General
-
Target
f6f367b46590f7ac422b745c1014218b6869885c40ca99a6ba6ad58a63a71379
-
Size
2.3MB
-
Sample
241024-c4ywvashpq
-
MD5
7b6594e7173e4ceb5289beb37766540f
-
SHA1
136bc9aec75fe1b3b21822d390e4c465d37a1948
-
SHA256
f6f367b46590f7ac422b745c1014218b6869885c40ca99a6ba6ad58a63a71379
-
SHA512
7bd06f49b6eeffde5afb941ea14d6e8b5da68503cd8614415ee7ac0f8fc54fc61c20584027ed73db1ba285edda6da1e6b0d3b7aa352435996dd3b78ceca99210
-
SSDEEP
24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWtV:Pr43o67TrXIqjbcS6vJT6WtV
Malware Config
Extracted
babylonrat
doddyfire.dyndns.org
doddyfire.linkpc.net
Targets
-
-
Target
f6f367b46590f7ac422b745c1014218b6869885c40ca99a6ba6ad58a63a71379
-
Size
2.3MB
-
MD5
7b6594e7173e4ceb5289beb37766540f
-
SHA1
136bc9aec75fe1b3b21822d390e4c465d37a1948
-
SHA256
f6f367b46590f7ac422b745c1014218b6869885c40ca99a6ba6ad58a63a71379
-
SHA512
7bd06f49b6eeffde5afb941ea14d6e8b5da68503cd8614415ee7ac0f8fc54fc61c20584027ed73db1ba285edda6da1e6b0d3b7aa352435996dd3b78ceca99210
-
SSDEEP
24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWtV:Pr43o67TrXIqjbcS6vJT6WtV
Score10/10-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1