babylonrat | ca3a593c04e6f0ce2850659f33e7fc92668b460417ae856384453ccb153c59fa | Triage

Submit
Reports

Overview

overview

Static

static

3

Lag Switch V1.0.2.exe

windows7-x64

Lag Switch V1.0.2.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_63dbc7444be61de76a08c3dd4a8a40d0
Size

1.4MB
Sample

250102-kh522awnap
MD5

63dbc7444be61de76a08c3dd4a8a40d0
SHA1

beff80f4484de69edd60eca3c9cfbb8c9b33e76b
SHA256

ca3a593c04e6f0ce2850659f33e7fc92668b460417ae856384453ccb153c59fa
SHA512

0c66b1df5cf72762af070b8777b1b47721bc695f4e33955558e2a1c2333d656b473b7cc89155b1872faf4c7276750e021745640c37ddfe4132a442e27721e41d
SSDEEP

24576:wEr+zAM4KPr4YHK3+dzhxWyYsLiPXWGcEYDJFlYdnoLPmmxiYu7pRDZX11P:w3zHat3+6JPmVEYDJFlYCLP+YuFbX3

Score

10^/10

babylonrat defense_evasion discovery trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Lag Switch V1.0.2.exe

Resource

win7-20241010-en

babylonrat defense_evasion discovery trojan upx

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Lag Switch V1.0.2.exe

Resource

win10v2004-20241007-en

babylonrat defense_evasion discovery trojan upx

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  Lag Switch V1.0.2.exe
- Size
  
  1.5MB
- MD5
  
  33237e876e2861c4b94b687c89826f81
- SHA1
  
  3c016a53daa19f842bde70082840bad3fc6297c0
- SHA256
  
  593a16bb2477f65d5e49b7347cfdadd3fb78c2c33241f29706de22f88deece34
- SHA512
  
  b0ac9401820098380a8813c64317ea09cc5ea244f67a40b557f41ae0dbe445714dcb718ce1b4477c741ba0218272333e3bdc20d8a9b820b19aa5d9f8fda74787
- SSDEEP
  
  49152:h0vPLarmU580IlC06ghB5Fuunrdtujbp32xn0GdF:heLarmU5XWntcunrdtup8vF
Score

10^/10

babylonrat defense_evasion discovery trojan upx
- Babylon RAT
  Babylon RAT is remote access trojan written in C++.
  trojan babylonrat
- Babylonrat family
  babylonrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

babylonratdefense_evasiondiscoverytrojanupx

behavioral2

babylonratdefense_evasiondiscoverytrojanupx

© 2018-2025

Terms | Privacy