Malware Analysis Report

2024-09-22 16:37

Sample ID 231230-ana4qsadf7
Target 085b11ab52a6865e3b14734f517cac42
SHA256 dda791ae03a40c12c7f67a0398be23a9334766aa82fd49145cf62072b922b9f8
Tags
babadeda redline sectoprat augmy crypter discovery infostealer loader rat trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

dda791ae03a40c12c7f67a0398be23a9334766aa82fd49145cf62072b922b9f8

Threat Level: Known bad

The file 085b11ab52a6865e3b14734f517cac42 was found to be: Known bad.

Malicious Activity Summary

babadeda redline sectoprat augmy crypter discovery infostealer loader rat trojan upx

RedLine

Babadeda

SectopRAT payload

Babadeda Crypter

RedLine payload

SectopRAT

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-30 00:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 00:21

Reported

2023-12-30 20:38

Platform

win7-20231215-en

Max time kernel

138s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2220 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 2772 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
PID 2772 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
PID 2772 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
PID 2772 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

Processes

C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe

"C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"

C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

"C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe"

Network

Country Destination Domain Proto
DE 185.140.53.142:82 N/A tcp
DE 185.140.53.142:82 N/A tcp
DE 185.140.53.142:82 N/A tcp
DE 185.140.53.142:82 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 ac23d03c4b8d531016a3c1ebfa2bc91c
SHA1 11383627d5515ed2257f594db7fbce3a4b9106f8
SHA256 0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512 bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

memory/2220-5-0x0000000002D60000-0x0000000003148000-memory.dmp

memory/2220-15-0x0000000002D60000-0x0000000003148000-memory.dmp

memory/2772-17-0x0000000001350000-0x0000000001738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 e7a789232ef503dcb4929791673009a3
SHA1 8bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA256 89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA512 6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

C:\Users\Admin\AppData\Roaming\Network WinSparkle\Lang\en\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\Network WinSparkle\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

C:\Users\Admin\AppData\Roaming\Network WinSparkle\COPYING.txt

MD5 cedef94f5701b0f14e5d358caf023480
SHA1 fc717140a9dd390068bad40a70f55e502f7c66e8
SHA256 54327b2950ffac8999f869515d44b8c6fbbe6a3764c7573518f920b8988cbf9a
SHA512 bd22f9e0f008468232529c2da1639efaddca041e61e511ea0bad2a2b7ae43c43513ea7caf5371f7f0cc88bce43ed2f8ff44f053db381545398f9e03660c453f5

C:\Users\Admin\AppData\Roaming\Network WinSparkle\RELEASE_NOTES.html

MD5 77db64e395175649374d32e386fd1033
SHA1 1e26bbd5055d3717e7f57219f2b7c1a305f84678
SHA256 7d841eedf45ff8a6e61e9e3bd8e03414fff2dd650eef9b8d5b9102949e2fa163
SHA512 238ef2258060e4ff43184dfc42d523dfed7301f5f3bef4a217827059da70ec59ec173d1550b633156824c010970f95574dd62f91e72c139bd40c083527b124a0

C:\Users\Admin\AppData\Roaming\Network WinSparkle\Uninstall\uninstall.xml

MD5 6bb017fd0eb36d878eeb2b517dbdd2d4
SHA1 a19baf92c23af80461f9d3df65c631e77033b6fa
SHA256 ec8b1f09f5bdc681a517c3d456c6def4f96e22306ad32e4e498df3da90cbc34a
SHA512 357caf2c863aeda03a1dd230479205f697fade1f760805ee63f3e909820fb9528be2e7a99e73321f4d91a0f3b6bca1a4eefce4d64ddc68ad1ef659b46464492a

C:\Users\Admin\AppData\Roaming\Network WinSparkle\Uninstall\uninstall.xml

MD5 8b1be6fd7fd378c367d148dfd467ecc7
SHA1 e443c97169c255b8ce210cebd170031b002a65a3
SHA256 99bc31b06fc1855a98cf0b0a39e2b338ddb3209ee199d014747f72f588c97cf2
SHA512 7ccc65eb2280231ffaa3cd869889443d2a0fa7399b3cd807158bc42f3549823864498fbe7cbf7bd05cca6f397142fd67c8038cdbe8a2f54a4af0e3f0a47a8bef

memory/2772-531-0x00000000004C0000-0x00000000004D0000-memory.dmp

\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

MD5 4a4b365835f66abd4384f34f20b05388
SHA1 2044b61947e2b1ca7985af5b5dec38bca64959e6
SHA256 2d659d7401e8a8ad797bb0dd67d54c7f2b6107d76b67771c8deae3901f7dbce2
SHA512 007e030767a1b12019a630ecdda8a01e4617e6993fcf1387eb412fe045e0d2a8d2a1d11327c5771c1892da35a12df52671e7b4f6e1b68ba2f2bd72f0b7f5f854

\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

MD5 b77eb61d1c2ac930a29181721d826c15
SHA1 67a902ea14f29d2b9cff3e9db5c9175ba94a3301
SHA256 0eee7d66cc0e2f307e4887797438037deb6b8f79364fc2b1d8c348a2847726aa
SHA512 dabba7fe84b768ca3fa7af52721d528bbc8b8269f8eab24cda401270aadf6d405847e80f8036d7aba2b97e4af7e2cf45ca9b5741183e4d3015bb1bd40274c1ef

\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

MD5 3989192312e7c6f4c092b24edee547f7
SHA1 e6964ed839a155faa8989395f9693a7583981a79
SHA256 987298b1b45ccc87ce319fa6b0fb7b1216dc3302563a4c660202ddddac5f7e51
SHA512 23d84b1ce2c60ab950de4e4a83fbd0d1d4feebb2f44f8d325c0a615e73e00c28b71d7e4ef5f731bcaa8f2429a7dd828d19a9e800bae673dc178511e4aa9bcdcf

C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

MD5 b3618a806089c54e05511e7708201842
SHA1 970e5cb2d1bc00fc8f8453b3ea5cd5a00d412a97
SHA256 13d70fd4e7d28dad80e25308f32f034b4053dfff737b8f336f872f68ae33669b
SHA512 f6d805092b966c4837c9d8b692ff046d9992a15ee42f9c5862b4e3ee0f54a81c0d49fb34f64405444e982a7f53f1259edc575e236e52fbd0535bd675e339d41a

C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe

MD5 67e3de63a83fe58f1d7b83197324d071
SHA1 a2fbe5b95f4428c585ad718d4e983ba36111a495
SHA256 f3f5880ac2058ba3730ef5920118b05d6feb2e0af5411daff3bb50fbaf885a7a
SHA512 52dcfc054ea9d9386bea1f8298d58f851c436a11ea211de81a016925420bdc18197f00840cd9519578051677b5ca8dfc8228a74a03edd5301bef3ca643a828c8

C:\Users\Admin\AppData\Roaming\Network WinSparkle\libGLES-v2.dll

MD5 232a9b18e9d2bffdd1fb5f636331d936
SHA1 8d0770c54a3d0a05735c36fe1b879bd7de0bb8dc
SHA256 f94f936883a8ea7c4c49e136eea16a22f5354ef58689b0cfcc138918b05960cb
SHA512 ea30653033ce37719bb42019f8f284b9e289f376ddf2334cd0b45b06e71f281f636eebb82eaa1d16d1212b67861511eaa9c6f250bdd62ae1b20c31fbf56e8926

memory/2772-548-0x0000000001350000-0x0000000001738000-memory.dmp

\Users\Admin\AppData\Roaming\Network WinSparkle\libGLES-v2.dll

MD5 cd5f7a36c869ec4c3beb68777b1c1c84
SHA1 e6eaea2763e5409e2289d42beb5c891ca978b403
SHA256 073d93ff0e38aad002d697d3a3cf494f0bd69ee6a1827b40321e31b9fac3484f
SHA512 6edaf5c17334cb353019d20ae8954e498709429f9e7b6570e53a12703df25acee4f2292f4f702d06362e097531dadceab8d50312cb86089518503593eb58da00

C:\Users\Admin\AppData\Roaming\Network WinSparkle\manual.pdf

MD5 5d67aa7bae8d8e7e18c7dcf36a1c676c
SHA1 6a07aa8262bb378a8a643b191bd3a1deb0c6c461
SHA256 a28e1667ef79438cd9ad0bdafa495727c8a67eddf48f8c99c20e75f3c35ad1c9
SHA512 f45395b1a3495eaf4c74c01c76f24d159ed9792b273b2d44ea12806391d3adc6756ed2348aa43e7a2e178d39ceba5419ea9cb16912b283737803602dae459302

memory/2788-552-0x0000000002950000-0x0000000005950000-memory.dmp

memory/2788-553-0x0000000000370000-0x000000000038E000-memory.dmp

memory/2788-554-0x0000000073350000-0x0000000073A3E000-memory.dmp

memory/2788-555-0x00000000082A0000-0x00000000082E0000-memory.dmp

memory/2788-556-0x00000000082A0000-0x00000000082E0000-memory.dmp

memory/2788-557-0x0000000002950000-0x0000000005950000-memory.dmp

memory/2788-558-0x0000000073350000-0x0000000073A3E000-memory.dmp

memory/2788-559-0x00000000082A0000-0x00000000082E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 00:21

Reported

2023-12-30 20:38

Platform

win10v2004-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A