Malware Analysis Report

2024-09-22 16:35

Sample ID 240311-dqhs5sbc31
Target bfb0ff3c28b6f82afabaf58837989b00
SHA256 7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40
Tags
babadeda cobaltstrike 305419776 backdoor crypter discovery loader trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

7816862d412c71840584ab9032952ce4e7a9268e44bfac669311356937fc6a40

Threat Level: Known bad

The file bfb0ff3c28b6f82afabaf58837989b00 was found to be: Known bad.

Malicious Activity Summary

babadeda cobaltstrike 305419776 backdoor crypter discovery loader trojan

Babadeda

Babadeda Crypter

Cobaltstrike

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-11 03:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 03:12

Reported

2024-03-11 03:15

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe

"C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe"

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

"C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 advmicrodevice.com udp

Files

\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

MD5 73166e57798ee39b3d5632adb35d8602
SHA1 768dc339c011305679fe73238f88567978047942
SHA256 b3729c7166fbd9568acb94a735817f0acb11295fd6ac4c59e917a63e749f9c20
SHA512 b338d4a308bff8c838a4d149b02edc73efac1a6e37a3879a1452763e0c0497ba92387ed8efc78a1b36b2f2791b79bbdaf1b4798f2e01d976e221685ecaff45c9

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

MD5 e1b6202fce07a1f68b874e14793f2323
SHA1 157163eed9bb263b54b200ec4c84c0d8c6b2590e
SHA256 a1771679869dc5f43e9f7e9a1553c0200047630b8fc07202f44d9db3108062ae
SHA512 ea59dfa0c045a98df02aab7e42a7037a9744d4cee144917ed75d4e88a2eb083406d7272e038ecddadb01bac0501bfb9ad3d34cfeaf082232da501d74d40e109e

memory/2276-408-0x0000000003B50000-0x00000000041A4000-memory.dmp

memory/2276-407-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-410-0x0000000000400000-0x0000000000A54000-memory.dmp

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\ff_wmv9.dll

MD5 af419184a4da05d5ea9df37130ee750b
SHA1 ba7ea98545e58c006e62a3b8ae98a5928cd1d74d
SHA256 bb0e61cdfc101cac62486eec8a02b1f200bff1a98baea8571e1742995adc0e02
SHA512 402ef1175692bd70029bca1d62000f21bc225a5adf9cf749cb09f0b4613589bd2d76fe07e2b25556f12f1f299608a7f622eaef9e8a121c2bac4de65bb8abb69c

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\Chart.png

MD5 d1c21568eece976ec41d43f1d78218f9
SHA1 0ee4aeffc2a5c11cc20d20ccfa504b90768d8f57
SHA256 20b75a5cb0d67689ef3436dfa9ecbdc877fb03fb72632efdf9adc8e809422925
SHA512 354b4597e3ae0342abf7b34527c67afcbd58f03580f34c24e981e938c4caee16662463fc0a42770f15aa91e39baa7349e1065e0167c85711402af2d542766ae6

memory/2276-414-0x0000000003B50000-0x00000000041A4000-memory.dmp

memory/2620-415-0x0000000000400000-0x0000000000A54000-memory.dmp

memory/2620-417-0x0000000003610000-0x0000000003690000-memory.dmp

memory/2620-416-0x0000000003490000-0x00000000034C3000-memory.dmp

memory/2620-418-0x0000000003610000-0x0000000003690000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 03:12

Reported

2024-03-11 03:15

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe

"C:\Users\Admin\AppData\Local\Temp\bfb0ff3c28b6f82afabaf58837989b00.exe"

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

"C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 advmicrodevice.com udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 advmicrodevice.com udp

Files

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\firesql.exe

MD5 e1b6202fce07a1f68b874e14793f2323
SHA1 157163eed9bb263b54b200ec4c84c0d8c6b2590e
SHA256 a1771679869dc5f43e9f7e9a1553c0200047630b8fc07202f44d9db3108062ae
SHA512 ea59dfa0c045a98df02aab7e42a7037a9744d4cee144917ed75d4e88a2eb083406d7272e038ecddadb01bac0501bfb9ad3d34cfeaf082232da501d74d40e109e

memory/4248-414-0x0000000000400000-0x0000000000A54000-memory.dmp

memory/1272-413-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\ff_wmv9.dll

MD5 af419184a4da05d5ea9df37130ee750b
SHA1 ba7ea98545e58c006e62a3b8ae98a5928cd1d74d
SHA256 bb0e61cdfc101cac62486eec8a02b1f200bff1a98baea8571e1742995adc0e02
SHA512 402ef1175692bd70029bca1d62000f21bc225a5adf9cf749cb09f0b4613589bd2d76fe07e2b25556f12f1f299608a7f622eaef9e8a121c2bac4de65bb8abb69c

C:\Users\Admin\AppData\Roaming\Firebird Project\Firebird Control SQL Server\Chart.png

MD5 d1c21568eece976ec41d43f1d78218f9
SHA1 0ee4aeffc2a5c11cc20d20ccfa504b90768d8f57
SHA256 20b75a5cb0d67689ef3436dfa9ecbdc877fb03fb72632efdf9adc8e809422925
SHA512 354b4597e3ae0342abf7b34527c67afcbd58f03580f34c24e981e938c4caee16662463fc0a42770f15aa91e39baa7349e1065e0167c85711402af2d542766ae6

memory/4248-418-0x0000000000B70000-0x0000000000BA3000-memory.dmp

memory/4248-419-0x0000000003F50000-0x0000000003FD0000-memory.dmp

memory/4248-420-0x0000000003F50000-0x0000000003FD0000-memory.dmp