General

  • Target

    aca68203af0b0d04226e4f0a90b7eb7e320c488b0e20a64872bfcea0f07b2096

  • Size

    319KB

  • Sample

    221210-kvk8dsfc43

  • MD5

    aad4844c41f3ecfa8237db11ae1e9124

  • SHA1

    7457cf6352a6124fa95f0f6764899462402fd7db

  • SHA256

    aca68203af0b0d04226e4f0a90b7eb7e320c488b0e20a64872bfcea0f07b2096

  • SHA512

    99b745c7e5f7c8c97c2cf73baf05e9bc2717bb591edcd59e396d325ffb3a2939c983ce654c293040ee123a10d3d7534394b775f92feac5bb243b8ce286a3a4eb

  • SSDEEP

    6144:z56jLzbORBEgTfR727E2AwGHH6dwwO0ZrrMC7C:z5G/bO3zjRJzwpRQEC

Targets

    • Target

      aca68203af0b0d04226e4f0a90b7eb7e320c488b0e20a64872bfcea0f07b2096

    • Size

      319KB

    • MD5

      aad4844c41f3ecfa8237db11ae1e9124

    • SHA1

      7457cf6352a6124fa95f0f6764899462402fd7db

    • SHA256

      aca68203af0b0d04226e4f0a90b7eb7e320c488b0e20a64872bfcea0f07b2096

    • SHA512

      99b745c7e5f7c8c97c2cf73baf05e9bc2717bb591edcd59e396d325ffb3a2939c983ce654c293040ee123a10d3d7534394b775f92feac5bb243b8ce286a3a4eb

    • SSDEEP

      6144:z56jLzbORBEgTfR727E2AwGHH6dwwO0ZrrMC7C:z5G/bO3zjRJzwpRQEC

    • Babadeda

      Babadeda is a crypter that is delivered disguised as a legitimate installer and is used to drop other malware families.

    • Babadeda Crypter

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and browsing history.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read to detect sandbox or virtual-machine environments.

    • Suspicious use of SetThreadContext

      Setting the context of a thread in another process is typical of process hollowing and other code-injection techniques.
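The host-profiling and data-access behaviours flagged above (location settings, Uninstall-key enumeration, drive mapping, browser, Outlook and wallet access) can be triaged from a Process Monitor export of the same run. The following is an added example, not code from the sandbox or the report: it scores each process in a constructed Procmon-style CSV by how many of those behaviours it exhibits. The process names, PIDs and the exact paths used for drives, browsers, Outlook and wallets are assumptions of this example; the country-code key is the standard HKCU\Control Panel\International\Geo location and the Uninstall key follows the report's own description.

```python
"""Added example, not part of the sandbox report: scores each process in a
Procmon-style CSV export against the host-profiling and data-access
behaviours listed in the report (location lookup, installed-software
enumeration, drive mapping, browser/Outlook/wallet access)."""
import csv
import io
from collections import defaultdict

# Lower-cased path fragments assumed to indicate each behaviour. The Geo key
# is the standard Windows country-code location and the Uninstall key follows
# the report; the disk, browser, Outlook and wallet paths are this example's
# own assumptions.
BEHAVIOURS = {
    "location_check":   [r"\control panel\international\geo"],
    "software_enum":    [r"\currentversion\uninstall"],
    "drive_mapping":    [r"\mounteddevices", r"\services\disk\enum"],
    "browser_data":     [r"\google\chrome\user data", r"\mozilla\firefox\profiles"],
    "outlook_profiles": [r"\outlook\profiles"],
    "crypto_wallets":   [r"\appdata\roaming\exodus", r"\appdata\roaming\electrum"],
}

# Only read-type operations count. Procmon logs registry queries; Sysmon does
# not (it records registry writes only), so a Sysmon feed would miss these.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey",
            "RegEnumValue", "CreateFile", "ReadFile", "QueryOpen"}

# Constructed Procmon-style export: process names, PIDs and paths are invented.
SAMPLE_EVENTS = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","setup.exe","1234","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:00:01.0000002","setup.exe","1234","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 0, Name: 7-Zip"
"10:00:01.0000003","setup.exe","1234","RegQueryValue","HKLM\SYSTEM\MountedDevices\\DosDevices\C:","SUCCESS","Type: REG_BINARY, Length: 12"
"10:00:01.0000004","setup.exe","1234","RegSetValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS",""
"10:00:02.0000001","explorer.exe","800","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:00:03.0000001","dropped.exe","2345","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 0, Name: 7-Zip"
"10:00:03.0000002","dropped.exe","2345","CreateFile","C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data","SUCCESS","Desired Access: Generic Read"
"10:00:03.0000003","dropped.exe","2345","RegOpenKey","HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook","SUCCESS",""
"10:00:03.0000004","dropped.exe","2345","QueryOpen","C:\Users\user\AppData\Roaming\Exodus\exodus.wallet","NAME NOT FOUND",""
'''


def classify_path(path):
    """Names of every behaviour whose path fragment occurs in `path`."""
    p = path.lower()
    return [name for name, frags in BEHAVIOURS.items()
            if any(frag in p for frag in frags)]


def profile_processes(csv_text):
    """Map 'image:pid' -> set of behaviours seen in read-type operations.
    Failed lookups (e.g. NAME NOT FOUND) still count: probing for a wallet
    that is absent is as telling as reading one that exists."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in READ_OPS:
            continue
        for behaviour in classify_path(row["Path"]):
            seen[f'{row["Process Name"]}:{row["PID"]}'].add(behaviour)
    return dict(seen)


def suspicious(profile, min_behaviours=2):
    """Processes showing at least `min_behaviours` distinct behaviours. The
    threshold keeps a lone benign Geo lookup (explorer.exe here) out."""
    return sorted(proc for proc, hits in profile.items()
                  if len(hits) >= min_behaviours)


if __name__ == "__main__":
    prof = profile_processes(SAMPLE_EVENTS)
    for proc in suspicious(prof):
        print(proc, sorted(prof[proc]))
```

Any single lookup in the list is common in benign software, which is why the score counts distinct behaviours per process rather than individual events; on a real export, lower the threshold only after filtering known-good images, and extend BEHAVIOURS with the specific wallet and browser paths your environment cares about.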

MITRE ATT&CK Enterprise v6