babylonrat | e8eefab37fec532a017d60a2851ed8aff3f4589028e9ca6794d100ea758bddb1

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BABYLON.exe
Size

355KB
MD5

072428ed08c736d6f81aea71741389b8
SHA1

6efa1a089267ce56b1962f2f93e5564256d38a1e
SHA256

e8eefab37fec532a017d60a2851ed8aff3f4589028e9ca6794d100ea758bddb1
SHA512

f53ba351383eaa4f375b89032f974215b808b0e50591a430e552e29d43a327da4ed028d5cd01e4a1d7b332b6fcfd21cc6609d54cd88a5ce4909df0c7cd393c15
SSDEEP

6144:9L1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19N:9LdcfxaeM6fy/KaVUtgKkTZ73coNRJN

Score

10^/10

babylonrat trojan upx

Malware Config

Extracted

Family

babylonrat

179.43.162.58

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2732-133-0x0000000000420000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2732-134-0x0000000000420000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2732-136-0x0000000000420000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/2732-154-0x0000000000420000-0x00000000004E9000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3BB646E7-4844-43B5-BACC-AA407CC5D5FA}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8BF9436B-7911-4DA5-BF5C-D2A9779F22A5}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5550BF98-1C1D-44E2-91F7-48DEFF076F95}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2903C559-BA55-47CD-A4AF-B0562B3064EE}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{73E32DE8-39DA-4C96-8A70-4D7C14FE19B7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F856B8E0-80BE-4328-B96E-CFFA69574CCC}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A81F0316-7F8E-43EC-B61F-C9F31EF44D5F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{67848460-A3F4-4E4C-9D7A-36653B3160EB}.catalogItem	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2732	BABYLON.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2732	BABYLON.exe
Token: SeDebugPrivilege	2732	BABYLON.exe
Token: SeTcbPrivilege	2732	BABYLON.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	BABYLON.exe

C:\Users\Admin\AppData\Local\Temp\BABYLON.exe
"C:\Users\Admin\AppData\Local\Temp\BABYLON.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-133-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/2732-134-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/2732-136-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/2732-154-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download