Overview

overview

10

Static

static

3dd172bf8a...27.iso

windows7-x64

3

3dd172bf8a...27.iso

windows10-2004-x64

3

CLFSECUR.exe

windows7-x64

10

CLFSECUR.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3dd172bf8a7e2985f8387ffc4b6f2fc3ee05435b69a43d714d3137d9a5147127

  • Size

    35.9MB

  • Sample

    230112-d7gx6sfa86

  • MD5

    93a4fdd473320d37ae59ed875632e4ef

  • SHA1

    288603f501926756c236e368a1fdc7d128f4f9a1

  • SHA256

    3dd172bf8a7e2985f8387ffc4b6f2fc3ee05435b69a43d714d3137d9a5147127

  • SHA512

    4b6a2b4120fa996c1b054f9672efb0caf2ee0c8efa1f8ed4f83830622ca1a4592851d4be9c857666bd6cb626876a333686de7d74e94c9052452582d2fb474afa

  • SSDEEP

    786432:rQRwdPcRZMRDY8X9XRTuCpZD7U4qRVOtIqNi0f9jphU7oDM8ETp9an3aZ:cRwdPcRZuDYg1pZfUNRctpNi0f9dhU7L

Score
10/10
babadedanetsupportcrypterdiscoveryevasionloaderpersistenceratspywarestealertrojan

Malware Config

Targets

    • Target

      3dd172bf8a7e2985f8387ffc4b6f2fc3ee05435b69a43d714d3137d9a5147127

    • Size

      35.9MB

    • MD5

      93a4fdd473320d37ae59ed875632e4ef

    • SHA1

      288603f501926756c236e368a1fdc7d128f4f9a1

    • SHA256

      3dd172bf8a7e2985f8387ffc4b6f2fc3ee05435b69a43d714d3137d9a5147127

    • SHA512

      4b6a2b4120fa996c1b054f9672efb0caf2ee0c8efa1f8ed4f83830622ca1a4592851d4be9c857666bd6cb626876a333686de7d74e94c9052452582d2fb474afa

    • SSDEEP

      786432:rQRwdPcRZMRDY8X9XRTuCpZD7U4qRVOtIqNi0f9jphU7oDM8ETp9an3aZ:cRwdPcRZuDYg1pZfUNRctpNi0f9dhU7L

    Score
    3/10
    behavioral1behavioral2

    • Target

      CLFSECUR.EXE

    • Size

      35.1MB

    • MD5

      edde1633579f5e1f0543140cfbfa50fb

    • SHA1

      4233ff7941da62b86fc2c2d92be0572c9ab534c8

    • SHA256

      23b14288d49610a8eef61977b7fc49a963f1261fe29b1668b4443a04eaf493cb

    • SHA512

      e03a1575824ea04d30e3c3290d87e73be689014970e94ddc56f157766bc048faa5129e4589be0b8a404ce75c0fdf4301973c21cb5593a9c6006f26709507bf5c

    • SSDEEP

      786432:SQRwdPcRZMRDY8X9XRTuCpZD7U4qRVOtIqNi0f9jphU7oDM8ETp9an3aZO:1RwdPcRZuDYg1pZfUNRctpNi0f9dhU7a

    Score
    10/10
    babadedanetsupportcrypterdiscoveryevasionloaderpersistenceratspywarestealertrojan

    • Babadeda

      Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

      loadercrypterbabadeda

    • Babadeda Crypter

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Registers COM server for autorun

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v6

Tasks