babadeda | fad9151bdf6b42b534a4eca9c0fa331970fc0596e1ffd4fcba245b2a1cfc936b

General

Target

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
Size

10.7MB
MD5

60bce89d8df5caa28d3d73ee4c94313a
SHA1

878e237aeb528a1e4c6c3fe53cb4ffd1c420231e
SHA256

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d
SHA512

963629759df10731e7b49a113fd4eb462286d26d4b394bab89bea35f4515cc907d803b01313764b973ebd4876a40e2fff820ad6b10f7a142e74a31a836010665
SSDEEP

196608:yxthehwzf4soekmmf7zADj75xtw0QkyPAm2VxdG1P5K5S2njugWR:meCBoeq7adK7JonCxC7juR

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

C2

prunerflowershop.com:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002320d-473.dat	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Executes dropped EXE 3 IoCs

pid	Process
4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
4772	alcodec.exe

Loads dropped DLL 1 IoCs

pid	Process
4772	alcodec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4508	748	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	88
PID 748 wrote to memory of 4508	748	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	88
PID 748 wrote to memory of 4508	748	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	88
PID 4508 wrote to memory of 1452	4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	89
PID 4508 wrote to memory of 1452	4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	89
PID 4508 wrote to memory of 1452	4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	89
PID 1452 wrote to memory of 532	1452	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	90
PID 1452 wrote to memory of 532	1452	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	90
PID 1452 wrote to memory of 532	1452	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	90
PID 532 wrote to memory of 4772	532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	95
PID 532 wrote to memory of 4772	532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	95
PID 532 wrote to memory of 4772	532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	95

C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
"C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\is-3IRV5.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3IRV5.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$301D2,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\is-U45CR.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-U45CR.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$401D4,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe
        
        "C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IRV5.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\FAQ.pdf

Filesize
859KB

MD5
7d48ba5bfc96796ab7dc48f6764aec44

SHA1
bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

SHA256
4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

SHA512
71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe

Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\libftype-5.dll

Filesize
17.1MB

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
memory/532-467-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/532-17-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/748-12-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/748-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1452-464-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1452-469-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1452-8-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4508-10-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4508-5-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4772-470-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/4772-479-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download

Resubmissions

Analysis

Sharing