Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 01:28
Static task
static1
Behavioral task
behavioral1
Sample
ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe
Resource
win10v2004-20241007-en
General
-
Target
ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe
-
Size
2.3MB
-
MD5
268ee5fb777b47236bfdef31c8e33241
-
SHA1
4ff784fc21c2f314c43cd562e6beb00a381a4aca
-
SHA256
ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45
-
SHA512
599d5eb1a30b7a19c15495b1ba353946332dd1666604e697669f52905e2e4c83c1a9b2bb6bb98a7f665fbfbff21a8879a2f9ef792c85a588737bee6554fbde3a
-
SSDEEP
24576:x1r43sfARB7U4kieI1SqjEDKcSrJIvJiu/AxWts:Pr43o67TrXIqjbcS6vJT6Wts
Malware Config
Extracted
babylonrat
doddyfire.dyndns.org
doddyfire.linkpc.net
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Babylonrat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe -
Executes dropped EXE 1 IoCs
pid Process 4476 ComputerBalance.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProcessorDistrict = "C:\\Users\\Admin\\AppData\\Roaming\\ProcessorDistrict\\ComputerBalance.exe" ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4476 set thread context of 1960 4476 ComputerBalance.exe 102 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ComputerBalance.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 1960 vbc.exe Token: SeDebugPrivilege 1960 vbc.exe Token: SeTcbPrivilege 1960 vbc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1960 vbc.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1896 wrote to memory of 4476 1896 ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe 101 PID 1896 wrote to memory of 4476 1896 ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe 101 PID 1896 wrote to memory of 4476 1896 ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe 101 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102 PID 4476 wrote to memory of 1960 4476 ComputerBalance.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe"C:\Users\Admin\AppData\Local\Temp\ab55d958bbe9c65cd360a724fb0b19b642cb089387defdd8e748e15a4f377f45.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"C:\Users\Admin\AppData\Roaming\ProcessorDistrict\ComputerBalance.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1960
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD504946fe1bea5cdb8cc04cc9e4edafb26
SHA1ca3d3391c20a5b52b479b25e90c70325aedab5b1
SHA2563ae72ed3c9f55ddd0c748bd4b9f8c2985e6281998b38cf2d4e5df82f254ab7d9
SHA51277df05c95cd3cd025e3ae634d9e0a355612230134d444859b5e846c625fd0c5a442f36e53eb0a8798351851c4e5d6d353e498dd63a0e8729a03d27fcbcc99d6e