babadeda | e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464

General

Target

a43be7341e3d13810d20b9e64e329c83.exe
Size

6.4MB
MD5

a43be7341e3d13810d20b9e64e329c83
SHA1

ad582a30ba365885be34fe503c744088d08b4baa
SHA256

e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
SHA512

cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877
SSDEEP

98304:oSilBhaEFMX+MEGi6OEJ0ehjDhGSib2RDWBXW4Gd72eg7GpAadkBlsr1SFF0:KhaIRMEXehxitdogqtqBq9

Score

10^/10

babadeda gozi 1001 banker crypter isfb loader trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

C2

update1.avast.com

zilbon.ws

update2.avira.com

lumpet.co

emerald.ws

ferroun.in

Attributes

base_path
/sreamble/
build
250207
dga_season
10
exe_type
loader
extension
.sre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023268-196.dat	family_babadeda

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	a43be7341e3d13810d20b9e64e329c83.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation	a43be7341e3d13810d20b9e64e329c83.tmp

Executes dropped EXE 3 IoCs

pid	Process
2680	a43be7341e3d13810d20b9e64e329c83.tmp
3004	a43be7341e3d13810d20b9e64e329c83.tmp
4704	BouncyDotNET.exe

Loads dropped DLL 1 IoCs

pid	Process
4704	BouncyDotNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	a43be7341e3d13810d20b9e64e329c83.tmp
3004	a43be7341e3d13810d20b9e64e329c83.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	a43be7341e3d13810d20b9e64e329c83.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2680	3028	a43be7341e3d13810d20b9e64e329c83.exe	86
PID 3028 wrote to memory of 2680	3028	a43be7341e3d13810d20b9e64e329c83.exe	86
PID 3028 wrote to memory of 2680	3028	a43be7341e3d13810d20b9e64e329c83.exe	86
PID 2680 wrote to memory of 4268	2680	a43be7341e3d13810d20b9e64e329c83.tmp	88
PID 2680 wrote to memory of 4268	2680	a43be7341e3d13810d20b9e64e329c83.tmp	88
PID 2680 wrote to memory of 4268	2680	a43be7341e3d13810d20b9e64e329c83.tmp	88
PID 4268 wrote to memory of 3004	4268	a43be7341e3d13810d20b9e64e329c83.exe	89
PID 4268 wrote to memory of 3004	4268	a43be7341e3d13810d20b9e64e329c83.exe	89
PID 4268 wrote to memory of 3004	4268	a43be7341e3d13810d20b9e64e329c83.exe	89
PID 3004 wrote to memory of 4704	3004	a43be7341e3d13810d20b9e64e329c83.tmp	90
PID 3004 wrote to memory of 4704	3004	a43be7341e3d13810d20b9e64e329c83.tmp	90
PID 3004 wrote to memory of 4704	3004	a43be7341e3d13810d20b9e64e329c83.tmp	90

C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe
"C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp" /SL5="$80064,5898797,953344,C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe
    "C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\is-69HCU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-69HCU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp" /SL5="$C021A,5898797,953344,C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe
        
        "C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EVEHL.tmp\a43be7341e3d13810d20b9e64e329c83.tmp

Filesize
3.1MB

MD5
8a24adf60923719e71306f56deb49ebc

SHA1
e098600fd5a98bc37d0d887e705a32a54bf4ae84

SHA256
221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085

SHA512
dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

Filesize
5.8MB

MD5
e70951807abdec39daefa9a8df9dec15

SHA1
15a7b0f9c04d5f6bba477d91b502b4e24c1127f6

SHA256
dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6

SHA512
bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\Lang\it\is-RDNK1.tmp

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\cds.xml

Filesize
304KB

MD5
2b622a85fd2b0b5531c86301818ceb2f

SHA1
5e1d127789e78683ce3deee1fd3e38f358bc50c2

SHA256
58489a55f9eb210b9e472ca21621ce544e03a2e026f0fa103c1a58102d39c025

SHA512
938d7ac9239568536a341c057a44142faad4921bbff5bcc76a89b0b4ed5343f324a46e6c533a9673434286673c4b5efbe4a8156d10c20a2760389ac785a34ce4

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dll

Filesize
3.8MB

MD5
4240767ecbcecd84f3c90d0ee889460c

SHA1
d390f9e165408864dda6c925dfe6627c557a6b24

SHA256
1d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3

SHA512
89fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61

Download Submit
memory/2680-10-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/2680-6-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3004-199-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/3028-13-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3028-1-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4268-9-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4268-201-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4704-197-0x00000000005A0000-0x0000000000BBE000-memory.dmp

Filesize
6.1MB

Download
memory/4704-202-0x00000000005A0000-0x0000000000BBE000-memory.dmp

Filesize
6.1MB

Download
memory/4704-203-0x0000000002E20000-0x0000000002E30000-memory.dmp

Filesize
64KB

Download
memory/4704-206-0x00000000005A0000-0x0000000000BBE000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads