babadeda | 86be6338e4d75689fc329804b275191df2707927e8d0424d0eb08eb7014f5148

General

Target

SushiSwap-dApp-3.1.0-installer.exe
Size

118.7MB
MD5

6d18c493a8795bd7ee7d25577b40ca14
SHA1

50c8c47bd149db109d79ccee985eb20b52abbb87
SHA256

86be6338e4d75689fc329804b275191df2707927e8d0424d0eb08eb7014f5148
SHA512

b275a81ea6953b09c622c43edba117790c737f8cf92f0e8a6275d1ea879ad4e9a0c776360bc1d199cc5b14a6468f985d4991485d89c0a63e9b23170ae90b4996

Score

10^/10

babadeda remcos sys32 crypter loader rat

Malware Config

Extracted

Family

remcos

Botnet

Sys32

C2

157.90.1.54:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
Sys-PVUZ63
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000141f8-107.dat	family_babadeda
behavioral1/memory/1688-114-0x0000000004EC0000-0x0000000008EC0000-memory.dmp	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
592	SushiSwap-dApp-3.1.0-installer.tmp
884	makecat.exe
1688	link.exe

Loads dropped DLL 24 IoCs

pid	Process
808	SushiSwap-dApp-3.1.0-installer.exe
592	SushiSwap-dApp-3.1.0-installer.tmp
592	SushiSwap-dApp-3.1.0-installer.tmp
592	SushiSwap-dApp-3.1.0-installer.tmp
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe
1688	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
592	SushiSwap-dApp-3.1.0-installer.tmp
592	SushiSwap-dApp-3.1.0-installer.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1688	link.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
592	SushiSwap-dApp-3.1.0-installer.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	link.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 808 wrote to memory of 592	808	SushiSwap-dApp-3.1.0-installer.exe	29
PID 592 wrote to memory of 884	592	SushiSwap-dApp-3.1.0-installer.tmp	30
PID 592 wrote to memory of 884	592	SushiSwap-dApp-3.1.0-installer.tmp	30
PID 592 wrote to memory of 884	592	SushiSwap-dApp-3.1.0-installer.tmp	30
PID 592 wrote to memory of 884	592	SushiSwap-dApp-3.1.0-installer.tmp	30
PID 592 wrote to memory of 1688	592	SushiSwap-dApp-3.1.0-installer.tmp	32
PID 592 wrote to memory of 1688	592	SushiSwap-dApp-3.1.0-installer.tmp	32
PID 592 wrote to memory of 1688	592	SushiSwap-dApp-3.1.0-installer.tmp	32
PID 592 wrote to memory of 1688	592	SushiSwap-dApp-3.1.0-installer.tmp	32

C:\Users\Admin\AppData\Local\Temp\SushiSwap-dApp-3.1.0-installer.exe
"C:\Users\Admin\AppData\Local\Temp\SushiSwap-dApp-3.1.0-installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\is-E76TK.tmp\SushiSwap-dApp-3.1.0-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E76TK.tmp\SushiSwap-dApp-3.1.0-installer.tmp" /SL5="$7014A,123591408,908288,C:\Users\Admin\AppData\Local\Temp\SushiSwap-dApp-3.1.0-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe"
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-62-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/592-60-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/808-55-0x0000000000400000-0x00000000004EB000-memory.dmp

Filesize
940KB

Download
memory/808-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1688-108-0x0000000002480000-0x00000000024F7000-memory.dmp

Filesize
476KB

Download
memory/1688-114-0x0000000004EC0000-0x0000000008EC0000-memory.dmp

Filesize
64.0MB

Download

Analysis

Sharing