babadeda | 4d02224a7dadfc2d8a1343fdc51e4634a98bd073f867bfd091e667efd112108a

Resubmissions

12-08-2024 14:48

240812-r6r9eawbmm 10

13-04-2022 03:36

220413-d51x9safek 10

Analysis

max time kernel
38s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amadey.exe
Size

6.7MB
MD5

fc33eb2d1bc5bddd539a2d498a758b93
SHA1

c2daa51655e86088bb554e89e047667f60af822f
SHA256

4d02224a7dadfc2d8a1343fdc51e4634a98bd073f867bfd091e667efd112108a
SHA512

ea0da825962b2c4beb67ce7bf54ee4139e47b4b756cc474eea06eb856e75d6b6b98133e8d9e3ebd9508c3fbdb47cc5da62eb81a1206fd3383b0673508e098656
SSDEEP

196608:26/ssSmI4zRjdfl2ykqtSE+eazr3Rldgid4sG59Ml:26vjZAqDaf3Rl9PG6

Score

10^/10

babadeda crypter discovery loader upx

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234d8-270.dat	family_babadeda

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	amadey.exe

Executes dropped EXE 1 IoCs

pid	Process
3720	RAMhelper.exe

Loads dropped DLL 1 IoCs

pid	Process
3720	RAMhelper.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4992-0-0x0000000000400000-0x000000000072F000-memory.dmp	upx
behavioral1/memory/4992-272-0x0000000000400000-0x000000000072F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amadey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RAMhelper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3720	4992	amadey.exe	89
PID 4992 wrote to memory of 3720	4992	amadey.exe	89
PID 4992 wrote to memory of 3720	4992	amadey.exe	89

C:\Users\Admin\AppData\Local\Temp\amadey.exe
"C:\Users\Admin\AppData\Local\Temp\amadey.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe
  "C:\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mXparser2\Lang\it\Phototheca EULA.rtf

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\RAMhelper.exe

Filesize
4.9MB

MD5
0c8e3d8fbcb0d3fc59ed18c2a231893c

SHA1
4361b91bd9d25b196e3b5b83aee3e8b5b9145a12

SHA256
a6d5ff8173995ddad0defd205c64babdd8254154a82b6790c8363fdc57631f0b

SHA512
601fdaeb83bac979069f97197d3599b11778c93a325242a4507210c220fb16dbbb51ce9d75d29f60041121aa166d4ef7605a7dbc25a98f7afb61189643756956

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\cds.xml

Filesize
417KB

MD5
5c99876abd68dbfb64fe6ee6a5aed894

SHA1
9410d3395d073379ad64c7d338c6c5366b39437a

SHA256
80cd89d38d02a4c48d9fac6b5a57212c6acd9326e00c894050ad4963a6dd55ca

SHA512
114bd9f1dce27298105020015d1c95aa2a923b63194b7405a9c3aa6c533156ee0ac248e4b4bfee1ef14f1fa1c44a77ced70a3bc2959b348a4a391a1a23d080dc

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\html\startpage_banner.html

Filesize
490B

MD5
5d1f7da1c3d95020a0708118145364d0

SHA1
02f630e7ac8b8d400af219bd8811aa3a22f7186e

SHA256
d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

SHA512
6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\html\startpage_connect_to_data_no_mru.html

Filesize
1KB

MD5
20bbd307866f19a5af3ae9ebd5104018

SHA1
8e03c9b18b9d27e9292ee154b773553493df1157

SHA256
e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

SHA512
420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\html\startpage_connect_to_data_with_mru.html

Filesize
1KB

MD5
e6bc0d078616dd5d5f72d46ab2216e89

SHA1
f70534bb999bcb8f1db0cf25a7279757e794499f

SHA256
e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

SHA512
6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\html\startpage_landing.html

Filesize
720B

MD5
0a5b47256c14570b80ef77ecfd2129b7

SHA1
69210a7429c991909c70b6b6b75fe4bc606048ae

SHA256
1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

SHA512
5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\html\startpage_topstrip_no_mru.html

Filesize
659B

MD5
eced86c9d5b8952ac5fb817c3ce2b8ba

SHA1
3ca24e69df7a4b81f799527a97282799fcd3f1e2

SHA256
3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

SHA512
a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\html\startpage_topstrip_with_mru.html

Filesize
798B

MD5
cc4d8a787ab1950c4e3aac5751c9fcde

SHA1
d026a156723a52c34927b5a951a2bb7d23aa2c45

SHA256
13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

SHA512
e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\stylesheets\start_page.css

Filesize
2KB

MD5
f2ab3e5fb61293ae8656413dbb6e5dc3

SHA1
53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

SHA256
06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

SHA512
2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\res\public\en_GB\stylesheets\start_page_landing.css

Filesize
282B

MD5
49617add7303a8fbd24e1ad16ba715d8

SHA1
31772218ccf51fe5955625346c12e00c0f2e539a

SHA256
b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

SHA512
9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

Download Submit
C:\Users\Admin\AppData\Roaming\mXparser2\swresample-1.dll

Filesize
3.8MB

MD5
203e85bccd9206d76dbc476d8e04155f

SHA1
d0bf7c602b44768adaddea9142315232c34fb684

SHA256
04c5d73baa33bc3a63d5081c171dec0662af22eb08591997e708de37a26a2ba0

SHA512
0d17edd1cbeb277aee2e3f9cf043e789ef442606051452aae2f9590a3bb7d64b4e8f414bf905c6244f9fb34514337c333eb7baca247c44ecff4a92470769b7c8

Download Submit
memory/3720-268-0x00000000003C0000-0x00000000008AB000-memory.dmp

Filesize
4.9MB

Download
memory/4992-0-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/4992-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4992-272-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download