Overview

overview

10

Static

static

10

Gumball.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    299s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • submitted
    04-02-2024 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Gumball.exe

  • Size

    733KB

  • MD5

    851f14d9ca2dd166ad73253b5c5efc1d

  • SHA1

    b83e26e5f6ad4d87858a88eef1a2a39511f90d01

  • SHA256

    da7962813c16963d35cc67e5556ac41539d6f9f61904e4b446305758d6fd6408

  • SHA512

    05b6df2c133e57641a77f372db558ae7e0d2bb5a837846e792248745a1f3d8e6d36d9dd1437a8256df66024465c8f3c019b790fa803f22426f22a4e63680f7c4

  • SSDEEP

    12288:8qzcpVgUXzL0TTUKZHTNloEkOpnKgofuIwV6eAj0wZxxXMcEe/3paPcgeX:8qzcpKIL0TvZzNlNky0wVW0wZxxVgeX

Score
10/10
babylonratdiscoverypersistencetrojan

Malware Config

Extracted

Family

babylonrat

C2

192.168.1.78

Signatures

  • Babylon RAT

    Babylon RAT is remote access trojan written in C++.

    trojanbabylonrat
  • Babylonrat family
    babylonrat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gumball.exe
    "C:\Users\Admin\AppData\Local\Temp\Gumball.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\ProgramData\Babylon RAT\client.exe
      "C:\ProgramData\Babylon RAT\client.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\ProgramData\Babylon RAT\client.exe
        "C:\ProgramData\Babylon RAT\client.exe" 1748
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Babylon RAT\client.exe
    Filesize

    733KB

    MD5

    851f14d9ca2dd166ad73253b5c5efc1d

    SHA1

    b83e26e5f6ad4d87858a88eef1a2a39511f90d01

    SHA256

    da7962813c16963d35cc67e5556ac41539d6f9f61904e4b446305758d6fd6408

    SHA512

    05b6df2c133e57641a77f372db558ae7e0d2bb5a837846e792248745a1f3d8e6d36d9dd1437a8256df66024465c8f3c019b790fa803f22426f22a4e63680f7c4

    Download Submit