babadeda | 6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89

General

Target

6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe
Size

9.8MB
MD5

d6377909699a6a022d422028c9f4f3e2
SHA1

86f72055b86de2a61b51779f75ac2c30a88416a7
SHA256

6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89
SHA512

8d3e071e4259bfd48d7f5b2157b1d0c57ab93ad9749e42845938a4e27e9e07dd1c85c8e31b73c00ea79f0c8d1a599300b7c56a3be2045673fd7c421f27d2bbbc

Score

10^/10

babadeda remcos remotehost crypter loader rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

hoefeynacia.xyz:2299

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-I8SK9W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000134d9-107.dat	family_babadeda
behavioral1/memory/1364-114-0x0000000008170000-0x000000000D270000-memory.dmp	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
888	mspdbcmf.exe
1364	link.exe

Loads dropped DLL 23 IoCs

pid	Process
1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe
1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe
1364	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Detects BABADEDA Crypter 2 IoCs

Detects BABADEDA Crypter.

resource	yara_rule
behavioral1/files/0x00060000000134d9-107.dat	BABADEDA_Crypter
behavioral1/memory/1364-114-0x0000000008170000-0x000000000D270000-memory.dmp	BABADEDA_Crypter

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1364	link.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1616 wrote to memory of 1612	1616	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	27
PID 1612 wrote to memory of 888	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	28
PID 1612 wrote to memory of 888	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	28
PID 1612 wrote to memory of 888	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	28
PID 1612 wrote to memory of 888	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	28
PID 1612 wrote to memory of 1364	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	30
PID 1612 wrote to memory of 1364	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	30
PID 1612 wrote to memory of 1364	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	30
PID 1612 wrote to memory of 1364	1612	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	30

C:\Users\Admin\AppData\Local\Temp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe
"C:\Users\Admin\AppData\Local\Temp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\is-ARSTO.tmp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ARSTO.tmp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp" /SL5="$4014E,9445066,826880,C:\Users\Admin\AppData\Local\Temp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\mspdbcmf.exe
    "C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\mspdbcmf.exe"
    3⤵
    - Executes dropped EXE
    PID:888
- - C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\link.exe
    "C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\link.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-108-0x0000000005E10000-0x0000000005E8B000-memory.dmp

Filesize
492KB

Download
memory/1364-114-0x0000000008170000-0x000000000D270000-memory.dmp

Filesize
81.0MB

Download
memory/1612-62-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1612-61-0x0000000000720000-0x0000000000860000-memory.dmp

Filesize
1.2MB

Download
memory/1612-63-0x00000000746C1000-0x00000000746C3000-memory.dmp

Filesize
8KB

Download
memory/1616-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/1616-56-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download

Analysis

Sharing