General
-
Target
c64aa0d81a6955ae443268663d734dc4
-
Size
6.4MB
-
Sample
240313-tgdqtsba67
-
MD5
c64aa0d81a6955ae443268663d734dc4
-
SHA1
219cc00be870def6b56c46adfc6c2a7928beba37
-
SHA256
d655c80b18e92e48821998ff99afdbaac96ab2c940b70c5b2c0e7770ad1e16c2
-
SHA512
39cf19aefea75eafaf26aef04116f5f1111e11a24c51171b97097137afba45b57ca5b4ea87a01c40be1d91760cf38927f0dd1ca9dca3f59ccb67e253d7d74ca5
-
SSDEEP
196608:Tt2oFyQRCtmyuntvZ4XuFE5wR/CCosGHDzhRrTmAI7:4RnatvZ4WoCosyDzhdDI7
Malware Config
Extracted
cobaltstrike
305419776
http://unattended-upgrades.net:757/d_config.html
-
access_type
512
-
beacon_type
2048
-
host
unattended-upgrades.net,/d_config.html
-
http_header1
AAAAEAAAAB1Ib3N0OiB1bmF0dGVuZGVkLXVwZ3JhZGVzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAAAAAA0AAAADAAAAAgAAABh3cF93b29jb21tZXJjZV9zZXNzaW9uXz0AAAAGAAAABkNvb2tpZQAAAAkAAAAMZWNob3N0cj10cnVlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAAEAAAAB1Ib3N0OiB1bmF0dGVuZGVkLXVwZ3JhZGVzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAACAAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
60641
-
port_number
757
-
sc_process32
%windir%\syswow64\svchost.exe
-
sc_process64
%windir%\sysnative\svchost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCshEynKiaZtiQG+JWKQ9gzX1pTzR9mbIVAwISpAL0qoKSEbNKbZPv495T/9fgNOIoimabjjQRu9sgQKPaOwBUjKjWQISHp7ZjsIHHnqwbbx3lh+eMSvrG2NbzhZsBDY5ByBdox+j8ta1mG/e1RKkdnQ/JIzdXQLftVZAGQ17m5wwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
5.10860288e+08
-
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/Forums
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
-
watermark
305419776
Targets
-
-
Target
c64aa0d81a6955ae443268663d734dc4
-
Size
6.4MB
-
MD5
c64aa0d81a6955ae443268663d734dc4
-
SHA1
219cc00be870def6b56c46adfc6c2a7928beba37
-
SHA256
d655c80b18e92e48821998ff99afdbaac96ab2c940b70c5b2c0e7770ad1e16c2
-
SHA512
39cf19aefea75eafaf26aef04116f5f1111e11a24c51171b97097137afba45b57ca5b4ea87a01c40be1d91760cf38927f0dd1ca9dca3f59ccb67e253d7d74ca5
-
SSDEEP
196608:Tt2oFyQRCtmyuntvZ4XuFE5wR/CCosGHDzhRrTmAI7:4RnatvZ4WoCosyDzhdDI7
Score10/10-
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
-
Babadeda Crypter
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-