Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 06:24
General
-
Target
virus.exe
-
Size
315KB
-
MD5
0be23ddaec11bb1e64f2f54d4505cbcd
-
SHA1
24dce5a1b78c691f57d20de2afe00af2f88c1bb5
-
SHA256
58d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e
-
SHA512
5252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879
-
SSDEEP
6144:elNBW0lmEWfK8OZn05Wm6wFBDpomqTVg+e67YCkxLr3DI3NoAcs:ent8OZQBDDpsyfFr3Io
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\virus.exe"C:\Users\Admin\AppData\Local\Temp\virus.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier2⤵
-
C:\ProgramData\Babylon RAT\client.exe"C:\ProgramData\Babylon RAT\client.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\ProgramData\Babylon RAT\client.exe"C:\ProgramData\Babylon RAT\client.exe" 39243⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier4⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
-
C:\Windows\SysWOW64\cmd.exeecho [zoneTransfer]ZoneID = 2 > "C:\ProgramData\Babylon RAT\client.exe":ZONE.identifier3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Babylon RAT\client.exeFilesize
315KB
MD50be23ddaec11bb1e64f2f54d4505cbcd
SHA124dce5a1b78c691f57d20de2afe00af2f88c1bb5
SHA25658d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e
SHA5125252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879
-
C:\ProgramData\Babylon RAT\client.exeFilesize
315KB
MD50be23ddaec11bb1e64f2f54d4505cbcd
SHA124dce5a1b78c691f57d20de2afe00af2f88c1bb5
SHA25658d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e
SHA5125252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879
-
C:\ProgramData\Babylon RAT\client.exeFilesize
315KB
MD50be23ddaec11bb1e64f2f54d4505cbcd
SHA124dce5a1b78c691f57d20de2afe00af2f88c1bb5
SHA25658d89ecd353406c747242574858134b6e37f1d49ab65b4fc48a1e822293bb22e
SHA5125252df7b7c170dcaff33f4e6dbdae1e3cc070f1b5cc1a628c49216d5fb2781fc5be78c4df78c19a47b81d06d78980f2ca0cca10a738994484ea4d0537fbeb879
-
memory/380-141-0x0000000000BE0000-0x0000000000C5E000-memory.dmpFilesize
504KB
-
memory/2264-138-0x0000000000E60000-0x0000000000EDE000-memory.dmpFilesize
504KB
-
memory/3924-150-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-156-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-143-0x0000000000BE0000-0x0000000000C5E000-memory.dmpFilesize
504KB
-
memory/3924-145-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-147-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-139-0x0000000000BE0000-0x0000000000C5E000-memory.dmpFilesize
504KB
-
memory/3924-153-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-142-0x0000000074120000-0x0000000074159000-memory.dmpFilesize
228KB
-
memory/3924-159-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-162-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-165-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-167-0x0000000074120000-0x0000000074159000-memory.dmpFilesize
228KB
-
memory/3924-169-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-171-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-174-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB
-
memory/3924-177-0x00000000740F0000-0x0000000074129000-memory.dmpFilesize
228KB