Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
13-11-2024 01:28
General
-
Target
ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe
-
Size
2.3MB
-
MD5
268ee5fb777b47236bfdef31c8e33241
-
SHA1
4ff784fc21c2f314c43cd562e6beb00a381a4aca
-
SHA256
ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45
-
SHA512
599d5eb1a30b7a19c15495b1ba353946332dd1666604e697669f52905e2e4c83c1a9b2bb6bb98a7f665fbfbff21a8879a2f9ef792c85a588737bee6554fbde3a
-
SSDEEP
24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWts:Pr43o67TrXIqjbcS6vJT6Wts
Malware Config
Extracted
babylonrat
doddyfire.dyndns.org
doddyfire.linkpc.net
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Babylonrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe"C:\Users\Admin\AppData\Local\Temp\ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD504946fe1bea5cdb8cc04cc9e4edafb26
SHA1ca3d3391c20a5b52b479b25e90c70325aedab5b1
SHA2563ae72ed3c9f55ddd0c748bd4b9f8c2985e6281998b38cf2d4e5df82f254ab7d9
SHA51277df05c95cd3cd025e3ae634d9e0a355612230134d444859b5e846c625fd0c5a442f36e53eb0a8798351851c4e5d6d353e498dd63a0e8729a03d27fcbcc99d6e
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB