babadeda | 6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89

General

Target

6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe
Size

9.8MB
MD5

d6377909699a6a022d422028c9f4f3e2
SHA1

86f72055b86de2a61b51779f75ac2c30a88416a7
SHA256

6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89
SHA512

8d3e071e4259bfd48d7f5b2157b1d0c57ab93ad9749e42845938a4e27e9e07dd1c85c8e31b73c00ea79f0c8d1a599300b7c56a3be2045673fd7c421f27d2bbbc

Score

10^/10

babadeda remcos crypter loader rat

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ab64-134.dat	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
2832	mspdbcmf.exe
4048	link.exe

Loads dropped DLL 6 IoCs

pid	Process
4048	link.exe
4048	link.exe
4048	link.exe
4048	link.exe
4048	link.exe
4048	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Detects BABADEDA Crypter 1 IoCs

Detects BABADEDA Crypter.

resource	yara_rule
behavioral2/files/0x000500000001ab64-134.dat	BABADEDA_Crypter

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4048	link.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 3672	3500	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	68
PID 3500 wrote to memory of 3672	3500	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	68
PID 3500 wrote to memory of 3672	3500	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe	68
PID 3672 wrote to memory of 2832	3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	69
PID 3672 wrote to memory of 2832	3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	69
PID 3672 wrote to memory of 2832	3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	69
PID 3672 wrote to memory of 4048	3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	71
PID 3672 wrote to memory of 4048	3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	71
PID 3672 wrote to memory of 4048	3672	6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp	71

C:\Users\Admin\AppData\Local\Temp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe
"C:\Users\Admin\AppData\Local\Temp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Local\Temp\is-K1GR3.tmp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-K1GR3.tmp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.tmp" /SL5="$3005E,9445066,826880,C:\Users\Admin\AppData\Local\Temp\6c649004f8b888d4c72ce40cc8e0b722c545093d949b36507fd4a77ebfcbab89.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\mspdbcmf.exe
    "C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\mspdbcmf.exe"
    3⤵
    - Executes dropped EXE
    PID:2832
- - C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\link.exe
    "C:\Users\Admin\AppData\Roaming\Auslogics File Recovery\link.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3500-114-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/3672-117-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing