Malware Analysis Report

2024-09-22 16:40

Sample ID: 230508-nq3tesad58
Target: 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff
SHA256: 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff
Tags: upx babadeda bitrat crypter loader trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff

Threat Level: Known bad

The file 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff was found to be: Known bad.

Malicious Activity Summary

upx babadeda bitrat crypter loader trojan

Babadeda Crypter

BitRAT

Babadeda

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-05-08 11:37

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-08 11:36

Reported

2023-05-08 11:39

Platform

win7-20230220-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

BitRAT

trojan bitrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe

"C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

"C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe"

Network

Country | Destination | Domain | Proto
GB | 145.239.202.9:4598 | | tcp
GB | 145.239.202.9:4598 | | tcp
GB | 145.239.202.9:4598 | | tcp
GB | 145.239.202.9:4598 | | tcp

Files

memory/1984-54-0x0000000000400000-0x000000000072F000-memory.dmp

memory/1984-55-0x00000000001D0000-0x00000000001D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\Lang\it\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

MD5 ec538ff191a52b5ca9f67ae5d5d56908
SHA1 fb583f5953db1c0397859bb91afd5b0a5f6f366c
SHA256 358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1
SHA512 ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

MD5 ec538ff191a52b5ca9f67ae5d5d56908
SHA1 fb583f5953db1c0397859bb91afd5b0a5f6f366c
SHA256 358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1
SHA512 ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

memory/1984-345-0x0000000002580000-0x0000000002590000-memory.dmp

memory/1984-346-0x0000000003660000-0x0000000003CA3000-memory.dmp

memory/1624-348-0x00000000012A0000-0x00000000018E3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\menu.xml

MD5 bacfa288e5c0f18a8f2c94d208d7c760
SHA1 912bd515c26f794cc65fa066ac01216cc7d35893
SHA256 080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8
SHA512 329e88c703ede60b537a94cc4b64e890048552de05a4a26530a770ead698644d38c34ece53ee4027ecc994613465cba76d15a5c560d586b3579465bb2e17637a

\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

MD5 e653f13bf4b225f1c7dce0e6404fc52a
SHA1 6e2ba578d8c14967a5ff2abbcce67a0e732c43d9
SHA256 ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c
SHA512 96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

MD5 e653f13bf4b225f1c7dce0e6404fc52a
SHA1 6e2ba578d8c14967a5ff2abbcce67a0e732c43d9
SHA256 ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c
SHA512 96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

memory/1984-352-0x0000000000400000-0x000000000072F000-memory.dmp

memory/1624-353-0x00000000012A0000-0x00000000018E3000-memory.dmp

memory/1624-354-0x00000000012A0000-0x00000000018E3000-memory.dmp

memory/1624-356-0x00000000012A0000-0x00000000018E3000-memory.dmp

memory/1624-360-0x00000000012A0000-0x00000000018E3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-08 11:36

Reported

2023-05-08 11:39

Platform

win10v2004-20230220-en

Max time kernel

76s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

BitRAT

trojan bitrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe

"C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

"C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 20.189.173.13:443 | | tcp
GB | 145.239.202.9:4598 | | tcp
US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp
GB | 145.239.202.9:4598 | | tcp

Files

memory/1188-133-0x0000000000400000-0x000000000072F000-memory.dmp

memory/1188-140-0x0000000002730000-0x0000000002731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\Lang\it\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe

MD5 ec538ff191a52b5ca9f67ae5d5d56908
SHA1 fb583f5953db1c0397859bb91afd5b0a5f6f366c
SHA256 358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1
SHA512 ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

memory/1940-428-0x0000000000060000-0x00000000006A3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\libfont-0.6.dll

MD5 e653f13bf4b225f1c7dce0e6404fc52a
SHA1 6e2ba578d8c14967a5ff2abbcce67a0e732c43d9
SHA256 ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c
SHA512 96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\menu.xml

MD5 bacfa288e5c0f18a8f2c94d208d7c760
SHA1 912bd515c26f794cc65fa066ac01216cc7d35893
SHA256 080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8
SHA512 329e88c703ede60b537a94cc4b64e890048552de05a4a26530a770ead698644d38c34ece53ee4027ecc994613465cba76d15a5c560d586b3579465bb2e17637a

memory/1188-433-0x0000000000400000-0x000000000072F000-memory.dmp

memory/1940-434-0x0000000000060000-0x00000000006A3000-memory.dmp

memory/1940-435-0x0000000074D00000-0x0000000074D39000-memory.dmp

memory/1940-436-0x00000000750A0000-0x00000000750D9000-memory.dmp

memory/1940-437-0x0000000000060000-0x00000000006A3000-memory.dmp

memory/1940-439-0x00000000750A0000-0x00000000750D9000-memory.dmp

memory/1940-440-0x0000000000060000-0x00000000006A3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-08 11:36

Reported

2023-05-08 11:37

Platform

win7-20230220-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-05-08 11:36

Reported

2023-05-08 11:37

Platform

win10v2004-20230220-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | | udp

Files

N/A