babadeda | 19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2

General

Target

1b6a482264775b5ab5b792c89f4cb272.exe
Size

6.9MB
MD5

1b6a482264775b5ab5b792c89f4cb272
SHA1

c265d55a702cb0323f7347bea2915e8c63d89983
SHA256

19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2
SHA512

5afaf1a5671962f752a28972d8b8fc348c1c1cc126d3ced48a0647eb37fb83d0910d7f4cacd31e17e9fb6a9dede8554be28fb48de275251440e30fe3b8a67113
SSDEEP

196608:kPGZKb8Ehfrm4JYKtjADXsuIwDO+tkw06y2:VoJrzaKtjADVIUdR

Score

10^/10

babadeda vidar 953 crypter discovery loader stealer upx

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

953

C2

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
953

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral2/memory/2028-386-0x0000000002DD0000-0x0000000005DD0000-memory.dmp	family_babadeda
behavioral2/memory/2028-398-0x0000000002DD0000-0x0000000005DD0000-memory.dmp	family_babadeda

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/2028-384-0x0000000000400000-0x0000000000B07000-memory.dmp	family_vidar
behavioral2/memory/2028-396-0x0000000000400000-0x0000000000B07000-memory.dmp	family_vidar

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	1b6a482264775b5ab5b792c89f4cb272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	irsetup.exe

Executes dropped EXE 2 IoCs

pid	Process
4688	irsetup.exe
2028	smartmap.exe

Loads dropped DLL 2 IoCs

pid	Process
4688	irsetup.exe
2028	smartmap.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000f000000023138-4.dat	upx
behavioral2/files/0x000f000000023138-10.dat	upx
behavioral2/memory/4688-13-0x00000000005D0000-0x00000000009B8000-memory.dmp	upx
behavioral2/files/0x000f000000023138-14.dat	upx
behavioral2/memory/4688-382-0x00000000005D0000-0x00000000009B8000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2780	2028	WerFault.exe	93
1872	2028	WerFault.exe	93

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4688	irsetup.exe
4688	irsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4688	4968	1b6a482264775b5ab5b792c89f4cb272.exe	89
PID 4968 wrote to memory of 4688	4968	1b6a482264775b5ab5b792c89f4cb272.exe	89
PID 4968 wrote to memory of 4688	4968	1b6a482264775b5ab5b792c89f4cb272.exe	89
PID 4688 wrote to memory of 2028	4688	irsetup.exe	93
PID 4688 wrote to memory of 2028	4688	irsetup.exe	93
PID 4688 wrote to memory of 2028	4688	irsetup.exe	93

C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe
"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
    "C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 992
      4⤵
      Program crash
      PID:2780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1588
      4⤵
      Program crash
      PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2028 -ip 2028
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2028 -ip 2028
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.0MB

MD5
629837597bfa4fcb7a124907c1e404d8

SHA1
426777b49fa754dc17522f645f05351b2fb09d58

SHA256
dedf77699b799afb2eb9c30f33a7a026cad3459c294af54008f38269c6e874e3

SHA512
3b8ea64df085e222eb758e76de45f4863c78edcdb5440ce28792e7f021f12f14d1636178431e14d54e9e33b7af5fa1f7e132b01b268f83f35c6f5265407dbfa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
381KB

MD5
d2f4bc357b954f71c563f6073387bbe1

SHA1
1fc41b50de9baa6d8ecb05636a21fbb2fcd3abf0

SHA256
898a40625625818e0c7134a5c2d20213681038c336e45b1454bb7b0920d1496b

SHA512
e62abeb786aec2facb5a1adf0a25b48a670469f71184a8fdb5b7fd1cb7d04df9cec15287992f29c71198f78000fa1d863de3aea7bc821750bd826fc32974b46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\it\Phototheca EULA.rtf

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
memory/2028-384-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/2028-386-0x0000000002DD0000-0x0000000005DD0000-memory.dmp

Filesize
48.0MB

Download
memory/2028-396-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/2028-398-0x0000000002DD0000-0x0000000005DD0000-memory.dmp

Filesize
48.0MB

Download
memory/4688-13-0x00000000005D0000-0x00000000009B8000-memory.dmp

Filesize
3.9MB

Download
memory/4688-382-0x00000000005D0000-0x00000000009B8000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing