General

  • Target

    0d8cae7fa55a7e095e11fbb9aa4350f7_JaffaCakes118

  • Size

    791KB

  • Sample

    241003-c83qlavbjg

  • MD5

    0d8cae7fa55a7e095e11fbb9aa4350f7

  • SHA1

    f0f9bd8f9110fbb06a51f4a987b1444bb96bb6a9

  • SHA256

    2bdcbd54ec387b521cdd9e14777d7d24794ba6bb71c85a0402eb2bd8ba8696f0

  • SHA512

    1d3da3b90042c7fb1ea2d09741a3f7b69835f5f8a885ddd3ad3d2819f80ed82397d8002d273f26685712183b3c08fb875a7d39a1d60c0e6bb0c89ce2f3033ce4

  • SSDEEP

    12288:w0YDrHInYYiaqIH7jc4vfBZj2of9zqHh882KqXRRxFgMzxks+gvJFbWVzK7ISFj:wfjWYcbEc5R2oFWB88F2sKtJwVzK7I

Malware Config

Extracted

Family

babylonrat

C2

kingspy.mywire.org

Targets

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks