babadeda | 642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-01-2022 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
Size

5.7MB
MD5

ddd5bb53200e40fc5b34fd7e6448e815
SHA1

0e55418801977101a01d86661b91708dcbeb77a3
SHA256

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5
SHA512

69251a229641307125d41cb15533384b2bea21713d4b78312bba0a9fdcf772fd238ba78f8f99a4f8a4aa031e0177a6319d740213d6176b2f829ca0bd865da823

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

185.163.45.132:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Direct Search\menu.xml	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 3 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmpadminsentry.exe

pid	process
1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
304	adminsentry.exe

Loads dropped DLL 5 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmpadminsentry.exe

pid	process
976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
304	adminsentry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

pid	process
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

pid process

872 642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp

C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
"C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp" /SL5="$70152,5153887,831488,C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
"C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe" /VERYSILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp" /SL5="$80152,5153887,831488,C:\Users\Admin\AppData\Local\Temp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe
"C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
C:\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe
MD5
298a9a9ed40fb6ca3bdeebcce0264f40

SHA1
c04728f7b70a1ac89754ad93470cee19943f0bdd

SHA256
055859fa37ea4b1344c575b02975bac8b87adc667e3674aaa010d6c5ad4a840a

SHA512
26aeb9c9ecace8dba902a687a06ef925d22a66e86e96a5dc750ea576228932a58419afbb0c561c0bbcbd965c7dc18e1eeda892ea0a5f1a24bc4dbc09c923b66c

Download Submit
C:\Users\Admin\AppData\Roaming\Direct Search\libvorbisenc-2.dll
MD5
4b818c47ec6801a6bb166a317af2c96e

SHA1
e1b21af50829d4b937d16f9406381c183c2a7faf

SHA256
585fa2834094efea7ed8fe2c9597394f1fdd3cae75e1f8cc1a8ce9bf3206b62f

SHA512
1aecb53c24f802615fc375e75d484d220ce81b32c8a48aaa992440b44e3486adb74e40967988cf934a2579809dd0099e5384e38a79beae4ca751cfb7b110e90d

Download Submit
C:\Users\Admin\AppData\Roaming\Direct Search\menu.xml
MD5
fb538dc26cbcc346b34059f360373f1a

SHA1
5058bd28c88abb61f7d734477f809d6d6cee8afb

SHA256
14059b988a302a0b180c73c6707ea63f85fdee827b1fa35330467a2974a0ab63

SHA512
f31420098ce181d1c6debe9cfd098fd0a9485230bcc5e970b0b70368afa9c9850a32f5cecc0b8da44673d658b033c9ae043b430a04ab1fb96c2fa2d93b4e87cb

Download Submit
\Users\Admin\AppData\Local\Temp\is-ASEER.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
\Users\Admin\AppData\Local\Temp\is-GQHPQ.tmp\642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
MD5
0b5f6afebd00a69abd16c9f663b4ae11

SHA1
1539cafe14971109dda8c1fb5fab81770e649e2e

SHA256
2acf8c741447feae0cefa3be0e83b06af6f2e6ef8d7a16c6712b3bf029ec8433

SHA512
50196bdbc3b860f1340b6177f14bb2ef8a310f29cffd25a044f9f63096fcbfea908cedc31246a4505b648a5fdb112c10827bf35cf1181a9bde7fe3c311471d91

Download Submit
\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe
MD5
298a9a9ed40fb6ca3bdeebcce0264f40

SHA1
c04728f7b70a1ac89754ad93470cee19943f0bdd

SHA256
055859fa37ea4b1344c575b02975bac8b87adc667e3674aaa010d6c5ad4a840a

SHA512
26aeb9c9ecace8dba902a687a06ef925d22a66e86e96a5dc750ea576228932a58419afbb0c561c0bbcbd965c7dc18e1eeda892ea0a5f1a24bc4dbc09c923b66c

Download Submit
\Users\Admin\AppData\Roaming\Direct Search\adminsentry.exe
MD5
298a9a9ed40fb6ca3bdeebcce0264f40

SHA1
c04728f7b70a1ac89754ad93470cee19943f0bdd

SHA256
055859fa37ea4b1344c575b02975bac8b87adc667e3674aaa010d6c5ad4a840a

SHA512
26aeb9c9ecace8dba902a687a06ef925d22a66e86e96a5dc750ea576228932a58419afbb0c561c0bbcbd965c7dc18e1eeda892ea0a5f1a24bc4dbc09c923b66c

Download Submit
\Users\Admin\AppData\Roaming\Direct Search\libvorbisenc-2.dll
MD5
4b818c47ec6801a6bb166a317af2c96e

SHA1
e1b21af50829d4b937d16f9406381c183c2a7faf

SHA256
585fa2834094efea7ed8fe2c9597394f1fdd3cae75e1f8cc1a8ce9bf3206b62f

SHA512
1aecb53c24f802615fc375e75d484d220ce81b32c8a48aaa992440b44e3486adb74e40967988cf934a2579809dd0099e5384e38a79beae4ca751cfb7b110e90d

Download Submit
memory/304-75-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/576-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/872-66-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/872-65-0x0000000074F11000-0x0000000074F13000-memory.dmp

Filesize
8KB

Download
memory/976-53-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

description	pid	process	target process
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 976 wrote to memory of 1164	976	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 1164 wrote to memory of 576	1164	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 576 wrote to memory of 872	576	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.exe	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe
PID 872 wrote to memory of 304	872	642c7333927b2581ffc854f55793677a203788fb55a53e8916ae58d4cd0828f5.tmp	adminsentry.exe