babylonrat | 12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb

General

Target

eea523161809e39ee734d8deb02f9f98.exe
Size

604KB
MD5

eea523161809e39ee734d8deb02f9f98
SHA1

a563069349eb551da8121fbb1b84690cc60a1eb4
SHA256

12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb
SHA512

a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35
SSDEEP

12288:fWrrr46mYSAkuzMbGtHLkur085gLO3PzB9TxNLKvtzA9ey:CrrrSAkuoGtpoM6O/DTxtKvt6ey

Score

10^/10

babylonrat persistence trojan

Malware Config

Extracted

Family

babylonrat

C2

185.128.25.29

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\lQJOSm2kytUFm5ER\\2cEZPoMpmuIQ.exe\",explorer.exe"	eea523161809e39ee734d8deb02f9f98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\lQJOSm2kytUFm5ER\\UobQXZEBalib.exe\",explorer.exe"	tskmsgl.exe

Executes dropped EXE 4 IoCs

pid	Process
4564	tskmsgl.exe
4184	tskmsgl.exe
5068	tskmsgl.exe
3048	tskmsgl.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 5068 set thread context of 3048	5068	tskmsgl.exe	100

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	eea523161809e39ee734d8deb02f9f98.exe
File created	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	eea523161809e39ee734d8deb02f9f98.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2128	eea523161809e39ee734d8deb02f9f98.exe
2128	eea523161809e39ee734d8deb02f9f98.exe
2128	eea523161809e39ee734d8deb02f9f98.exe
2128	eea523161809e39ee734d8deb02f9f98.exe
2128	eea523161809e39ee734d8deb02f9f98.exe
2128	eea523161809e39ee734d8deb02f9f98.exe
5068	tskmsgl.exe
5068	tskmsgl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4184	tskmsgl.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	eea523161809e39ee734d8deb02f9f98.exe
Token: SeDebugPrivilege	2128	eea523161809e39ee734d8deb02f9f98.exe
Token: SeShutdownPrivilege	4184	tskmsgl.exe
Token: SeDebugPrivilege	4184	tskmsgl.exe
Token: SeTcbPrivilege	4184	tskmsgl.exe
Token: SeDebugPrivilege	5068	tskmsgl.exe
Token: SeDebugPrivilege	5068	tskmsgl.exe
Token: SeShutdownPrivilege	3048	tskmsgl.exe
Token: SeDebugPrivilege	3048	tskmsgl.exe
Token: SeTcbPrivilege	3048	tskmsgl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4184	tskmsgl.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4564	2128	eea523161809e39ee734d8deb02f9f98.exe	96
PID 2128 wrote to memory of 4564	2128	eea523161809e39ee734d8deb02f9f98.exe	96
PID 2128 wrote to memory of 4564	2128	eea523161809e39ee734d8deb02f9f98.exe	96
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 2128 wrote to memory of 4184	2128	eea523161809e39ee734d8deb02f9f98.exe	97
PID 4184 wrote to memory of 5068	4184	tskmsgl.exe	98
PID 4184 wrote to memory of 5068	4184	tskmsgl.exe	98
PID 4184 wrote to memory of 5068	4184	tskmsgl.exe	98
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100
PID 5068 wrote to memory of 3048	5068	tskmsgl.exe	100

C:\Users\Admin\AppData\Local\Temp\eea523161809e39ee734d8deb02f9f98.exe
"C:\Users\Admin\AppData\Local\Temp\eea523161809e39ee734d8deb02f9f98.exe"
1⤵
- Modifies WinLogon for persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe
  "C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe"
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe
  "C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe
    "C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe" 4184
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe
      "C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe

Filesize
604KB

MD5
eea523161809e39ee734d8deb02f9f98

SHA1
a563069349eb551da8121fbb1b84690cc60a1eb4

SHA256
12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb

SHA512
a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7I0Lu6pvUv7PGad\tskmsgl.exe

Filesize
564KB

MD5
b606f0de9536abc73afab95886ed4a6a

SHA1
747b5289ef622eafafdd5277cfe3ad3fe33911b2

SHA256
b957c69638e835795d8b28839a60ab75fab237f340b374ba0a3485ee18d366ca

SHA512
93003b5168bee91aaec3cee1b9bc3a2459ad6ab1e4774ab7e5c8283c78b48bf5802cc5624cd92d441c92cc67e970711efb72ccde8b7d56403d0a8ab65994cc3c

Download Submit
memory/2128-29-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2128-1-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/2128-2-0x0000000001590000-0x00000000015A0000-memory.dmp

Filesize
64KB

Download
memory/2128-38-0x0000000001590000-0x00000000015A0000-memory.dmp

Filesize
64KB

Download
memory/2128-0-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/3048-37-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3048-36-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3048-35-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-11-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-15-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-27-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-42-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-39-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-23-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-20-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4184-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5068-24-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-28-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-40-0x00000000745F0000-0x0000000074BA1000-memory.dmp

Filesize
5.7MB

Download
memory/5068-41-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download
memory/5068-26-0x0000000001710000-0x0000000001720000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads