babadeda | ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937 | Triage

Submit
Reports

Overview

overview

Static

static

ca64b1e995...37.msi

windows7_x64

ca64b1e995...37.msi

windows10-2004_x64

Sharing

General

Target

ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937
Size

22.0MB
Sample

220626-xkb8yseab4
MD5

9c1c49947a2cb029af26cb301d936974
SHA1

1a4450f3719b505904c6b36de8c13ea6f838bb4a
SHA256

ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937
SHA512

5f0c89d766980857285fff9dc8293f60b82624ef0e51a9b647f03f192433338437320db42062fa8494d63dd9ef65ac1cc1b6bef47cd1da858e0568346d90553a

Score

10^/10

babadeda remcos win32lux crypter loader rat

Static task

static1

Behavioral task

behavioral1

Sample

ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937.msi

Resource

win7-20220414-en

babadeda remcos win32lux crypter loader rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937.msi

Resource

win10v2004-20220414-en

babadeda remcos win32lux crypter loader rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Botnet

Win32LUX

C2

144.91.79.86:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Win32_64.exe
copy_folder
Logs
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%UserProfile%
keylog_crypt
false
keylog_file
log.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
GDSGFDS42424FSAF-RP31EK
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Targets

- Target
  
  ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937
- Size
  
  22.0MB
- MD5
  
  9c1c49947a2cb029af26cb301d936974
- SHA1
  
  1a4450f3719b505904c6b36de8c13ea6f838bb4a
- SHA256
  
  ca64b1e99580e69332a4ab3075c51f39880f6e291e802535a887b52b626f1937
- SHA512
  
  5f0c89d766980857285fff9dc8293f60b82624ef0e51a9b647f03f192433338437320db42062fa8494d63dd9ef65ac1cc1b6bef47cd1da858e0568346d90553a
Score

10^/10

babadeda remcos win32lux crypter loader rat
- Babadeda
  Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
  loader crypter babadeda
- Babadeda Crypter
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

babadedaremcoswin32luxcrypterloaderrat

behavioral2

babadedaremcoswin32luxcrypterloaderrat

© 2018-2024

Terms | Privacy