babylonrat | 12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb | Triage

Sharing

General

Target

eea523161809e39ee734d8deb02f9f98_JaffaCakes118
Size

604KB
Sample

240411-3yeh5ahb58
MD5

eea523161809e39ee734d8deb02f9f98
SHA1

a563069349eb551da8121fbb1b84690cc60a1eb4
SHA256

12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb
SHA512

a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35
SSDEEP

12288:fWrrr46mYSAkuzMbGtHLkur085gLO3PzB9TxNLKvtzA9ey:CrrrSAkuoGtpoM6O/DTxtKvt6ey

Score

10^/10

babylonrat persistence trojan

Malware Config

Extracted

Family

babylonrat

C2

185.128.25.29

Targets

- Target
  
  eea523161809e39ee734d8deb02f9f98_JaffaCakes118
- Size
  
  604KB
- MD5
  
  eea523161809e39ee734d8deb02f9f98
- SHA1
  
  a563069349eb551da8121fbb1b84690cc60a1eb4
- SHA256
  
  12028366e44c4e772f26201af6920dbdf20adcec01d4f1d01b5c6058e5c190cb
- SHA512
  
  a1901ab67bb41d40f728f0329c42d948245fd6b1ae6c762b200f04f67918fcfd365d54214259a976bf3930069203d8e24dea5f1be5f7ae1ca842b9d88d98ff35
- SSDEEP
  
  12288:fWrrr46mYSAkuzMbGtHLkur085gLO3PzB9TxNLKvtzA9ey:CrrrSAkuoGtpoM6O/DTxtKvt6ey
Score

10^/10

babylonrat persistence trojan
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Modifies WinLogon for persistence
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

babylonratpersistencetrojan

behavioral2

babylonratpersistencetrojan