babylonrat | 140101499e08b28f0a33c26da45086e72a35a23576dfbbb5d63f445755893903

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe
Size

300.8MB
MD5

a17a1666f47953d6e505182909c74170
SHA1

b1054b4702ff9b112dfdf8ce40f0fdf399ba8a95
SHA256

f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982
SHA512

406734af8e7feb8a0736740295a25734cf12e89fb0e8785d33199debe2ce49a6d33bf8f4a7d6bc73b9ae1f91d288a77af41e204c8e61be59c64d153b0e7642db
SSDEEP

6291456:etfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44iC:Qfdapc6FEWk5rei8L43C

Score

10^/10

babylonrat discovery trojan upx

Malware Config

Extracted

Family

babylonrat

149.28.19.207

fund.sekretariatparti.org

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1660-0-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-1-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-2-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-3-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-4-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-6-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-7-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-8-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-32-0x00000000013B0000-0x000000000147A000-memory.dmp	upx
behavioral2/memory/1660-34-0x00000000013B0000-0x000000000147A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1660	f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1660	f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe
Token: SeDebugPrivilege	1660	f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe
Token: SeTcbPrivilege	1660	f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1660	f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe

C:\Users\Admin\AppData\Local\Temp\f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe
"C:\Users\Admin\AppData\Local\Temp\f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ConfigsEx\2024 08 28 - 06 24 AM

Filesize
88B

MD5
08a79528c1142370117b95f067b20f8c

SHA1
df108d0960c55dbcd15f2bfd6dd37a25d305724b

SHA256
375dc6043243f5aea43ac4a667fbdc88ae5ee54c33af97c6f77de6b0055d5373

SHA512
4cdfd7042d4770c4e4d37ba2c1850258467384b3b80aee4350643b7763ab89c3895df05be18b5504e03ccd7c73749eebecb2f5e67552c2f011ac8f1cf4e972aa

Download Submit
memory/1660-0-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-1-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-2-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-3-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-4-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-6-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-7-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-8-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-32-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download
memory/1660-34-0x00000000013B0000-0x000000000147A000-memory.dmp

Filesize
808KB

Download