Malware Analysis Report

2024-09-22 16:42

Sample ID 231231-lbfn8scad7
Target 30a64c61e75d116f706c23f451abaca5
SHA256 4af4a3e76358c3a932e5fa2bd23af3f73880a0f24d0841c299bea7f35dec8283
Tags
babadeda crypter discovery loader
Score
10/10

Analysis Overview

Score
10/10

SHA256

4af4a3e76358c3a932e5fa2bd23af3f73880a0f24d0841c299bea7f35dec8283

Threat Level: Known bad

The file 30a64c61e75d116f706c23f451abaca5 was found to be: Known bad.

Malicious Activity Summary

babadeda crypter discovery loader

Babadeda

Babadeda Crypter

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-31 09:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 09:21

Reported

2024-01-10 04:09

Platform

win7-20231215-en

Max time kernel

46s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe

"C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe"

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

"C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:80 iplogger.org tcp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp

Files

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libpsl-5.dll

memory/1588-317-0x0000000000240000-0x0000000000783000-memory.dmp

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\ui.xml

\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libpsl-5.dll

memory/2108-313-0x0000000003A70000-0x0000000003FB3000-memory.dmp

memory/2108-312-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

C:\Users\Admin\AppData\Local\Temp\CabCFEE.tmp

C:\Users\Admin\AppData\Local\Temp\TarD1B6.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libqml2.dll

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libqml2.dll

memory/1588-441-0x0000000000A50000-0x0000000000A60000-memory.dmp

\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 09:21

Reported

2024-01-10 04:09

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe"

Signatures

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe

"C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe"

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

"C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:80 iplogger.org tcp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

memory/3800-321-0x0000000000440000-0x0000000000983000-memory.dmp

C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libpsl-5.dll

memory/2040-317-0x0000000000400000-0x0000000000433000-memory.dmp