babadeda | f3be2e863702dbf427638492c35ac59f43f05bc451d667ba88798de67227ea79

General

Target

GitCoin-dApp-2.1.2-installer.exe
Size

118.6MB
MD5

53700031ae88e5c268791f39d4cda497
SHA1

4a43ebfc2c9aa93e977010779923bbcac160c38a
SHA256

f3be2e863702dbf427638492c35ac59f43f05bc451d667ba88798de67227ea79
SHA512

1356548c3fc862894f1e30997910f8f44e2928a38fa132749e2ce9a9ea95126557798304fb6833d603962979405f21f8a8225b2bb0d42a594ae5e1722a47f5ea

Score

10^/10

babadeda remcos crypter loader rat

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001404e-109.dat	family_babadeda
behavioral1/memory/1040-110-0x00000000052C0000-0x00000000092C0000-memory.dmp	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 3 IoCs

pid	Process
1412	GitCoin-dApp-2.1.2-installer.tmp
1160	makecat.exe
1040	link.exe

Loads dropped DLL 23 IoCs

pid	Process
1148	GitCoin-dApp-2.1.2-installer.exe
1412	GitCoin-dApp-2.1.2-installer.tmp
1412	GitCoin-dApp-2.1.2-installer.tmp
1412	GitCoin-dApp-2.1.2-installer.tmp
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe
1040	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1412	GitCoin-dApp-2.1.2-installer.tmp
1412	GitCoin-dApp-2.1.2-installer.tmp

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1048	AUDIODG.EXE
Token: 33	1048	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1048	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1412	GitCoin-dApp-2.1.2-installer.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1040	link.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1148 wrote to memory of 1412	1148	GitCoin-dApp-2.1.2-installer.exe	29
PID 1412 wrote to memory of 1160	1412	GitCoin-dApp-2.1.2-installer.tmp	30
PID 1412 wrote to memory of 1160	1412	GitCoin-dApp-2.1.2-installer.tmp	30
PID 1412 wrote to memory of 1160	1412	GitCoin-dApp-2.1.2-installer.tmp	30
PID 1412 wrote to memory of 1160	1412	GitCoin-dApp-2.1.2-installer.tmp	30
PID 1412 wrote to memory of 1040	1412	GitCoin-dApp-2.1.2-installer.tmp	32
PID 1412 wrote to memory of 1040	1412	GitCoin-dApp-2.1.2-installer.tmp	32
PID 1412 wrote to memory of 1040	1412	GitCoin-dApp-2.1.2-installer.tmp	32
PID 1412 wrote to memory of 1040	1412	GitCoin-dApp-2.1.2-installer.tmp	32

C:\Users\Admin\AppData\Local\Temp\GitCoin-dApp-2.1.2-installer.exe
"C:\Users\Admin\AppData\Local\Temp\GitCoin-dApp-2.1.2-installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\is-H59RN.tmp\GitCoin-dApp-2.1.2-installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H59RN.tmp\GitCoin-dApp-2.1.2-installer.tmp" /SL5="$E0150,123558640,875520,C:\Users\Admin\AppData\Local\Temp\GitCoin-dApp-2.1.2-installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe"
    3⤵
    - Executes dropped EXE
    PID:1160
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1040-110-0x00000000052C0000-0x00000000092C0000-memory.dmp

Filesize
64.0MB

Download
memory/1148-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1148-56-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1412-64-0x0000000074BA1000-0x0000000074BA3000-memory.dmp

Filesize
8KB

Download
memory/1412-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing