80df01e73d98f8d4fa2d19b49d9fda0\r\n9314ea889f93da5cd39129840a42bd5f228538686a2345f56e757e5a5d956dee\r\n9bf7a01254fed809e0f564f28a3cf54156ea98f85d3b633ae3a213a87f9db143\r\n9dfb8ed499b667d782ae3a4ce40472893a789ed973f48884b47358536b6a76e8\r\n9fa7574f35fae3d309c8cefe0e8a43d07afb6cefaee0caa3b2538263bd4a7ec5\r\na01ac4244102e3958296c70d71e3d951f11abcc355458d1918d081587b151d90\r\na08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87\r\na29e108e912c77ed565873bd205da01ed0e6001d18b442139c06827428d2eba1\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 18 of 20\n\na3b45619606d4c3c487047786e3d51a98fdcc1fdc43dc7b6f6e80974fd0a9c97\r\na695cb493631962a4c2fd61a094cb0b952ce708a99af714772cddd4991f32df0\r\nae6ee6bf2f9890ed83922e5c80770dd88faa9b32b2211462ea2eed29bf1bf6c5\r\nb14af38c4230de20c7c4fefc1e3c5fffb1562bacedfebc56a508f55182a6fe88\r\nb1ebe1794e091fd82a34d6806f18f64ebadb5d3b2343a661c481fb7c54cb872f\r\nb2a91277e5fb40a0a38215142f683554b4e7c03ccd439e0d056c56b031a5bec5\r\nb72d9ae8484b91ec9c6167e6707617f495622f3b684f6b3e30b29106891c778b\r\nbb4f812f8bb4e7b33d7b583407370a5351d079f63b26956adc7ab317b3d90601\r\nbdd6bd29937059dd944fb09163a24e4482c5ce420d3de749e5e46c6c25b2ea86\r\nc2a95f22cfee1f4df67a424e30425b59c23db265bff611f2ee653d71b30a70d8\r\nca67f61b5f8d20ec3f45dbbfc355045a8ceee15396f1cad032850a3ee23a42b3\r\ncd3f064d088a3a6a6ad03da148701fb6b660866b8aac2a808359505620166641\r\nd7967661947ca835deddec30ae6e62d580718cbdeafb42cd6d0f038a407edcf0\r\nd9cea34db0d1dc016dd4007d8cd11416f095c41b0639f13af1eb6ad675651df2\r\ndb282cae419ed5af3338f65f170ecd7b312cac2500b5cb2c8824721ba981c361\r\ndb41e032193becc097d0da85cac74cf1f519b85cf731f783ccea11c1e20ad23f\r\ne09c36993e1c29b6ef0f1c73e02aee54686c0df49b6d87b577e70f261313acaf\r\ne13f20752f6298728ac0463a3f4b0657d5657ca7710e63a27ac1179078ac71f6\r\ne1448680114cb3dd06aa81a3b1037f77e6d5b3f6dce213aa38cffdec72d59e74\r\nf2f23a963952c1a822484382bf4c68cd8b7278400ad2d8bacf3235ba2fc42a89\r\nfa292bfcf81223bab0f79d4ce08187e37d68960005629df0241ea22f0b95d7a8\r\nfc589aa3529a057fee52a1c9bd9bb19fa42bbfd291b7dbb3791e77eced376640\r\nffcae0093d509563b47b1d0cef3aa455a4358de3a1d2c2b84c298a927aa238e8\r\nWhiteSnake Stealer:\r\n6dce9024ec032390ca4294f62cb282a09291cf141cb003f7e0ef23bb7a34bfae\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 19 of 20\n\nSource: https://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nhttps://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intezer.com/blog/research/babble-babble-babble-babble-babble-babble-babbleloader/"
	],
	"report_names": [
		"babble-babble-babble-babble-babble-babble-babbleloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775791195,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25e7f8734139e8753f7063e05bb457c50b0c5502.pdf",
		"text": "https://archive.orkl.eu/25e7f8734139e8753f7063e05bb457c50b0c5502.txt",
		"img": "https://archive.orkl.eu/25e7f8734139e8753f7063e05bb457c50b0c5502.jpg"
	}
}