Overview

overview

10

Static

static

4

d9f0268cba...5f.iso

windows7-x64

3

d9f0268cba...5f.iso

windows10-2004-x64

3

out.iso

windows7-x64

1

out.iso

windows10-2004-x64

1

PANDUAN_PE...AS.lnk

windows7-x64

10

PANDUAN_PE...AS.lnk

windows10-2004-x64

10

PANDUAN_PE...AS.pdf

windows7-x64

3

PANDUAN_PE...AS.pdf

windows10-2004-x64

3

PANDUAN_PE...AS.ps1

windows7-x64

10

PANDUAN_PE...AS.ps1

windows10-2004-x64

10

controller.exe

windows7-x64

10

controller.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f.iso

  • Size

    301.3MB

  • Sample

    240907-melv4ayhre

  • MD5

    f3e410928fecf68cec98236d1bf0598d

  • SHA1

    ca8e7f70b35fe202eba3cb7b52cc5967eca32d47

  • SHA256

    d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f

  • SHA512

    413f7fe44bab520764a54514730226492231b648542e98aeb0d2e38eb3adf4fb9c4d811e1a8965194fe02d2f724c499119891121a9c38acad4b3ded6989f9f7a

  • SSDEEP

    6291456:btfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44i:pfdapc6FEWk5rei8L43

Score
10/10
babylonratdiscoveryexecutionlinkpdfpersistencetrojanupx

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

fund.sekretariatparti.org

Targets

    • Target

      d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f.iso

    • Size

      301.3MB

    • MD5

      f3e410928fecf68cec98236d1bf0598d

    • SHA1

      ca8e7f70b35fe202eba3cb7b52cc5967eca32d47

    • SHA256

      d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f

    • SHA512

      413f7fe44bab520764a54514730226492231b648542e98aeb0d2e38eb3adf4fb9c4d811e1a8965194fe02d2f724c499119891121a9c38acad4b3ded6989f9f7a

    • SSDEEP

      6291456:btfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44i:pfdapc6FEWk5rei8L43

    Score
    3/10
    behavioral1behavioral2

    • Target

      out.iso

    • Size

      301.3MB

    • MD5

      f3e410928fecf68cec98236d1bf0598d

    • SHA1

      ca8e7f70b35fe202eba3cb7b52cc5967eca32d47

    • SHA256

      d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f

    • SHA512

      413f7fe44bab520764a54514730226492231b648542e98aeb0d2e38eb3adf4fb9c4d811e1a8965194fe02d2f724c499119891121a9c38acad4b3ded6989f9f7a

    • SSDEEP

      6291456:btfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44i:pfdapc6FEWk5rei8L43

    Score
    1/10
    behavioral3behavioral4

    • Target

      PANDUAN_PENGGUNA_MyKHAS.lnk

    • Size

      3KB

    • MD5

      843154177ad124c22d0107ea786b82f8

    • SHA1

      c0d80dfd81bd6b59ae8effad3e2e643da93becb9

    • SHA256

      b9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0

    • SHA512

      527291e9d492b0891277a9fdf13e5dcd41aed2fb993ba8c3eaa9a3adc42393548f9f3e0b39ead176087949787aa2bc407c6512684be4c3913702d6abf1a947a8

    Score
    10/10
    babylonratdiscoveryexecutionpersistencetrojanupx

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral5behavioral6

    • Target

      PANDUAN_PENGGUNA_MyKHAS.pdf

    • Size

      378KB

    • MD5

      70588b0f7d0c41eaf361dec75814dee5

    • SHA1

      ed9a1f824a751ed45ab974c7c7d918edc1854be0

    • SHA256

      ccaab434da496d577632664aa7752dea2e66870b470fec7b44957425be4a6db3

    • SHA512

      eaeeb28e2eb182b85b1d9ddbeaddd95414d087360c3258053e1560d21e396e39b81a9f6dc77f31aee0415d58f1ea6a02f79e4faf04d81726c35ac9fcf4fd5048

    • SSDEEP

      6144:DlDpxoBOXnHBq4TkrZ/IUOF3pixCbkwrbw6Bi4eFZV7NkuM4dfgBhf6OXLKzZ:vxoBOXnHfTw/U3ExXsw6BS7Ni4taSO7O

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      PANDUAN_PENGGUNA_MyKHAS.ps1

    • Size

      627B

    • MD5

      e7d2e1452702bc0de5a92e745dbdc4a9

    • SHA1

      da8e9f9f43e29f02e5a0332239f38416f4dff844

    • SHA256

      b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3

    • SHA512

      28d2c9690f5f104e73404fa025bb09ca3c189b968716ac25f06f3e5c09ad719b17dc5319035f4172e91bb1c74797a4137f2a81f226f0d6ed25a900d1ba1b1293

    Score
    10/10
    babylonratdiscoveryexecutionpersistencetrojanupx

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence
    behavioral10behavioral9

    • Target

      controller.exe

    • Size

      300.8MB

    • MD5

      a17a1666f47953d6e505182909c74170

    • SHA1

      b1054b4702ff9b112dfdf8ce40f0fdf399ba8a95

    • SHA256

      f21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982

    • SHA512

      406734af8e7feb8a0736740295a25734cf12e89fb0e8785d33199debe2ce49a6d33bf8f4a7d6bc73b9ae1f91d288a77af41e204c8e61be59c64d153b0e7642db

    • SSDEEP

      6291456:etfHLnhapc6UQ5cBe4raaM7N+2i35r6pLOfEL44iC:Qfdapc6FEWk5rei8L43C

    Score
    10/10
    babylonratdiscoverytrojanupx

    • Babylon RAT

      Babylon RAT is remote access trojan written in C++.

      trojanbabylonrat

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Tasks