babylonrat | 98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243

General

Target

98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
Size

2.3MB
MD5

a7997c11504545455fe1961f22f0dc9b
SHA1

81319019760243ea119966bdde1a9afae01009cc
SHA256

98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243
SHA512

be089fff0dc8300356f57d8504c849b333974501b2bb00786030ecdb1a548a9d31e77d687feaa223ee23c2ddd0b1be6f4136c6934c622db69c5a278f9b8137d1
SSDEEP

24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWtV:Pr43o67TrXIqjbcS6vJT6WtV

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Extracted

Family

babylonrat

C2

doddyfire.dyndns.org

doddyfire.linkpc.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe

Executes dropped EXE 1 IoCs

Processes:

ComputerBalance.exe

pid process

2704 ComputerBalance.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

pid	process
2704	ComputerBalance.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProcessorDistrict = "C:\\Users\\Admin\\AppData\\Roaming\\ProcessorDistrict\\ComputerBalance.exe"	98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ComputerBalance.exe

description pid process target process

PID 2704 set thread context of 3676 2704 ComputerBalance.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2704 set thread context of 3676	2704	ComputerBalance.exe	vbc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exeComputerBalance.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerBalance.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exe

description pid process

Token: SeShutdownPrivilege 3676 vbc.exe
Token: SeDebugPrivilege 3676 vbc.exe
Token: SeTcbPrivilege 3676 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

3676 vbc.exe

description	pid	process
Token: SeShutdownPrivilege	3676	vbc.exe
Token: SeDebugPrivilege	3676	vbc.exe
Token: SeTcbPrivilege	3676	vbc.exe

pid	process
3676	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exeComputerBalance.exe

description	pid	process	target process
PID 1364 wrote to memory of 2704	1364	98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe	ComputerBalance.exe
PID 1364 wrote to memory of 2704	1364	98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe	ComputerBalance.exe
PID 1364 wrote to memory of 2704	1364	98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe	ComputerBalance.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe
PID 2704 wrote to memory of 3676	2704	ComputerBalance.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe
"C:\Users\Admin\AppData\Local\Temp\98cc23413643687bdbde05711e7a15b557db096668d34d662d1b9c4f2fea4243.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe
  "C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe

Filesize
2.3MB

MD5
d72da4af9eea8bdff717e38a6825a42f

SHA1
25fde69442ee5f9cbd7db896db2d16facc026bf2

SHA256
9983b84d411f457e19f2b947eaadb4bbde5d8efdac949482348e1bf764e3451c

SHA512
435172f1c12d4e367c31ef008b80dbdb8119dcea8bffa726e6ba850b8e8638bfc2ee29697df9724e5838d2eaa1e6a5ebd2723ebd6695e8c8e6443bdc33270c18

Download Submit
memory/1364-20-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1364-1-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1364-2-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1364-3-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/1364-4-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1364-5-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/1364-0-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/2704-19-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2704-21-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2704-22-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2704-23-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2704-24-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2704-29-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3676-28-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-26-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-30-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-25-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-31-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-32-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-34-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-36-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3676-37-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads