babadeda | d655c80b18e92e48821998ff99afdbaac96ab2c940b70c5b2c0e7770ad1e16c2

Analysis

max time kernel
148s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c64aa0d81a6955ae443268663d734dc4.exe
Size

6.4MB
MD5

c64aa0d81a6955ae443268663d734dc4
SHA1

219cc00be870def6b56c46adfc6c2a7928beba37
SHA256

d655c80b18e92e48821998ff99afdbaac96ab2c940b70c5b2c0e7770ad1e16c2
SHA512

39cf19aefea75eafaf26aef04116f5f1111e11a24c51171b97097137afba45b57ca5b4ea87a01c40be1d91760cf38927f0dd1ca9dca3f59ccb67e253d7d74ca5
SSDEEP

196608:Tt2oFyQRCtmyuntvZ4XuFE5wR/CCosGHDzhRrTmAI7:4RnatvZ4WoCosyDzhdDI7

Score

10^/10

babadeda cobaltstrike 305419776 backdoor crypter discovery loader trojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419776

http://unattended-upgrades.net:757/d_config.html

Attributes

access_type
512
beacon_type
2048
host
unattended-upgrades.net,/d_config.html
http_header1
AAAAEAAAAB1Ib3N0OiB1bmF0dGVuZGVkLXVwZ3JhZGVzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAHAAAAAAAAAA0AAAADAAAAAgAAABh3cF93b29jb21tZXJjZV9zZXNzaW9uXz0AAAAGAAAABkNvb2tpZQAAAAkAAAAMZWNob3N0cj10cnVlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAAEAAAAB1Ib3N0OiB1bmF0dGVuZGVkLXVwZ3JhZGVzLm5ldAAAAAoAAAARQ29ubmVjdGlvbjogY2xvc2UAAAAKAAAAJUFjY2VwdC1MYW5ndWFnZTogZW4tR0I7cT0wLjksICo7cT0wLjcAAAAKAAAAGENvbnRlbnQtVHlwZTogdGV4dC9wbGFpbgAAAAcAAAABAAAACAAAAAMAAAAEAAAABwAAAAAAAAADAAAAAgAAAA5fX3Nlc3Npb25fX2lkPQAAAAYAAAAGQ29va2llAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
60641
port_number
757
sc_process32
%windir%\syswow64\svchost.exe
sc_process64
%windir%\sysnative\svchost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCshEynKiaZtiQG+JWKQ9gzX1pTzR9mbIVAwISpAL0qoKSEbNKbZPv495T/9fgNOIoimabjjQRu9sgQKPaOwBUjKjWQISHp7ZjsIHHnqwbbx3lh+eMSvrG2NbzhZsBDY5ByBdox+j8ta1mG/e1RKkdnQ/JIzdXQLftVZAGQ17m5wwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
5.10860288e+08
unknown2
AAAABAAAAAIAAAFSAAAAAwAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/Forums
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36
watermark
305419776

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000232a3-479.dat	family_babadeda

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c64aa0d81a6955ae443268663d734dc4.exe

Executes dropped EXE 1 IoCs

pid	Process
5124	reporteng.exe

Loads dropped DLL 1 IoCs

pid	Process
5124	reporteng.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 5124	1108	c64aa0d81a6955ae443268663d734dc4.exe	92
PID 1108 wrote to memory of 5124	1108	c64aa0d81a6955ae443268663d734dc4.exe	92
PID 1108 wrote to memory of 5124	1108	c64aa0d81a6955ae443268663d734dc4.exe	92

C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe
"C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe
  "C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\librsvg-2-0.dll

Filesize
2.7MB

MD5
0c9ffc11536519e7aae0904b996b7b8b

SHA1
ad96920ec62c429ed53e565dbe13c010d58b4881

SHA256
8dc28c5db4dd373b587cbff789d87112c8319732b58e89cd3f97ffcad18e0904

SHA512
8bc8a3a78a76057206b62eb5765e5c9162229e4cfc6046ce26443bd3b92c0d26105513730edfa1cc50020190b904ab83f5dc0bd800bd33250d8afb7efe4c22a5

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\librsvg-2-0.dll

Filesize
3.5MB

MD5
f0b877873803ee472f25c60546a99eee

SHA1
9ca1602eddb321804bf1e3c1925914d20d6e8b71

SHA256
56c8c0e01bbcd6d7ac4e11cfb72941047d58a511c12f6668320909b19b171830

SHA512
c0d89a9bd38259178bc341b8266b54f4bb5d567f53dc63ff182b7dfa5292ef57d84151d408411cb0f24cb9952e361c0d0ca62f4f6d1085af1e522c91f947176c

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

Filesize
6.2MB

MD5
fdde7f35a3828c786a31764a89001105

SHA1
b2be94ed57c6f28343b23c9461f6da1ead202cfa

SHA256
03337888c04ecbdb9e72437c72450f1cbaacb7a659af9195f74d117f82cf4608

SHA512
14c6c6d63c019b4f408fef2cdb885be01adf6211f14cfe046060017b326210ef348b4d1921d1508def0544c0ee31d44357f88b2d6149927c554b4ee74edecaed

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

Filesize
2.7MB

MD5
9baa972dd972271c3b44c8d55689f698

SHA1
20dcffea3a85b1ff8087b5ad2b49c41c6fd6e786

SHA256
4a3109b08b199b40228cdca3829476da4fe3d3e5c5b845231fe5077fe7af2505

SHA512
ad2a9985fdf7cb14b29cafaf2cbb30716e4bbedd00a750f4dac9c352c06a84de0b349b0a0dea3a466804833b8b7e23a6ef21860b49ae10c1e4496f9da7bd5661

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

Filesize
3.6MB

MD5
919dd0c40ce03a97cb5180e6f492f648

SHA1
66bb8b4a3ce3c685b2b9f0b169128efb76345b7a

SHA256
3ab3d48c1895cf8fa8246691702426038ebc7d29da9970ba1b8782a04a0a621e

SHA512
2a3a2101fccad1b99a802bcff999bf1f2dcbd1face4c8305f1c74d1ddc782318f32ee6e078dae2007717528fa9317b4b61766a770d4de5393fb87b9eec6a30bd

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_banner.html

Filesize
490B

MD5
5d1f7da1c3d95020a0708118145364d0

SHA1
02f630e7ac8b8d400af219bd8811aa3a22f7186e

SHA256
d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

SHA512
6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_connect_to_data_no_mru.html

Filesize
1KB

MD5
20bbd307866f19a5af3ae9ebd5104018

SHA1
8e03c9b18b9d27e9292ee154b773553493df1157

SHA256
e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

SHA512
420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_connect_to_data_with_mru.html

Filesize
1KB

MD5
e6bc0d078616dd5d5f72d46ab2216e89

SHA1
f70534bb999bcb8f1db0cf25a7279757e794499f

SHA256
e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

SHA512
6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_landing.html

Filesize
720B

MD5
0a5b47256c14570b80ef77ecfd2129b7

SHA1
69210a7429c991909c70b6b6b75fe4bc606048ae

SHA256
1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

SHA512
5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_topstrip_no_mru.html

Filesize
659B

MD5
eced86c9d5b8952ac5fb817c3ce2b8ba

SHA1
3ca24e69df7a4b81f799527a97282799fcd3f1e2

SHA256
3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

SHA512
a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_topstrip_with_mru.html

Filesize
798B

MD5
cc4d8a787ab1950c4e3aac5751c9fcde

SHA1
d026a156723a52c34927b5a951a2bb7d23aa2c45

SHA256
13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

SHA512
e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\stylesheets\start_page.css

Filesize
2KB

MD5
f2ab3e5fb61293ae8656413dbb6e5dc3

SHA1
53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

SHA256
06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

SHA512
2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\stylesheets\start_page_landing.css

Filesize
282B

MD5
49617add7303a8fbd24e1ad16ba715d8

SHA1
31772218ccf51fe5955625346c12e00c0f2e539a

SHA256
b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

SHA512
9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

Download Submit
C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\usage.pdf

Filesize
551KB

MD5
94d53a5a99df728359716acb35c7befd

SHA1
38d9a132d5df4751ff0dc8a5782591c61375c045

SHA256
125820b942b34f7e7082041a72ddda3e51b372d734cc1c59dc8c7d89931947c4

SHA512
e141d89cbb7acceb5e78c56ecd110e0847cb859c12337af0758ee4603646870814d7c59005c4dd564708140f4fbe24a00153ec4b839354dc594e71309667aa1b

Download Submit
memory/1108-476-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/5124-480-0x0000000000400000-0x0000000000BEC000-memory.dmp

Filesize
7.9MB

Download
memory/5124-481-0x0000000000C30000-0x0000000000C63000-memory.dmp

Filesize
204KB

Download
memory/5124-482-0x0000000002830000-0x00000000028BD000-memory.dmp

Filesize
564KB

Download
memory/5124-483-0x0000000002830000-0x00000000028BD000-memory.dmp

Filesize
564KB

Download