babadeda | 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901

Analysis

max time kernel
151s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe
Size

16.5MB
MD5

e3ffe9b1db336ca7f34e0f26215d4ee4
SHA1

3ec434df80529311342401ac7a7acd066e19c90f
SHA256

700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901
SHA512

71168c55f1c159d48b11f951fae2c8686fc66e4e1ba57f5bc2904cc06af71d096ebc60220745133c83c5a06682621736c6f73261658af5ab086b5831f91c9a8b
SSDEEP

196608:jtxgKFeSqv70qJ3uf0jox2m1eKFL3mKLzmi3S4s8EzR:rgKHpqJ3ussx2R+L3mKnPSXV

Score

10^/10

babadeda outsteel crypter discovery loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023342-897.dat	family_babadeda

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe

Executes dropped EXE 1 IoCs

Processes:

csvhelper.exe

pid	Process
5084	csvhelper.exe

Loads dropped DLL 1 IoCs

Processes:

csvhelper.exe

pid	Process
5084	csvhelper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csvhelper.exe

description	ioc	Process
File opened (read-only)	\??\e:	csvhelper.exe
File opened (read-only)	\??\i:	csvhelper.exe
File opened (read-only)	\??\k:	csvhelper.exe
File opened (read-only)	\??\l:	csvhelper.exe
File opened (read-only)	\??\t:	csvhelper.exe
File opened (read-only)	\??\o:	csvhelper.exe
File opened (read-only)	\??\v:	csvhelper.exe
File opened (read-only)	\??\y:	csvhelper.exe
File opened (read-only)	\??\a:	csvhelper.exe
File opened (read-only)	\??\b:	csvhelper.exe
File opened (read-only)	\??\g:	csvhelper.exe
File opened (read-only)	\??\h:	csvhelper.exe
File opened (read-only)	\??\j:	csvhelper.exe
File opened (read-only)	\??\m:	csvhelper.exe
File opened (read-only)	\??\p:	csvhelper.exe
File opened (read-only)	\??\q:	csvhelper.exe
File opened (read-only)	\??\r:	csvhelper.exe
File opened (read-only)	\??\u:	csvhelper.exe
File opened (read-only)	\??\n:	csvhelper.exe
File opened (read-only)	\??\s:	csvhelper.exe
File opened (read-only)	\??\w:	csvhelper.exe
File opened (read-only)	\??\x:	csvhelper.exe
File opened (read-only)	\??\z:	csvhelper.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/5084-899-0x0000000000AD0000-0x000000000120F000-memory.dmp	autoit_exe
behavioral2/memory/5084-900-0x0000000000AD0000-0x000000000120F000-memory.dmp	autoit_exe
behavioral2/memory/5084-903-0x0000000000AD0000-0x000000000120F000-memory.dmp	autoit_exe
behavioral2/memory/5084-905-0x0000000000AD0000-0x000000000120F000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.execsvhelper.exe

description	pid	Process	procid_target
PID 3572 wrote to memory of 5084	3572	700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe	99
PID 3572 wrote to memory of 5084	3572	700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe	99
PID 3572 wrote to memory of 5084	3572	700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe	99
PID 5084 wrote to memory of 848	5084	csvhelper.exe	111
PID 5084 wrote to memory of 848	5084	csvhelper.exe	111
PID 5084 wrote to memory of 848	5084	csvhelper.exe	111
PID 5084 wrote to memory of 4120	5084	csvhelper.exe	114
PID 5084 wrote to memory of 4120	5084	csvhelper.exe	114
PID 5084 wrote to memory of 4120	5084	csvhelper.exe	114
PID 5084 wrote to memory of 4328	5084	csvhelper.exe	116
PID 5084 wrote to memory of 4328	5084	csvhelper.exe	116
PID 5084 wrote to memory of 4328	5084	csvhelper.exe	116
PID 5084 wrote to memory of 2472	5084	csvhelper.exe	118
PID 5084 wrote to memory of 2472	5084	csvhelper.exe	118
PID 5084 wrote to memory of 2472	5084	csvhelper.exe	118
PID 5084 wrote to memory of 4896	5084	csvhelper.exe	121
PID 5084 wrote to memory of 4896	5084	csvhelper.exe	121
PID 5084 wrote to memory of 4896	5084	csvhelper.exe	121
PID 5084 wrote to memory of 2420	5084	csvhelper.exe	123
PID 5084 wrote to memory of 2420	5084	csvhelper.exe	123
PID 5084 wrote to memory of 2420	5084	csvhelper.exe	123
PID 5084 wrote to memory of 3544	5084	csvhelper.exe	125
PID 5084 wrote to memory of 3544	5084	csvhelper.exe	125
PID 5084 wrote to memory of 3544	5084	csvhelper.exe	125
PID 5084 wrote to memory of 2600	5084	csvhelper.exe	127
PID 5084 wrote to memory of 2600	5084	csvhelper.exe	127
PID 5084 wrote to memory of 2600	5084	csvhelper.exe	127
PID 5084 wrote to memory of 4276	5084	csvhelper.exe	129
PID 5084 wrote to memory of 4276	5084	csvhelper.exe	129
PID 5084 wrote to memory of 4276	5084	csvhelper.exe	129
PID 5084 wrote to memory of 3408	5084	csvhelper.exe	131
PID 5084 wrote to memory of 3408	5084	csvhelper.exe	131
PID 5084 wrote to memory of 3408	5084	csvhelper.exe	131
PID 5084 wrote to memory of 3996	5084	csvhelper.exe	133
PID 5084 wrote to memory of 3996	5084	csvhelper.exe	133
PID 5084 wrote to memory of 3996	5084	csvhelper.exe	133
PID 5084 wrote to memory of 1296	5084	csvhelper.exe	135
PID 5084 wrote to memory of 1296	5084	csvhelper.exe	135
PID 5084 wrote to memory of 1296	5084	csvhelper.exe	135
PID 5084 wrote to memory of 2476	5084	csvhelper.exe	137
PID 5084 wrote to memory of 2476	5084	csvhelper.exe	137
PID 5084 wrote to memory of 2476	5084	csvhelper.exe	137
PID 5084 wrote to memory of 4916	5084	csvhelper.exe	139
PID 5084 wrote to memory of 4916	5084	csvhelper.exe	139
PID 5084 wrote to memory of 4916	5084	csvhelper.exe	139
PID 5084 wrote to memory of 4852	5084	csvhelper.exe	141
PID 5084 wrote to memory of 4852	5084	csvhelper.exe	141
PID 5084 wrote to memory of 4852	5084	csvhelper.exe	141
PID 5084 wrote to memory of 4416	5084	csvhelper.exe	143
PID 5084 wrote to memory of 4416	5084	csvhelper.exe	143
PID 5084 wrote to memory of 4416	5084	csvhelper.exe	143
PID 5084 wrote to memory of 3028	5084	csvhelper.exe	145
PID 5084 wrote to memory of 3028	5084	csvhelper.exe	145
PID 5084 wrote to memory of 3028	5084	csvhelper.exe	145
PID 5084 wrote to memory of 3264	5084	csvhelper.exe	147
PID 5084 wrote to memory of 3264	5084	csvhelper.exe	147
PID 5084 wrote to memory of 3264	5084	csvhelper.exe	147

C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe
"C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
  "C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
    3⤵
    PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf

Filesize
2.0MB

MD5
349a1d8bb00ae11bbf535cd909838c65

SHA1
c7b9d73580d6c733fbd5875bbccfbf3b792018e2

SHA256
93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4

SHA512
f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
2KB

MD5
44018e1779270b083ad90da3dffe9b15

SHA1
e09c06b564abe26bcf91ecb7632d761c3234b30d

SHA256
71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c

SHA512
ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\PagerBackL.png

Filesize
4KB

MD5
b3c74bb5250effad46ce11a96c9468c2

SHA1
3a339e244a29fe41d13fa4cc951a7e0a2862e299

SHA256
5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825

SHA512
a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
4KB

MD5
3272be2da53b6d5271111431f7d90d28

SHA1
7ec382eee6282454d5b0b03751f3d14c568bbfa5

SHA256
4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982

SHA512
45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
2KB

MD5
228d4bd899577ed16ad3ac74b592a0e6

SHA1
baf99e34e126d6c41b7aa39caabc2376358bab70

SHA256
fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5

SHA512
285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]

Filesize
2KB

MD5
2719683b8dba819f2e6bd9e9b7307f1c

SHA1
6cbac17ebf8b56489ad8b8c458dd618b2788512a

SHA256
316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a

SHA512
96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe

Filesize
6.9MB

MD5
f5de326683df44d71ed1b986fd836e0b

SHA1
33bc899da6afd2b82b27d59acd0844b521e57079

SHA256
17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f

SHA512
12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a

Download Submit
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\libfreetype-4.dll

Filesize
3.9MB

MD5
1bf457ea201a3374f7c37f43d5c3ffdb

SHA1
bf693ad6b3070cfb60902eeeb3a290bad531bbd0

SHA256
9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08

SHA512
c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074

Download Submit
memory/3572-894-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5084-898-0x0000000000AD0000-0x000000000120F000-memory.dmp

Filesize
7.2MB

Download
memory/5084-899-0x0000000000AD0000-0x000000000120F000-memory.dmp

Filesize
7.2MB

Download
memory/5084-900-0x0000000000AD0000-0x000000000120F000-memory.dmp

Filesize
7.2MB

Download
memory/5084-903-0x0000000000AD0000-0x000000000120F000-memory.dmp

Filesize
7.2MB

Download
memory/5084-905-0x0000000000AD0000-0x000000000120F000-memory.dmp

Filesize
7.2MB

Download