babadeda | fa059ce2f6d88b5904965f6958d3ae4c6159bd788fb24debf2e463055ef77a1b

General

Target

448166ffa55d2d5fbf0cfaefb21826f6.exe
Size

118.6MB
MD5

448166ffa55d2d5fbf0cfaefb21826f6
SHA1

e946af3ab6614f0b20515a3fa8b5a73210e8932d
SHA256

a69ac6cbe1ce50215d3f6df173f38bb3f9de174d32c87afbb7146662214b570b
SHA512

d9147720d3e691091c8a376776429eee992ab7a1b656109b091892483200b71606242dff085ca705807f081703ac7d182150f631a657c6a2d568b67b9bb32d55

Score

10^/10

babadeda remcos sys32 crypter loader persistence rat

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

Sys32

C2

157.90.1.54:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
Sys-PVUZ63
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000141ca-108.dat	family_babadeda
behavioral1/memory/304-115-0x0000000004F50000-0x0000000008F50000-memory.dmp	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp
268	makecat.exe
304	link.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cplinker.lnk	link.exe

Loads dropped DLL 25 IoCs

pid	Process
976	448166ffa55d2d5fbf0cfaefb21826f6.exe
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe
304	link.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cross Platform Linker = "C:\\Users\\Admin\\AppData\\Roaming\\MiPony Installer\\link.exe"	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
304	link.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
304	link.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 976 wrote to memory of 1192	976	448166ffa55d2d5fbf0cfaefb21826f6.exe	27
PID 1192 wrote to memory of 268	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	30
PID 1192 wrote to memory of 268	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	30
PID 1192 wrote to memory of 268	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	30
PID 1192 wrote to memory of 268	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	30
PID 1192 wrote to memory of 304	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	32
PID 1192 wrote to memory of 304	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	32
PID 1192 wrote to memory of 304	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	32
PID 1192 wrote to memory of 304	1192	448166ffa55d2d5fbf0cfaefb21826f6.tmp	32

C:\Users\Admin\AppData\Local\Temp\448166ffa55d2d5fbf0cfaefb21826f6.exe
"C:\Users\Admin\AppData\Local\Temp\448166ffa55d2d5fbf0cfaefb21826f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\is-TIGD9.tmp\448166ffa55d2d5fbf0cfaefb21826f6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TIGD9.tmp\448166ffa55d2d5fbf0cfaefb21826f6.tmp" /SL5="$5014A,123570416,887296,C:\Users\Admin\AppData\Local\Temp\448166ffa55d2d5fbf0cfaefb21826f6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe"
    3⤵
    - Executes dropped EXE
    PID:268
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/304-109-0x0000000000D40000-0x0000000000DB7000-memory.dmp

Filesize
476KB

Download
memory/304-115-0x0000000004F50000-0x0000000008F50000-memory.dmp

Filesize
64.0MB

Download
memory/976-56-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/976-55-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1192-63-0x00000000740F1000-0x00000000740F3000-memory.dmp

Filesize
8KB

Download
memory/1192-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing