babadeda

General

Target

bfb0ff3c28b6f82afabaf58837989b00
Size

4.7MB
Sample

240311-dqhs5sbc31
MD5

bfb0ff3c28b6f82afabaf58837989b00
SHA1

82fa2bbecb84cecff62c6b3600e6195803f7fb84
SHA256

7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40
SHA512

eead3c3fe155c4ce626ead7466f27ede6f7f1eaee570a88189627d1e11da63f70f2cc6ea86fbfead3dc7ae3a33ff2874435f353752a592b2d7e9cb5fa83d6f59
SSDEEP

98304:EAI+9ejHqIAPoHZXs+PdHWwLo1JLQTNUU4+w5VF0/7AMy5VV+71knp:Dt9eLzApEvU1JUTxhIVV+pknp

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419776

C2

http://advmicrodevice.com:1080/faq

Attributes

access_type
512
beacon_type
2048
host
advmicrodevice.com,/faq
http_header1
AAAAEAAAABhIb3N0OiBhZHZtaWNyb2RldmljZS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAALAAAAAwAAAAIAAAAQbWFkZV93cml0ZV9jb25uPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABhIb3N0OiBhZHZtaWNyb2RldmljZS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABNBY2NlcHQtRW5jb2Rpbmc6IGJyAAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAHAAAAAQAAAA0AAAADAAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9984
polling_time
61835
port_number
1080
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRB7V21uKGciSh2OXnKB+/pAMi66Vr3lZFWaFPM0or5KvggvdSmZFAEQ7fRtEyEJQnmw12W7+Ikf5h6ZBGm2tY0ZTOR8ZWBbJgvXuFd31dN/CHQNeKT7hfGWeWRD/yAUFty7EsUgTf9vcx7uUNbUSN/noLl3y2w8huMtBv+zrxcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.272630272e+09
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/nl
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
watermark
305419776

Targets

- Target
  
  bfb0ff3c28b6f82afabaf58837989b00
- Size
  
  4.7MB
- MD5
  
  bfb0ff3c28b6f82afabaf58837989b00
- SHA1
  
  82fa2bbecb84cecff62c6b3600e6195803f7fb84
- SHA256
  
  7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40
- SHA512
  
  eead3c3fe155c4ce626ead7466f27ede6f7f1eaee570a88189627d1e11da63f70f2cc6ea86fbfead3dc7ae3a33ff2874435f353752a592b2d7e9cb5fa83d6f59
- SSDEEP
  
  98304:EAI+9ejHqIAPoHZXs+PdHWwLo1JLQTNUU4+w5VF0/7AMy5VV+71knp:Dt9eLzApEvU1JUTxhIVV+pknp
Score

10^/10

babadeda cobaltstrike 305419776 backdoor crypter discovery loader trojan
- Babadeda
  Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
  loader crypter babadeda
- Babadeda Crypter
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Babadeda Crypter

Cobaltstrike

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2