babylonrat | b7170d09345e05d8147692c74b3b8790a943b5d062d4a6cea85b3fdbb8245624 | Triage

Submit
Reports

Overview

overview

Static

static

3

6ef46b3ee7...18.exe

windows7-x64

6ef46b3ee7...18.exe

windows10-2004-x64

7

Sharing

General

Target

6ef46b3ee72c052c845d51607af3f171_JaffaCakes118
Size

835KB
Sample

240524-sppmmaaf56
MD5

6ef46b3ee72c052c845d51607af3f171
SHA1

68734412ae23efc6143e422d440f0342cbbff870
SHA256

b7170d09345e05d8147692c74b3b8790a943b5d062d4a6cea85b3fdbb8245624
SHA512

adead4473234c090069c1f474602f9677e6c1fa201a6a963826fcaaa1745cdce134ac7392a63f3b1a60ba1a30de07bb16346ec65f8516600a6bced682ac73e24
SSDEEP

12288:P/CNO27MmI+xURXPeXEquGIwlXoD5H5Lo5hNpa:P/ccnlRf3El6B5L

Score

10^/10

babylonrat agilenet persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe

Resource

win7-20240508-en

babylonrat agilenet persistence trojan upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

6ef46b3ee72c052c845d51607af3f171_JaffaCakes118.exe

Resource

win10v2004-20240508-en

agilenet persistence upx

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  6ef46b3ee72c052c845d51607af3f171_JaffaCakes118
- Size
  
  835KB
- MD5
  
  6ef46b3ee72c052c845d51607af3f171
- SHA1
  
  68734412ae23efc6143e422d440f0342cbbff870
- SHA256
  
  b7170d09345e05d8147692c74b3b8790a943b5d062d4a6cea85b3fdbb8245624
- SHA512
  
  adead4473234c090069c1f474602f9677e6c1fa201a6a963826fcaaa1745cdce134ac7392a63f3b1a60ba1a30de07bb16346ec65f8516600a6bced682ac73e24
- SSDEEP
  
  12288:P/CNO27MmI+xURXPeXEquGIwlXoD5H5Lo5hNpa:P/ccnlRf3El6B5L
Score

10^/10

babylonrat agilenet persistence trojan upx
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

babylonratagilenetpersistencetrojanupx

behavioral2

agilenetpersistenceupx

© 2018-2024

Terms | Privacy