babadeda | fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e

General

Target

fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe
Size

8.8MB
MD5

d33c96fb7da2d99335f17ef258aaf38f
SHA1

16f8536b284f5b1805fa1225772f530a5d10e32c
SHA256

fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e
SHA512

464d63809197f3652a0a44bd5ebb3745a6be6fd38bd5d0441694308b402ce75e141c97e992fa604c41a136b30d6dea18774ce9e32debdb14d6fbe14b77632354

Score

10^/10

babadeda bitrat crypter discovery loader trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

185.157.162.75:443

Attributes

communication_password
9a08a0de8505c164e6416807e8627aba
tor_process
tor

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\cds.xml	family_babadeda

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

ImageTuner.exe

pid process

1928 ImageTuner.exe
Loads dropped DLL 2 IoCs

Processes:

fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exeImageTuner.exe

pid process

1736 fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe
1928 ImageTuner.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

ImageTuner.exe

pid process

1928 ImageTuner.exe
1928 ImageTuner.exe
1928 ImageTuner.exe
1928 ImageTuner.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ImageTuner.exe

description pid process

Token: SeDebugPrivilege 1928 ImageTuner.exe
Token: SeShutdownPrivilege 1928 ImageTuner.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ImageTuner.exe

pid process

1928 ImageTuner.exe
1928 ImageTuner.exe

pid	process
1928	ImageTuner.exe

pid	process
1736	fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe
1928	ImageTuner.exe

pid	process
1928	ImageTuner.exe
1928	ImageTuner.exe
1928	ImageTuner.exe
1928	ImageTuner.exe

description	pid	process
Token: SeDebugPrivilege	1928	ImageTuner.exe
Token: SeShutdownPrivilege	1928	ImageTuner.exe

pid	process
1928	ImageTuner.exe
1928	ImageTuner.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe

description	pid	process	target process
PID 1736 wrote to memory of 1928	1736	fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe	ImageTuner.exe
PID 1736 wrote to memory of 1928	1736	fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe	ImageTuner.exe
PID 1736 wrote to memory of 1928	1736	fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe	ImageTuner.exe
PID 1736 wrote to memory of 1928	1736	fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe	ImageTuner.exe

C:\Users\Admin\AppData\Local\Temp\fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe
"C:\Users\Admin\AppData\Local\Temp\fc1d1af6949a3478a4624ea89cc63cd5d6f2e95c45f687992073b5fddd54293e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe
"C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe

Filesize
7.9MB

MD5
fd342536ab9fe7e42f422a77a2b271d4

SHA1
f083f2281fa60fdc9e80966701e6437386e20cd9

SHA256
d7681dc0bacb86a5e2feebfc48d1f060a1dc4749ca1c48cf5a9d3125fae236c2

SHA512
324a0dd8f94e8d7138418a52548b3017350b1921a6f7f4afdfec94c368cb31e5eae663c96764565ba682a6e3aa8ff92534e9785a88307e6de039463c1753fd45

Download Submit
C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\cds.xml

Filesize
9.0MB

MD5
5f0a41ab686de22e1834eb9a01dd0ecd

SHA1
d78312c7b35b192d1a57ae8e2308371cc1251d3a

SHA256
28b5efd92a22241d1bdc6bd0fe27fd61052fa0331528d1a19970a023f9a2fbda

SHA512
374132d4fae3860f3ca66a780f4ff9e7e284173a917b6fd5fb5a3a96be29ab867e419968df56572f060ec5ed94021b1e6072587e3520d694a3143071596d4c69

Download Submit
C:\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\libintl-8.dll

Filesize
4.1MB

MD5
108065b072b922ffa3e269423fce2a07

SHA1
83905c9282cd27cd591a5204b622d59153315e30

SHA256
81e9e18f628287e0081e551ba2e7ce1fbcf2d6530710888f78a49584f16fce09

SHA512
ca2720b452fca6f01f5b1a692c4eab50c66549883a94c638039b4dfd5d7bcdfadf4fdac266e9b14cc7e0a3499096371cece3781cd21350a1c27cf67ffb84e640

Download Submit
\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\ImageTuner.exe

Filesize
7.9MB

MD5
fd342536ab9fe7e42f422a77a2b271d4

SHA1
f083f2281fa60fdc9e80966701e6437386e20cd9

SHA256
d7681dc0bacb86a5e2feebfc48d1f060a1dc4749ca1c48cf5a9d3125fae236c2

SHA512
324a0dd8f94e8d7138418a52548b3017350b1921a6f7f4afdfec94c368cb31e5eae663c96764565ba682a6e3aa8ff92534e9785a88307e6de039463c1753fd45

Download Submit
\Users\Admin\AppData\Roaming\Glorylogic\Image Tuner\libintl-8.dll

Filesize
4.1MB

MD5
108065b072b922ffa3e269423fce2a07

SHA1
83905c9282cd27cd591a5204b622d59153315e30

SHA256
81e9e18f628287e0081e551ba2e7ce1fbcf2d6530710888f78a49584f16fce09

SHA512
ca2720b452fca6f01f5b1a692c4eab50c66549883a94c638039b4dfd5d7bcdfadf4fdac266e9b14cc7e0a3499096371cece3781cd21350a1c27cf67ffb84e640

Download Submit
memory/1736-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1736-58-0x00000000030D0000-0x00000000038FB000-memory.dmp

Filesize
8.2MB

Download
memory/1928-56-0x0000000000000000-mapping.dmp

Download
memory/1928-62-0x00000000013D0000-0x0000000001BFB000-memory.dmp

Filesize
8.2MB

Download
memory/1928-64-0x00000000013D0000-0x0000000001BFB000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing