babylonrat | db34097591cecd997e42d7735a128516f9cf94e70f970d7c091ddfa1946b8edc

General

Target

baby.exe
Size

733KB
MD5

b9b119f4d43068bb9ef2af278a98ca61
SHA1

8e9a9f8d8624da0d9881ac6b61e8d7df056c898f
SHA256

db34097591cecd997e42d7735a128516f9cf94e70f970d7c091ddfa1946b8edc
SHA512

7f804e731b26c7671de2bdde0241f5bc2c2b33bbe4d4822bce2dadc06793d926318fdc12ba04e17effb3a6d510799729a504fe8d47feff83800bb4ad2dc24344
SSDEEP

12288:8qzcpVgUXzL0TTUKZHTNloEkOpnKgofuIwV6eAj0wZxxXMcEe/3paPcg9X:8qzcpKIL0TvZzNlNky0wVW0wZxxVg9X

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Executes dropped EXE 2 IoCs

Processes:

COM Surrogate.exeCOM Surrogate.exe

pid process

4964 COM Surrogate.exe
516 COM Surrogate.exe

pid	process
4964	COM Surrogate.exe
516	COM Surrogate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

baby.exeCOM Surrogate.exeCOM Surrogate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\COM Surrogate = "C:\\ProgramData\\COM Surrogate\\COM Surrogate.exe"	baby.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\COM Surrogate = "C:\\ProgramData\\COM Surrogate\\COM Surrogate.exe"	COM Surrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\COM Surrogate = "C:\\ProgramData\\COM Surrogate\\COM Surrogate.exe"	COM Surrogate.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

COM Surrogate.exeCOM Surrogate.exebaby.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM Surrogate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	baby.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

COM Surrogate.exe

pid process

4964 COM Surrogate.exe

pid	process
4964	COM Surrogate.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

baby.exeCOM Surrogate.exeCOM Surrogate.exe

description	pid	process
Token: SeShutdownPrivilege	1636	baby.exe
Token: SeDebugPrivilege	1636	baby.exe
Token: SeTcbPrivilege	1636	baby.exe
Token: SeShutdownPrivilege	4964	COM Surrogate.exe
Token: SeDebugPrivilege	4964	COM Surrogate.exe
Token: SeTcbPrivilege	4964	COM Surrogate.exe
Token: SeShutdownPrivilege	516	COM Surrogate.exe
Token: SeDebugPrivilege	516	COM Surrogate.exe
Token: SeTcbPrivilege	516	COM Surrogate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

COM Surrogate.exe

pid process

4964 COM Surrogate.exe

pid	process
4964	COM Surrogate.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

baby.exeCOM Surrogate.exe

description	pid	process	target process
PID 1636 wrote to memory of 4964	1636	baby.exe	COM Surrogate.exe
PID 1636 wrote to memory of 4964	1636	baby.exe	COM Surrogate.exe
PID 1636 wrote to memory of 4964	1636	baby.exe	COM Surrogate.exe
PID 4964 wrote to memory of 516	4964	COM Surrogate.exe	COM Surrogate.exe
PID 4964 wrote to memory of 516	4964	COM Surrogate.exe	COM Surrogate.exe
PID 4964 wrote to memory of 516	4964	COM Surrogate.exe	COM Surrogate.exe

C:\Users\Admin\AppData\Local\Temp\baby.exe
"C:\Users\Admin\AppData\Local\Temp\baby.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\ProgramData\COM Surrogate\COM Surrogate.exe
  "C:\ProgramData\COM Surrogate\COM Surrogate.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\ProgramData\COM Surrogate\COM Surrogate.exe
    "C:\ProgramData\COM Surrogate\COM Surrogate.exe" 4964
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\COM Surrogate\COM Surrogate.exe

Filesize
733KB

MD5
b9b119f4d43068bb9ef2af278a98ca61

SHA1
8e9a9f8d8624da0d9881ac6b61e8d7df056c898f

SHA256
db34097591cecd997e42d7735a128516f9cf94e70f970d7c091ddfa1946b8edc

SHA512
7f804e731b26c7671de2bdde0241f5bc2c2b33bbe4d4822bce2dadc06793d926318fdc12ba04e17effb3a6d510799729a504fe8d47feff83800bb4ad2dc24344

Download Submit
memory/4964-6-0x0000000073B60000-0x0000000073B9A000-memory.dmp

Filesize
232KB

Download
memory/4964-7-0x0000000073B60000-0x0000000073B9A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads