babylonrat | 12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb

General

Target

eea523161809e39ee734d8deb02f9f98.exe
Size

604KB
MD5

eea523161809e39ee734d8deb02f9f98
SHA1

a563069349eb551da8121fbb1b84690cc60a1eb4
SHA256

12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb
SHA512

a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35
SSDEEP

12288:fWrrr46mYSAkuzMbGtHLkur085gLO3PzB9TxNLKvtzA9ey:CrrrSAkuoGtpoM6O/DTxtKvt6ey

Score

10^/10

babylonrat persistence trojan

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\lQJOSm2kytUFm5ER\\6ZeRMVMrClYf.exe\",explorer.exe"	eea523161809e39ee734d8deb02f9f98.exe

Executes dropped EXE 1 IoCs

pid	Process
4384	tskmsgl.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe
File created	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	eea523161809e39ee734d8deb02f9f98.exe
File created	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2288	4384	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4832	eea523161809e39ee734d8deb02f9f98.exe
4832	eea523161809e39ee734d8deb02f9f98.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	eea523161809e39ee734d8deb02f9f98.exe
Token: SeDebugPrivilege	4832	eea523161809e39ee734d8deb02f9f98.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92
PID 4832 wrote to memory of 4384	4832	eea523161809e39ee734d8deb02f9f98.exe	92

C:\Users\Admin\AppData\Local\Temp\eea523161809e39ee734d8deb02f9f98.exe
"C:\Users\Admin\AppData\Local\Temp\eea523161809e39ee734d8deb02f9f98.exe"
1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe
  "C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe"
  2⤵
  - Executes dropped EXE
  PID:4384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 536
    3⤵
    - Program crash
    PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4384 -ip 4384
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe

Filesize
342KB

MD5
8d3ee662ccf1aa41a8a5b411dc0ac6f3

SHA1
edbd80a06e4743d8bb09fada645481784017562f

SHA256
37a008638473202a742fd0f7987dfdfd5af74b61eb1056497be72fb0a1d13bd2

SHA512
626ceb16eafb0bfb3081ca7530216d4721182e92601bfd706ebe95336ffe1dc0b30cb0efeee0ee3bcf395f66cf1694cb53c7c8da1a982778181b4239644b83cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe

Filesize
375KB

MD5
ed0f1105074ae943d7e26fd0e927c0aa

SHA1
4755dd39dafbf26925da43ba087f97d2084978a4

SHA256
78a9e2ee7407dfd1267a9182ff16df82fa875d5c1a3ec5a5a2da6b9de9b00331

SHA512
3b299c8a5a176095c8544960096e7daf3c431d7efc2fe5329fc1558e69c78dec539f8a0c45f320d75954796db8eedda4eaed7c59ca7dd4cfaaa6687ca9844f74

Download Submit
C:\Users\Admin\AppData\Roaming\lQJOSm2kytUFm5ER\6ZeRMVMrClYf.exe

Filesize
327KB

MD5
6b3c501bdcf0d34ba65b6781587638e4

SHA1
22e23a31466305080104ee62491e350f5fb2c015

SHA256
938d569b23d600d1b5a945e19f255b2e051c5babcffa2d29b8e7b8ed6c7b6607

SHA512
1795522c7a1e813927e4e7c89b34e2fba90516d1d0c7fab105f8e04648941a399877630b5c5674a90aa6063a48ad41c519911b0ed1f034052f584357e307f955

Download Submit
memory/4384-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4384-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4384-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4384-9-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4832-0-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4832-2-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4832-1-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/4832-17-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download
memory/4832-18-0x00000000016F0000-0x0000000001700000-memory.dmp

Filesize
64KB

Download
memory/4832-19-0x00000000753A0000-0x0000000075951000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads