babadeda | 642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5

General

Target

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
Size

5.7MB
MD5

ddd5bb53200e40fc5b34fd7e6448e815
SHA1

0e55418801977101a01d86661b91708dcbeb77a3
SHA256

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5
SHA512

69251a229641307125d41cb15533384b2bea21713d4b78312bba0a9fdcf772fd238ba78f8f99a4f8a4aa031e0177a6319d740213d6176b2f829ca0bd865da823

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

C2

185.163.45.132:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000013a0f-73.dat	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 3 IoCs

pid	Process
1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
304	adminsentry.exe

Loads dropped DLL 5 IoCs

pid	Process
976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
304	adminsentry.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	27
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	28
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	29
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	30
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	30
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	30
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	30

C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
"C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp" /SL5="$70152,5153887,831488,C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
    "C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp" /SL5="$80152,5153887,831488,C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe
        
        "C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-75-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/576-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/872-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/872-65-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/976-53-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing