babadeda | dda791ae03a40c12c7f67a0398be23a9334766aa82fd49145cf62072b922b9f8

Analysis

max time kernel
138s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085b11ab52a6865e3b14734f517cac42.exe
Size

7.3MB
MD5

085b11ab52a6865e3b14734f517cac42
SHA1

02770b5a346b7bea9703cf1a0647934d4642ca76
SHA256

dda791ae03a40c12c7f67a0398be23a9334766aa82fd49145cf62072b922b9f8
SHA512

e4edb2abc1c74905332bc7d0d535eb2b46e8b6e8434e4fbfd418fe4dfd01f44e17747cf208309511907c9e3e8852c4a97d51c1f2c6c9aaeb7bd7c2e2e8873d00
SSDEEP

196608:XPGZKb8Eo5RnrX33haMwT97EKgDVD0Yet1wJcskt:+oo3nThPm7ExVrJcX

Score

10^/10

babadeda redline sectoprat augmy crypter discovery infostealer loader rat trojan upx

Malware Config

Extracted

Family

redline

Botnet

AUGMY

185.140.53.142:82

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Network WinSparkle\manual.pdf	family_babadeda
behavioral1/memory/2788-552-0x0000000002950000-0x0000000005950000-memory.dmp	family_babadeda
behavioral1/memory/2788-557-0x0000000002950000-0x0000000005950000-memory.dmp	family_babadeda

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2788-553-0x0000000000370000-0x000000000038E000-memory.dmp	family_redline
behavioral1/memory/2788-555-0x00000000082A0000-0x00000000082E0000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2788-553-0x0000000000370000-0x000000000038E000-memory.dmp	family_sectoprat
behavioral1/memory/2788-555-0x00000000082A0000-0x00000000082E0000-memory.dmp	family_sectoprat

Executes dropped EXE 2 IoCs

Processes:

irsetup.exelunassets.exe

pid process

2772 irsetup.exe
2788 lunassets.exe

pid	process
2772	irsetup.exe
2788	lunassets.exe

Loads dropped DLL 11 IoCs

Processes:

085b11ab52a6865e3b14734f517cac42.exeirsetup.exelunassets.exe

pid	process
2220	085b11ab52a6865e3b14734f517cac42.exe
2220	085b11ab52a6865e3b14734f517cac42.exe
2220	085b11ab52a6865e3b14734f517cac42.exe
2220	085b11ab52a6865e3b14734f517cac42.exe
2772	irsetup.exe
2772	irsetup.exe
2772	irsetup.exe
2772	irsetup.exe
2772	irsetup.exe
2772	irsetup.exe
2788	lunassets.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/2220-5-0x0000000002D60000-0x0000000003148000-memory.dmp	upx
behavioral1/memory/2772-17-0x0000000001350000-0x0000000001738000-memory.dmp	upx
behavioral1/memory/2772-548-0x0000000001350000-0x0000000001738000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

lunassets.exe

description pid process

Token: SeDebugPrivilege 2788 lunassets.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

2772 irsetup.exe
2772 irsetup.exe

description	pid	process
Token: SeDebugPrivilege	2788	lunassets.exe

pid	process
2772	irsetup.exe
2772	irsetup.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

085b11ab52a6865e3b14734f517cac42.exeirsetup.exe

description	pid	process	target process
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2220 wrote to memory of 2772	2220	085b11ab52a6865e3b14734f517cac42.exe	irsetup.exe
PID 2772 wrote to memory of 2788	2772	irsetup.exe	lunassets.exe
PID 2772 wrote to memory of 2788	2772	irsetup.exe	lunassets.exe
PID 2772 wrote to memory of 2788	2772	irsetup.exe	lunassets.exe
PID 2772 wrote to memory of 2788	2772	irsetup.exe	lunassets.exe

C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe
"C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
"C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\COPYING.txt
Filesize
3KB

MD5
cedef94f5701b0f14e5d358caf023480

SHA1
fc717140a9dd390068bad40a70f55e502f7c66e8

SHA256
54327b2950ffac8999f869515d44b8c6fbbe6a3764c7573518f920b8988cbf9a

SHA512
bd22f9e0f008468232529c2da1639efaddca041e61e511ea0bad2a2b7ae43c43513ea7caf5371f7f0cc88bce43ed2f8ff44f053db381545398f9e03660c453f5

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Lang\en\Phototheca EULA.rtf
Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Lang\fr\searchhelp.rtf
Filesize
56KB

MD5
520077fd6d03c64c735258d4d87921d8

SHA1
1b8d82d7da2d85527ce91e72f179fb8a418d47de

SHA256
6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598

SHA512
8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\RELEASE_NOTES.html
Filesize
87KB

MD5
77db64e395175649374d32e386fd1033

SHA1
1e26bbd5055d3717e7f57219f2b7c1a305f84678

SHA256
7d841eedf45ff8a6e61e9e3bd8e03414fff2dd650eef9b8d5b9102949e2fa163

SHA512
238ef2258060e4ff43184dfc42d523dfed7301f5f3bef4a217827059da70ec59ec173d1550b633156824c010970f95574dd62f91e72c139bd40c083527b124a0

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Uninstall\uninstall.xml
Filesize
40KB

MD5
6bb017fd0eb36d878eeb2b517dbdd2d4

SHA1
a19baf92c23af80461f9d3df65c631e77033b6fa

SHA256
ec8b1f09f5bdc681a517c3d456c6def4f96e22306ad32e4e498df3da90cbc34a

SHA512
357caf2c863aeda03a1dd230479205f697fade1f760805ee63f3e909820fb9528be2e7a99e73321f4d91a0f3b6bca1a4eefce4d64ddc68ad1ef659b46464492a

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Uninstall\uninstall.xml
Filesize
48KB

MD5
8b1be6fd7fd378c367d148dfd467ecc7

SHA1
e443c97169c255b8ce210cebd170031b002a65a3

SHA256
99bc31b06fc1855a98cf0b0a39e2b338ddb3209ee199d014747f72f588c97cf2

SHA512
7ccc65eb2280231ffaa3cd869889443d2a0fa7399b3cd807158bc42f3549823864498fbe7cbf7bd05cca6f397142fd67c8038cdbe8a2f54a4af0e3f0a47a8bef

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\libGLES-v2.dll
Filesize
320KB

MD5
232a9b18e9d2bffdd1fb5f636331d936

SHA1
8d0770c54a3d0a05735c36fe1b879bd7de0bb8dc

SHA256
f94f936883a8ea7c4c49e136eea16a22f5354ef58689b0cfcc138918b05960cb

SHA512
ea30653033ce37719bb42019f8f284b9e289f376ddf2334cd0b45b06e71f281f636eebb82eaa1d16d1212b67861511eaa9c6f250bdd62ae1b20c31fbf56e8926

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
Filesize
2.9MB

MD5
b3618a806089c54e05511e7708201842

SHA1
970e5cb2d1bc00fc8f8453b3ea5cd5a00d412a97

SHA256
13d70fd4e7d28dad80e25308f32f034b4053dfff737b8f336f872f68ae33669b

SHA512
f6d805092b966c4837c9d8b692ff046d9992a15ee42f9c5862b4e3ee0f54a81c0d49fb34f64405444e982a7f53f1259edc575e236e52fbd0535bd675e339d41a

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
Filesize
1.3MB

MD5
67e3de63a83fe58f1d7b83197324d071

SHA1
a2fbe5b95f4428c585ad718d4e983ba36111a495

SHA256
f3f5880ac2058ba3730ef5920118b05d6feb2e0af5411daff3bb50fbaf885a7a

SHA512
52dcfc054ea9d9386bea1f8298d58f851c436a11ea211de81a016925420bdc18197f00840cd9519578051677b5ca8dfc8228a74a03edd5301bef3ca643a828c8

Download Submit
C:\Users\Admin\AppData\Roaming\Network WinSparkle\manual.pdf
Filesize
304KB

MD5
5d67aa7bae8d8e7e18c7dcf36a1c676c

SHA1
6a07aa8262bb378a8a643b191bd3a1deb0c6c461

SHA256
a28e1667ef79438cd9ad0bdafa495727c8a67eddf48f8c99c20e75f3c35ad1c9

SHA512
f45395b1a3495eaf4c74c01c76f24d159ed9792b273b2d44ea12806391d3adc6756ed2348aa43e7a2e178d39ceba5419ea9cb16912b283737803602dae459302

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
\Users\Admin\AppData\Roaming\Network WinSparkle\libGLES-v2.dll
Filesize
1.6MB

MD5
cd5f7a36c869ec4c3beb68777b1c1c84

SHA1
e6eaea2763e5409e2289d42beb5c891ca978b403

SHA256
073d93ff0e38aad002d697d3a3cf494f0bd69ee6a1827b40321e31b9fac3484f

SHA512
6edaf5c17334cb353019d20ae8954e498709429f9e7b6570e53a12703df25acee4f2292f4f702d06362e097531dadceab8d50312cb86089518503593eb58da00

Download Submit
\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
Filesize
576KB

MD5
4a4b365835f66abd4384f34f20b05388

SHA1
2044b61947e2b1ca7985af5b5dec38bca64959e6

SHA256
2d659d7401e8a8ad797bb0dd67d54c7f2b6107d76b67771c8deae3901f7dbce2

SHA512
007e030767a1b12019a630ecdda8a01e4617e6993fcf1387eb412fe045e0d2a8d2a1d11327c5771c1892da35a12df52671e7b4f6e1b68ba2f2bd72f0b7f5f854

Download Submit
\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
Filesize
2.1MB

MD5
b77eb61d1c2ac930a29181721d826c15

SHA1
67a902ea14f29d2b9cff3e9db5c9175ba94a3301

SHA256
0eee7d66cc0e2f307e4887797438037deb6b8f79364fc2b1d8c348a2847726aa

SHA512
dabba7fe84b768ca3fa7af52721d528bbc8b8269f8eab24cda401270aadf6d405847e80f8036d7aba2b97e4af7e2cf45ca9b5741183e4d3015bb1bd40274c1ef

Download Submit
\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
Filesize
2.3MB

MD5
3989192312e7c6f4c092b24edee547f7

SHA1
e6964ed839a155faa8989395f9693a7583981a79

SHA256
987298b1b45ccc87ce319fa6b0fb7b1216dc3302563a4c660202ddddac5f7e51

SHA512
23d84b1ce2c60ab950de4e4a83fbd0d1d4feebb2f44f8d325c0a615e73e00c28b71d7e4ef5f731bcaa8f2429a7dd828d19a9e800bae673dc178511e4aa9bcdcf

Download Submit
memory/2220-15-0x0000000002D60000-0x0000000003148000-memory.dmp

Filesize
3.9MB

Download
memory/2220-5-0x0000000002D60000-0x0000000003148000-memory.dmp

Filesize
3.9MB

Download
memory/2772-531-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2772-17-0x0000000001350000-0x0000000001738000-memory.dmp

Filesize
3.9MB

Download
memory/2772-548-0x0000000001350000-0x0000000001738000-memory.dmp

Filesize
3.9MB

Download
memory/2788-553-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/2788-552-0x0000000002950000-0x0000000005950000-memory.dmp

Filesize
48.0MB

Download
memory/2788-554-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-555-0x00000000082A0000-0x00000000082E0000-memory.dmp

Filesize
256KB

Download
memory/2788-556-0x00000000082A0000-0x00000000082E0000-memory.dmp

Filesize
256KB

Download
memory/2788-557-0x0000000002950000-0x0000000005950000-memory.dmp

Filesize
48.0MB

Download
memory/2788-558-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-559-0x00000000082A0000-0x00000000082E0000-memory.dmp

Filesize
256KB

Download