Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 23:27
Static task: static1
Behavioral task: behavioral1
  Sample: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
  Resource: win10v2004-20241007-en
General
Target: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
Size: 2.3MB
MD5: a7997c11504545455fe1961f22f0dc9b
SHA1: 81319019760243ea119966bdde1a9afae01009cc
SHA256: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243
SHA512: be089fff0dc8300356f57d8504c849b333974501b2bb00786030ecdb1a548a9d31e77d687feaa223ee23c2ddd0b1be6f4136c6934c622db69c5a278f9b8137d1
SSDEEP: 24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWtV:Pr43o67TrXIqjbcS6vJT6WtV
Malware Config
Extracted: babylonrat
  doddyfire.dyndns.org
  doddyfire.linkpc.net
Signatures
Babylon RAT
Babylon RAT is a remote access trojan written in C++.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
  Process: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
Executes dropped EXE (1 IoC)
  pid: 2704
  Process: ComputerBalance.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProcessorDistrict = "C:\\Users\\Admin\\AppData\\Roaming\\ProcessorDistrict\\ComputerBalance.exe"
  Process: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 2704 set thread context of 3676
  pid: 2704
  Process: ComputerBalance.exe
  procid_target: 108
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: ComputerBalance.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: vbc.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeShutdownPrivilege
  pid: 3676
  Process: vbc.exe
  description: Token: SeDebugPrivilege
  pid: 3676
  Process: vbc.exe
  description: Token: SeTcbPrivilege
  pid: 3676
  Process: vbc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 3676
  Process: vbc.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  description: PID 1364 wrote to memory of 2704
  pid: 1364
  Process: 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
  procid_target: 99
  (the same entry is recorded 3 times)
  description: PID 2704 wrote to memory of 3676
  pid: 2704
  Process: ComputerBalance.exe
  procid_target: 108
  (the same entry is recorded 10 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1364
   2. C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2704
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         PID: 3676
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.3MB
MD5: d72da4af9eea8bdff717e38a6825a42f
SHA1: 25fde69442ee5f9cbd7db896db2d16facc026bf2
SHA256: 9983b84d411f457e19f2b947eaadb4bbde5d8efdac949482348e1bf764e3451c
SHA512: 435172f1c12d4e367c31ef008b80dbdb8119dcea8bffa726e6ba850b8e8638bfc2ee29697df9724e5838d2eaa1e6a5ebd2723ebd6695e8c8e6443bdc33270c18