babadeda | 642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-01-2022 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
Size

5.7MB
MD5

ddd5bb53200e40fc5b34fd7e6448e815
SHA1

0e55418801977101a01d86661b91708dcbeb77a3
SHA256

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5
SHA512

69251a229641307125d41cb15533384b2bea21713d4b78312bba0a9fdcf772fd238ba78f8f99a4f8a4aa031e0177a6319d740213d6176b2f829ca0bd865da823

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

185.163.45.132:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Direct Search\menu.xml	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 3 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmpadminsentry.exe

pid	process
1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
304	adminsentry.exe

Loads dropped DLL 5 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmpadminsentry.exe

pid	process
976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
304	adminsentry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

pid	process
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

pid process

872 642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
"C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp" /SL5="$70152,5153887,831488,C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
    "C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp" /SL5="$80152,5153887,831488,C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe
        
        "C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe

MD5
298a9a9ed40fb6ca3bdeebcce0264f40

SHA1
c04728f7b70a1ac89754ad93470cee19943f0bdd

SHA256
055859fa37ea4b1344c575b02975bac8b87adc667e3674aaa010d6c5ad4a840a

SHA512
26aeb9c9ecace8dba902a687a06ef925d22a66e86e96a5dc750ea576228932a58419afbb0c561c0bbcbd965c7dc18e1eeda892ea0a5f1a24bc4dbc09c923b66c

Download Submit
C:\Users\Admin\AppData\Roaming\Direct Search\libvorbisenc-2.dll

MD5
4b818c47ec6801a6bb166a317af2c96e

SHA1
e1b21af50829d4b937d16f9406381c183c2a7faf

SHA256
585fa2834094efea7ed8fe2c9597394f1fdd3cae75e1f8cc1a8ce9bf3206b62f

SHA512
1aecb53c24f802615fc375e75d484d220ce81b32c8a48aaa992440b44e3486adb74e40967988cf934a2579809dd0099e5384e38a79beae4ca751cfb7b110e90d

Download Submit
C:\Users\Admin\AppData\Roaming\Direct Search\menu.xml

MD5
fb538dc26cbcc346b34059f360373f1a

SHA1
5058bd28c88abb61f7d734477f809d6d6cee8afb

SHA256
14059b988a302a0b180c73c6707ea63f85fdee827b1fa35330467a2974a0ab63

SHA512
f31420098ce181d1c6debe9cfd098fd0a9485230bcc5e970b0b70368afa9c9850a32f5cecc0b8da44673d658b033c9ae043b430a04ab1fb96c2fa2d93b4e87cb

Download Submit
\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe

MD5
298a9a9ed40fb6ca3bdeebcce0264f40

SHA1
c04728f7b70a1ac89754ad93470cee19943f0bdd

SHA256
055859fa37ea4b1344c575b02975bac8b87adc667e3674aaa010d6c5ad4a840a

SHA512
26aeb9c9ecace8dba902a687a06ef925d22a66e86e96a5dc750ea576228932a58419afbb0c561c0bbcbd965c7dc18e1eeda892ea0a5f1a24bc4dbc09c923b66c

Download Submit
\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe

MD5
298a9a9ed40fb6ca3bdeebcce0264f40

SHA1
c04728f7b70a1ac89754ad93470cee19943f0bdd

SHA256
055859fa37ea4b1344c575b02975bac8b87adc667e3674aaa010d6c5ad4a840a

SHA512
26aeb9c9ecace8dba902a687a06ef925d22a66e86e96a5dc750ea576228932a58419afbb0c561c0bbcbd965c7dc18e1eeda892ea0a5f1a24bc4dbc09c923b66c

Download Submit
\Users\Admin\AppData\Roaming\Direct Search\libvorbisenc-2.dll

MD5
4b818c47ec6801a6bb166a317af2c96e

SHA1
e1b21af50829d4b937d16f9406381c183c2a7faf

SHA256
585fa2834094efea7ed8fe2c9597394f1fdd3cae75e1f8cc1a8ce9bf3206b62f

SHA512
1aecb53c24f802615fc375e75d484d220ce81b32c8a48aaa992440b44e3486adb74e40967988cf934a2579809dd0099e5384e38a79beae4ca751cfb7b110e90d

Download Submit
memory/304-75-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/576-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/872-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/872-65-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/976-53-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

description	pid	process	target process
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe