babadeda | 7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40

General

Target

bfb0ff3c28b6f82afabaf58837989b00.exe
Size

4.7MB
MD5

bfb0ff3c28b6f82afabaf58837989b00
SHA1

82fa2bbecb84cecff62c6b3600e6195803f7fb84
SHA256

7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40
SHA512

eead3c3fe155c4ce626ead7466f27ede6f7f1eaee570a88189627d1e11da63f70f2cc6ea86fbfead3dc7ae3a33ff2874435f353752a592b2d7e9cb5fa83d6f59
SSDEEP

98304:EAI+9ejHqIAPoHZXs+PdHWwLo1JLQTNUU4+w5VF0/7AMy5VV+71knp:Dt9eLzApEvU1JUTxhIVV+pknp

Score

10^/10

babadeda cobaltstrike 305419776 backdoor crypter discovery loader trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419776

C2

http://advmicrodevice.com:1080/faq

Attributes

access_type
512
beacon_type
2048
host
advmicrodevice.com,/faq
http_header1
AAAAEAAAABhIb3N0OiBhZHZtaWNyb2RldmljZS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAABwAAAAAAAAALAAAAAwAAAAIAAAAQbWFkZV93cml0ZV9jb25uPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAABhIb3N0OiBhZHZtaWNyb2RldmljZS5jb20AAAAKAAAAEUNvbm5lY3Rpb246IGNsb3NlAAAACgAAABNBY2NlcHQtRW5jb2Rpbmc6IGJyAAAACgAAABhDb250ZW50LVR5cGU6IHRleHQvcGxhaW4AAAAHAAAAAQAAAA0AAAADAAAABAAAAAcAAAAAAAAAAwAAAAIAAAAOX19zZXNzaW9uX19pZD0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9984
polling_time
61835
port_number
1080
sc_process32
%windir%\syswow64\runonce.exe
sc_process64
%windir%\sysnative\runonce.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCRB7V21uKGciSh2OXnKB+/pAMi66Vr3lZFWaFPM0or5KvggvdSmZFAEQ7fRtEyEJQnmw12W7+Ikf5h6ZBGm2tY0ZTOR8ZWBbJgvXuFd31dN/CHQNeKT7hfGWeWRD/yAUFty7EsUgTf9vcx7uUNbUSN/noLl3y2w8huMtBv+zrxcQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.272630272e+09
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/nl
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9
watermark
305419776

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000015cff-413.dat	family_babadeda

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Executes dropped EXE 1 IoCs

pid	Process
2620	firesql.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	bfb0ff3c28b6f82afabaf58837989b00.exe
2620	firesql.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2620	firesql.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2620	2276	bfb0ff3c28b6f82afabaf58837989b00.exe	28
PID 2276 wrote to memory of 2620	2276	bfb0ff3c28b6f82afabaf58837989b00.exe	28
PID 2276 wrote to memory of 2620	2276	bfb0ff3c28b6f82afabaf58837989b00.exe	28
PID 2276 wrote to memory of 2620	2276	bfb0ff3c28b6f82afabaf58837989b00.exe	28

C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe
"C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe
  "C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\Chart.png

Filesize
537KB

MD5
d1c21568eece976ec41d43f1d78218f9

SHA1
0ee4aeffc2a5c11cc20d20ccfa504b90768d8f57

SHA256
20b75a5cb0d67689ef3436dfa9ecbdc877fb03fb72632efdf9adc8e809422925

SHA512
354b4597e3ae0342abf7b34527c67afcbd58f03580f34c24e981e938c4caee16662463fc0a42770f15aa91e39baa7349e1065e0167c85711402af2d542766ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\ff_wmv9.dll

Filesize
2.0MB

MD5
af419184a4da05d5ea9df37130ee750b

SHA1
ba7ea98545e58c006e62a3b8ae98a5928cd1d74d

SHA256
bb0e61cdfc101cac62486eec8a02b1f200bff1a98baea8571e1742995adc0e02

SHA512
402ef1175692bd70029bca1d62000f21bc225a5adf9cf749cb09f0b4613589bd2d76fe07e2b25556f12f1f299608a7f622eaef9e8a121c2bac4de65bb8abb69c

Download Submit
C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

Filesize
6.0MB

MD5
e1b6202fce07a1f68b874e14793f2323

SHA1
157163eed9bb263b54b200ec4c84c0d8c6b2590e

SHA256
a1771679869dc5f43e9f7e9a1553c0200047630b8fc07202f44d9db3108062ae

SHA512
ea59dfa0c045a98df02aab7e42a7037a9744d4cee144917ed75d4e88a2eb083406d7272e038ecddadb01bac0501bfb9ad3d34cfeaf082232da501d74d40e109e

Download Submit
\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

Filesize
5.6MB

MD5
73166e57798ee39b3d5632adb35d8602

SHA1
768dc339c011305679fe73238f88567978047942

SHA256
b3729c7166fbd9568acb94a735817f0acb11295fd6ac4c59e917a63e749f9c20

SHA512
b338d4a308bff8c838a4d149b02edc73efac1a6e37a3879a1452763e0c0497ba92387ed8efc78a1b36b2f2791b79bbdaf1b4798f2e01d976e221685ecaff45c9

Download Submit
memory/2276-408-0x0000000003B50000-0x00000000041A4000-memory.dmp

Filesize
6.3MB

Download
memory/2276-407-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2276-414-0x0000000003B50000-0x00000000041A4000-memory.dmp

Filesize
6.3MB

Download
memory/2620-410-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/2620-415-0x0000000000400000-0x0000000000A54000-memory.dmp

Filesize
6.3MB

Download
memory/2620-417-0x0000000003610000-0x0000000003690000-memory.dmp

Filesize
512KB

Download
memory/2620-416-0x0000000003490000-0x00000000034C3000-memory.dmp

Filesize
204KB

Download
memory/2620-418-0x0000000003610000-0x0000000003690000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing