Overview

Score: 10

Task | Platform | Score
Static | static | 4
d9f0268cba...5f.iso | windows7-x64 | 3
d9f0268cba...5f.iso | windows10-2004-x64 | 3
out.iso | windows7-x64 | 1
out.iso | windows10-2004-x64 | 1
PANDUAN_PE...AS.lnk | windows7-x64 | 10
PANDUAN_PE...AS.lnk | windows10-2004-x64 | 10
PANDUAN_PE...AS.pdf | windows7-x64 | 3
PANDUAN_PE...AS.pdf | windows10-2004-x64 | 3
PANDUAN_PE...AS.ps1 | windows7-x64 | 10
PANDUAN_PE...AS.ps1 | windows10-2004-x64 | 10
controller.exe | windows7-x64 | 10
controller.exe | windows10-2004-x64 | 10

Analysis
max time kernel: 132s
max time network: 173s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-09-2024 10:22
Behavioral task | Sample | Resource
behavioral1 | d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f.iso | win7-20240708-en
behavioral2 | d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f.iso | win10v2004-20240802-en
behavioral3 | out.iso | win7-20240903-en
behavioral4 | out.iso | win10v2004-20240802-en
behavioral5 | PANDUAN_PENGGUNA_MyKHAS.lnk | win7-20240729-en
behavioral6 | PANDUAN_PENGGUNA_MyKHAS.lnk | win10v2004-20240802-en
behavioral7 | PANDUAN_PENGGUNA_MyKHAS.pdf | win7-20240903-en
behavioral8 | PANDUAN_PENGGUNA_MyKHAS.pdf | win10v2004-20240802-en
behavioral9 | PANDUAN_PENGGUNA_MyKHAS.ps1 | win7-20240903-en
behavioral10 | PANDUAN_PENGGUNA_MyKHAS.ps1 | win10v2004-20240802-en
behavioral11 | controller.exe | win7-20240903-en
behavioral12 | controller.exe | win10v2004-20240802-en
General

Target: PANDUAN_PENGGUNA_MyKHAS.ps1
Size: 627B
MD5: e7d2e1452702bc0de5a92e745dbdc4a9
SHA1: da8e9f9f43e29f02e5a0332239f38416f4dff844
SHA256: b348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3
SHA512: 28d2c9690f5f104e73404fa025bb09ca3c189b968716ac25f06f3e5c09ad719b17dc5319035f4172e91bb1c74797a4137f2a81f226f0d6ed25a900d1ba1b1293
Malware Config
Extracted
babylonrat
149.28.19.207
fund.sekretariatparti.org
Signatures

Babylon RAT
Babylon RAT is a remote access trojan written in C++.
Executes dropped EXE (1 IoCs)
pid | Process
2532 | controller.exe

resource | yara_rule
behavioral9/memory/2848-11-0x00000000001B0000-0x000000000027A000-memory.dmp | upx
behavioral9/memory/2848-12-0x00000000001B0000-0x000000000027A000-memory.dmp | upx
behavioral9/memory/2848-13-0x00000000001B0000-0x000000000027A000-memory.dmp | upx
behavioral9/memory/2848-14-0x00000000001B0000-0x000000000027A000-memory.dmp | upx
behavioral9/memory/2848-16-0x00000000001B0000-0x000000000027A000-memory.dmp | upx
behavioral9/memory/2532-25-0x0000000000130000-0x00000000001FA000-memory.dmp | upx
behavioral9/memory/2532-24-0x0000000000130000-0x00000000001FA000-memory.dmp | upx
behavioral9/memory/2848-44-0x00000000001B0000-0x000000000027A000-memory.dmp | upx
behavioral9/memory/2848-46-0x00000000001B0000-0x000000000027A000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\USBController = "C:\\Users\\Admin\\AppData\\Roaming\\controller.exe" | powershell.exe

pid | Process
2304 | powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | controller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | controller.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2304 | powershell.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2848 | controller.exe
2808 | AcroRd32.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2304 | powershell.exe
Token: SeShutdownPrivilege | 2848 | controller.exe
Token: SeDebugPrivilege | 2848 | controller.exe
Token: SeTcbPrivilege | 2848 | controller.exe
Token: SeShutdownPrivilege | 2532 | controller.exe
Token: SeDebugPrivilege | 2532 | controller.exe
Token: SeTcbPrivilege | 2532 | controller.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
2808 | AcroRd32.exe
2848 | controller.exe
2808 | AcroRd32.exe
2808 | AcroRd32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2304 wrote to memory of 2808 | 2304 | powershell.exe | 31
PID 2304 wrote to memory of 2808 | 2304 | powershell.exe | 31
PID 2304 wrote to memory of 2808 | 2304 | powershell.exe | 31
PID 2304 wrote to memory of 2808 | 2304 | powershell.exe | 31
PID 2304 wrote to memory of 2848 | 2304 | powershell.exe | 32
PID 2304 wrote to memory of 2848 | 2304 | powershell.exe | 32
PID 2304 wrote to memory of 2848 | 2304 | powershell.exe | 32
PID 2304 wrote to memory of 2848 | 2304 | powershell.exe | 32
PID 2304 wrote to memory of 2532 | 2304 | powershell.exe | 33
PID 2304 wrote to memory of 2532 | 2304 | powershell.exe | 33
PID 2304 wrote to memory of 2532 | 2304 | powershell.exe | 33
PID 2304 wrote to memory of 2532 | 2304 | powershell.exe | 33
Processes

- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.ps1
  - Adds Run key to start application
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2304

  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PANDUAN_PENGGUNA_MyKHAS.pdf"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID: 2808

  - C:\Users\Admin\AppData\Local\Temp\controller.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\controller.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2848

  - C:\Users\Admin\AppData\Roaming\controller.exe
    Command line: "C:\Users\Admin\AppData\Roaming\controller.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2532
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 8818f6b8b7185401f703abf052db5675
SHA1: b3d4b5a535b65c72752a64063b0951a1f8c4e115
SHA256: f7822bb4442e054de42686b91b4319d1325aa2b969c1929ec5f02f25986ccb9f
SHA512: da193dea90c87121b14c1444c23c80ba03788e662c3d5c18532bc1cde197cfd990ab3639e0a39f68b1daf2e2f7a4d1412526e00afa87211022bb45327b4b7581