General

  • Target

    75c776cde19a4520608cc886704eb2623b274c6d7662079a292370d03a82c61e

  • Size

    319KB

  • Sample

    221210-jxfv1sfb39

  • MD5

    7e41f5753ed8d35687df470f3409bad1

  • SHA1

    43080c7f6bd0c2458342d6f92c58e9491f5b5d02

  • SHA256

    75c776cde19a4520608cc886704eb2623b274c6d7662079a292370d03a82c61e

  • SHA512

    8de8644976af6fc6a0c3e9515f1e9c9419390bb12583ea63b8945a502963637e02ff87e7f081323a5eb09fe24af138a70a325f0cc13e20353198eb3917d41185

  • SSDEEP

    3072:wXuWAqqLvVZePF6CcL5mRR9pmePA0qabKZXwqTiKdwTeB9yyOYW6Al2IYInW:klA1LSPF6CcAfVPTKFdDwTO9iflXYCW

Malware Config

Targets

    • Target

      75c776cde19a4520608cc886704eb2623b274c6d7662079a292370d03a82c61e

    • Size

      319KB

    • MD5

      7e41f5753ed8d35687df470f3409bad1

    • SHA1

      43080c7f6bd0c2458342d6f92c58e9491f5b5d02

    • SHA256

      75c776cde19a4520608cc886704eb2623b274c6d7662079a292370d03a82c61e

    • SHA512

      8de8644976af6fc6a0c3e9515f1e9c9419390bb12583ea63b8945a502963637e02ff87e7f081323a5eb09fe24af138a70a325f0cc13e20353198eb3917d41185

    • SSDEEP

      3072:wXuWAqqLvVZePF6CcL5mRR9pmePA0qabKZXwqTiKdwTeB9yyOYW6Al2IYInW:klA1LSPF6CcAfVPTKFdDwTO9iflXYCW

    • Babadeda

      Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    • Babadeda Crypter

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks