Overview

overview

10

Static

static

3

d4efd4c8c0...69.exe

windows7-x64

10

d4efd4c8c0...69.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d4efd4c8c02bf1c7130efdcf474f1b69

  • Size

    899KB

  • Sample

    240319-cfjf9aec76

  • MD5

    d4efd4c8c02bf1c7130efdcf474f1b69

  • SHA1

    3f17c11369338e6767fe0dade8a0f9dbc7ddac27

  • SHA256

    c7e1a1b08de4b6e01a17e4c4d5795964dae98aadba3fdd3ff5da33fc5adae7f6

  • SHA512

    9e8da8bd66fb3771523c98eb58ed343f3c360e67cb3978a332c176c5e8e4717a6a0ecb391118812b8d76be92637c88d3ffc10c82769cf96a1d1d5b3abf4f8e78

  • SSDEEP

    24576:dLJEU63Vi1wZDIzR2D4M0Q2VVFByf9djCf:xJJGZDn46abB4dO

Score
10/10
babylonratdiscoveryexecutionpersistencetrojanupx

Malware Config

Extracted

Family

babylonrat

C2

andronmatskiv20.sytes.net

Targets

    • Target

      d4efd4c8c02bf1c7130efdcf474f1b69

    • Size

      899KB

    • MD5

      d4efd4c8c02bf1c7130efdcf474f1b69

    • SHA1

      3f17c11369338e6767fe0dade8a0f9dbc7ddac27

    • SHA256

      c7e1a1b08de4b6e01a17e4c4d5795964dae98aadba3fdd3ff5da33fc5adae7f6

    • SHA512

      9e8da8bd66fb3771523c98eb58ed343f3c360e67cb3978a332c176c5e8e4717a6a0ecb391118812b8d76be92637c88d3ffc10c82769cf96a1d1d5b3abf4f8e78

    • SSDEEP

      24576:dLJEU63Vi1wZDIzR2D4M0Q2VVFByf9djCf:xJJGZDn46abB4dO

    Score
    10/10
    discoveryexecutionpersistencebabylonrattrojanupx

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Babylonrat family

      babylonrat

    • Modifies WinLogon for persistence

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks