babylonrat | 4f7309e61135f65171ee3377d9503a4139b3315d2e68424dced864051cafba2e

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-28_c7e3af8640a875bfca96e6f8059e7246_ryuk.exe
Size

1.7MB
MD5

c7e3af8640a875bfca96e6f8059e7246
SHA1

c770b5bfea1014a7d05f3dd204009598859b5c6d
SHA256

4f7309e61135f65171ee3377d9503a4139b3315d2e68424dced864051cafba2e
SHA512

1073dab4115aa786f7fa0dc94b8936a726eeb99d6f3231fe4de2d3be80868fac0ade0c39c3bd3eeeccb3bd4bae0ecd9acd0967bfa4de8d606b9900c725b985c7
SSDEEP

24576:g6+UJfQ3VSYnQJRXvKxZF5hI+ro3xXPyjlbsqJBaS28b:PBQ3VSYCRXvKxZ5X03xXPcF9Ftb

Score

10^/10

babylonrat discovery trojan upx

Malware Config

Extracted

Family

babylonrat

91.227.18.174

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3184	TMP97CB.tmp
4160	TMP97CB.tmp

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3184 set thread context of 5008	3184	TMP97CB.tmp	84
PID 4160 set thread context of 3464	4160	TMP97CB.tmp	85

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5008-60-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-65-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-68-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-75-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-73-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-72-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-66-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-81-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-82-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-86-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-93-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral2/memory/5008-98-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5008	dxdiag.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5008	dxdiag.exe
Token: SeDebugPrivilege	5008	dxdiag.exe
Token: SeTcbPrivilege	5008	dxdiag.exe
Token: SeShutdownPrivilege	3464	dxdiag.exe
Token: SeDebugPrivilege	3464	dxdiag.exe
Token: SeTcbPrivilege	3464	dxdiag.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5008	dxdiag.exe
5008	dxdiag.exe
5008	dxdiag.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 3184 wrote to memory of 5008	3184	TMP97CB.tmp	84
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85
PID 4160 wrote to memory of 3464	4160	TMP97CB.tmp	85

C:\Users\Admin\AppData\Local\Temp\2024-12-28_c7e3af8640a875bfca96e6f8059e7246_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_c7e3af8640a875bfca96e6f8059e7246_ryuk.exe"
1⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\TMP97CB.tmp
C:\Users\Admin\AppData\Local\Temp\TMP97CB.tmp
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\SysWOW64\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5008

C:\Users\Admin\AppData\Local\Temp\TMP97CB.tmp
C:\Users\Admin\AppData\Local\Temp\TMP97CB.tmp
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\SysWOW64\dxdiag.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
77b20b5cd41bc6bb475cca3f91ae6e3c

SHA1
9e98ace72bd2ab931341427a856ef4cea6faf806

SHA256
5511a9b9f9144ed7bde4ccb074733b7c564d918d2a8b10d391afc6be5b3b1509

SHA512
3537da5e7f3aba3dafe6a86e9511aba20b7a3d34f30aea6cc11feef7768bd63c0c85679c49e99c3291bd1b552ded2c6973b6c2f7f6d731bcfacecab218e72fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
5b5467ef0bead4f6218c132ed1743998

SHA1
39b9b686b463f4a8e7b7bd5e5f4d26b63a6aaeec

SHA256
8756d31e688372981ed91a1a8aa9fa705fc21ce14111b1570e087f2bbe3375dc

SHA512
5bd7351edcffd56aedddaeab6975a94d91a301a525454200567d25979837e5d8dab5daa10125ed33072920e452bcf3922c46025ea2cc4a270671d1c49e828326

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
471B

MD5
49a872152a68fc44f59f4adfc7344e8e

SHA1
856af30f3318a4812139f56206acf8b946e27cdb

SHA256
0387191470bad6e22a3c76f864362151bab671de9d376399a355abbeb5a15516

SHA512
a6d512db125746bccc444786d42e2ca53961e2c2c2f74b2d3de98e029a6fdecc0a634a5985dd082c61faefe7b9f6e96b91714a86b15fa313580ac113e84dbd05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_E7AFBAB1045CF53D322BC26D3E9BEB05

Filesize
471B

MD5
4187d69e26f4a528cf4a30658aa5477e

SHA1
bc3658865ca7cd33fc7450f9461585f8b8be9eff

SHA256
83680844b44c6fe884c525f8912eb8dde4dacc63ec1b40870f94c066b027c114

SHA512
d86d733abd46510fde82a4f4d8c13a191cb64c0702a4b1240911829ad8089e07a9dcdb2b01d0dc8ba6009e8a7dca40237e22e7fd2aa7027be6b3ddd60e95a477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
fe66fc8cfcf0da3c285ce56b35c127ab

SHA1
677305bfa0cc19d11dc9ca5b18c98a68998671f6

SHA256
3a53262376a4a92a8eebb6706b5cd04e9caa7331cfca534ecc93b857152ad337

SHA512
ec1ac56f6e4016cf2231d3ff64fce6b00bbac9b86770d4e2c0fa136bea51c6648884f2e7ad8b0bdd4ca0e728f5491cb37f3fadc9690e227934f7b2ab3952a09f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
d66614061b481dac0cbb711635b478e4

SHA1
da324465831ce6bacd829c6d1deedee84c1a414c

SHA256
4b8dc05111d5d7425078297ea4761a39b8ea143121e10e0388e7882fd4ce93ca

SHA512
18bf7e87f1168684e38b2933371249e2baef2d1f450b972e41680895c72ba94a24e80be778facd3064c20da40923aceb7e71bdbd72883e7a91f767cb5762df30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038

Filesize
400B

MD5
37a7cdce56bbf7bae8e09de8947bbde2

SHA1
4487741e66ad860c743a5eceef01896fa323f0be

SHA256
27999da75964bf0910c4541e2df92e47abb8cdcc450c74d475bc0fdb1d31cffb

SHA512
c5892892429baed276eb3c7e2a8569935801797e556f57c223bf871972551e153716f27971ed96727f5e8173c822d302b9eb1ce44037f1cf9fd9c56b8282ce11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_E7AFBAB1045CF53D322BC26D3E9BEB05

Filesize
396B

MD5
87199669f22896e8cd21ed39a3c83993

SHA1
85effd49126435ba3db25dab23a517f76dc1b355

SHA256
95825c7ab0a3f923ef2a713eefaae48654dda2d4a352bf9f4cba39a817f091a3

SHA512
62e990ecbd57f31be38365c8f20cf9477c66ff08e510b52cb4837c79b2ebf38984e11c3feecb9aa1bf2cf9f6fc9cae796aa7ef24def6a5e4ca727516d0ae752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMP97CB.tmp

Filesize
7KB

MD5
5ce96dbc20998bfd92a0da9b75d5ab77

SHA1
60ba534435941d1afd8522ede977a8a5b446f377

SHA256
ccf00a4f8efbc01112ca595fb85c6b4104b614b79b9a948eb20f1effe911f4b8

SHA512
f0cb11cc1acf86671fcd4c97328b27417dd68939c87b4cd4ac349fdfb9b7826ec71562a7e8f6bb8e6bc9e7e8d8afc70c543b25699258b90d83616c553fd16d82

Download Submit
memory/3184-37-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-38-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-39-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-36-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-40-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-44-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-43-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-45-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-41-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-42-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-49-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-47-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-48-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-46-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-69-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/3184-61-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-51-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-53-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-56-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-58-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-71-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-57-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-55-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-52-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-63-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-59-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-67-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-79-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-80-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-70-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/4160-64-0x0000000140000000-0x0000000140EB9000-memory.dmp

Filesize
14.7MB

Download
memory/5008-66-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-72-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-73-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-75-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-68-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-65-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-60-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-81-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-82-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-84-0x0000000073EC0000-0x0000000073EF9000-memory.dmp

Filesize
228KB

Download
memory/5008-86-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-93-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-98-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/5008-112-0x0000000073EC0000-0x0000000073EF9000-memory.dmp

Filesize
228KB

Download