Analysis
-
max time kernel
281s -
max time network
300s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
28-08-2024 14:47
General
-
Target
d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f/PANDUAN_PENGGUNA_MyKHAS.ps1
-
Size
627B
-
MD5
e7d2e1452702bc0de5a92e745dbdc4a9
-
SHA1
da8e9f9f43e29f02e5a0332239f38416f4dff844
-
SHA256
b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3
-
SHA512
28d2c9690f5f104e73404fa025bb09ca3c189b968716ac25f06f3e5c09ad719b17dc5319035f4172e91bb1c74797a4137f2a81f226f0d6ed25a900d1ba1b1293
Malware Config
Extracted
babylonrat
149.28.19.207
fund.sekretariatparti.org
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\PANDUAN_PENGGUNA_MyKHAS.ps11⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\PANDUAN_PENGGUNA_MyKHAS.pdf"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\controller.exe"C:\Users\Admin\AppData\Local\Temp\d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f\controller.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\controller.exe"C:\Users\Admin\AppData\Roaming\controller.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD547a53d36c2693f0bada46b10a536e07c
SHA1d0ca0a5beae6bf78b16e41a897dec23f522ccddd
SHA256b4ac3ef05bcf66a4dac3cc0a6b80054a94f49a69bc0866fe3e61a75989021ae6
SHA512543db014cc76b3a78de1985e132c566d1cc13f0ccfcd44a6624a1638039d3992cd8a33d869cd5cf6a8c2d692da28b832820ebe51e0042132a45f9f022322f187
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
808KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB