Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2024 18:59

General

  • Target

    98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe

  • Size

    6.6MB

  • MD5

    f1844dddcce9f1ebc415a46c0c9dbcb3

  • SHA1

    150eb90cf1886e1065b4057ec0d144a39345d25d

  • SHA256

    98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c

  • SHA512

    b2b3d45aee7316d41a0a85daa3d700329d76eead3288268402728b44c201cf1779722d16dc2a89a3e2143005f452111e7a1e029c89416d283dcb5c57e122ef9a

  • SSDEEP

    98304:uPdx/6o/EJ6N6ExIxrnumYqQ2LTihx2rds1Uq2T/flOgbBkvBbmvdY78CD+Lv4sC:uL6ocnT1GhkYgbBk5SvW8CjQvNm

Malware Config

Extracted

Family

cryptbot

C2

veogrm54.top

mornoi05.top

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Babadeda family
  • CryptBot

    CryptBot is a C++ information stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe
    "C:\Users\Admin\AppData\Local\Temp\98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\adv1.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1734826176 " AI_EUIMSI=""
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:1844
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding FCAB96FDA2CE03C6BED479783AC11ED5 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3124
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4AEDD5FC20400FFAD01648E68992A6E9
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4988
    • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker\gtlev.exe
      "C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker\gtlev.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:4388


Downloads

  • C:\Config.Msi\e578e58.rbs

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Temp\MSI8C82.tmp

    Filesize

    393KB

  • C:\Users\Admin\AppData\Local\Temp\MSI8CD1.tmp

    Filesize

    866KB

  • C:\Users\Admin\AppData\Local\Temp\edpSMEdNDYLVk\VdsNAtjyFW.zip

    Filesize

    48KB

  • C:\Users\Admin\AppData\Local\Temp\edpSMEdNDYLVk\_Files\_Information.txt

    Filesize

    542B

  • C:\Users\Admin\AppData\Local\Temp\edpSMEdNDYLVk\_Files\_Information.txt

    Filesize

    7KB

  • C:\Users\Admin\AppData\Local\Temp\edpSMEdNDYLVk\_Files\_Screen_Desktop.jpeg

    Filesize

    53KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\LICENSE.electron.txt

    Filesize

    1KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\License.txt

    Filesize

    3KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\ReadMe.txt

    Filesize

    19KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.batteries_v2.dll

    Filesize

    5KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.core.dll

    Filesize

    49KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.provider.dynamic_cdecl.dll

    Filesize

    60KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.provider.e_sqlcipher.dll

    Filesize

    38KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\Typography.GlyphLayout.dll

    Filesize

    27KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\adv1.msi

    Filesize

    2.1MB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\assets\goal_achieved.png

    Filesize

    102KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\assets\goal_progress.png

    Filesize

    64KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\gtlev.exe

    Filesize

    5.9MB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\libEGL.dll

    Filesize

    106KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\libGLES-v2.dll

    Filesize

    3.8MB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\upd

    Filesize

    491KB

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\decoder.dll

    Filesize

    202KB

  • C:\Windows\Installer\MSI903F.tmp

    Filesize

    573KB

  • memory/4388-124-0x00000000005A0000-0x0000000000BF7000-memory.dmp

    Filesize

    6.3MB

  • memory/4388-253-0x00000000005A0000-0x0000000000BF7000-memory.dmp

    Filesize

    6.3MB