babylonrat | ebe6967d80552c9543d8f2e8b8cacbae667d0e504e2b8874028e2a438b63227b

Resubmissions

04-02-2024 21:01

240204-zt7gkaagb6 10

Analysis

max time kernel
290s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Clown.exe
Size

355KB
MD5

666b04054db7cd449d31ac30d0d448fa
SHA1

c83a12f38392560cf97228f510bf1992626c4650
SHA256

ebe6967d80552c9543d8f2e8b8cacbae667d0e504e2b8874028e2a438b63227b
SHA512

1bf1ae69b8251604c329ec001cea069509d709870b9ba7f6748557d4cafd5353ad4705f56fe2b7d1a5f856a608270e2e81d06772b7e8869dc661a2754232d984
SSDEEP

6144:3L1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19E:3LdcfxaeM6fy/KaVUtgKkTZ73coNRJ

Score

10^/10

babylonrat persistence trojan upx

Malware Config

Extracted

Family

babylonrat

184.57.171.124

192.168.1.78

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Executes dropped EXE 1 IoCs

pid	Process
4192	client.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4396-0-0x0000000000A90000-0x0000000000B59000-memory.dmp	upx
behavioral1/files/0x0006000000023233-5.dat	upx
behavioral1/files/0x0006000000023233-4.dat	upx
behavioral1/memory/4192-6-0x0000000000DF0000-0x0000000000EB9000-memory.dmp	upx
behavioral1/memory/4396-7-0x0000000000A90000-0x0000000000B59000-memory.dmp	upx
behavioral1/memory/4192-8-0x0000000000DF0000-0x0000000000EB9000-memory.dmp	upx
behavioral1/memory/4192-9-0x0000000000DF0000-0x0000000000EB9000-memory.dmp	upx
behavioral1/memory/4192-10-0x0000000000DF0000-0x0000000000EB9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	Clown.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4192	client.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4396	Clown.exe
Token: SeDebugPrivilege	4396	Clown.exe
Token: SeTcbPrivilege	4396	Clown.exe
Token: SeShutdownPrivilege	4192	client.exe
Token: SeDebugPrivilege	4192	client.exe
Token: SeTcbPrivilege	4192	client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4192	client.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4192	4396	Clown.exe	84
PID 4396 wrote to memory of 4192	4396	Clown.exe	84
PID 4396 wrote to memory of 4192	4396	Clown.exe	84

C:\Users\Admin\AppData\Local\Temp\Clown.exe
"C:\Users\Admin\AppData\Local\Temp\Clown.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\ProgramData\Babylon RAT\client.exe
  "C:\ProgramData\Babylon RAT\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Babylon RAT\client.exe

Filesize
276KB

MD5
48ced7e27cc4a6169ed6e81ff06b2646

SHA1
813b59f5855cdbd66480a7f1f3f5d012c006d9db

SHA256
a8b8f5c427bc4c5848046eac50d3be576df91993159db3ad041cd2ab4f72012c

SHA512
02de2303670ef4fe7fa149cc3cda3e3468e49e9074b5c065bccf70433b1382de5c102c89f66e37e6bfb07f8441d5636bf50c890b4e4a7ded283fbc3dadae9baf

Download Submit
C:\ProgramData\Babylon RAT\client.exe

Filesize
311KB

MD5
20a66024840b1a7ee556acf8340e973a

SHA1
b38b11d2a8ce0954444b8fc761bd26682d82a73b

SHA256
f698092182e877292b3cdb728fddf26b656479fa1238cdd0f051c745d04b3fac

SHA512
66d29fca6f63855b594838426620ad4b729b61cfe6126d827882f8b4af03be0e6d086aa2d780eb039e9354cff49c6f034520956bc4903d1f4fafabd86b7b0210

Download Submit
memory/4192-6-0x0000000000DF0000-0x0000000000EB9000-memory.dmp

Filesize
804KB

Download
memory/4192-8-0x0000000000DF0000-0x0000000000EB9000-memory.dmp

Filesize
804KB

Download
memory/4192-9-0x0000000000DF0000-0x0000000000EB9000-memory.dmp

Filesize
804KB

Download
memory/4192-10-0x0000000000DF0000-0x0000000000EB9000-memory.dmp

Filesize
804KB

Download
memory/4396-0-0x0000000000A90000-0x0000000000B59000-memory.dmp

Filesize
804KB

Download
memory/4396-7-0x0000000000A90000-0x0000000000B59000-memory.dmp

Filesize
804KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads