babylonrat | ca3a593c04e6f0ce2850659f33e7fc92668b460417ae856384453ccb153c59fa

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lag Switch V1.0.2.exe
Size

1.5MB
MD5

33237e876e2861c4b94b687c89826f81
SHA1

3c016a53daa19f842bde70082840bad3fc6297c0
SHA256

593a16bb2477f65d5e49b7347cfdadd3fb78c2c33241f29706de22f88deece34
SHA512

b0ac9401820098380a8813c64317ea09cc5ea244f67a40b557f41ae0dbe445714dcb718ce1b4477c741ba0218272333e3bdc20d8a9b820b19aa5d9f8fda74787
SSDEEP

49152:h0vPLarmU580IlC06ghB5Fuunrdtujbp32xn0GdF:heLarmU5XWntcunrdtup8vF

Score

10^/10

babylonrat defense_evasion discovery trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Executes dropped EXE 3 IoCs

pid	Process
2308	Kraken.exe
2620	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe

Loads dropped DLL 10 IoCs

pid	Process
2044	Lag Switch V1.0.2.exe
2044	Lag Switch V1.0.2.exe
2308	Kraken.exe
2308	Kraken.exe
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
7	pastebin.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1976-30-0x0000000000400000-0x00000000004FE000-memory.dmp	autoit_exe
behavioral1/memory/2620-29-0x0000000000400000-0x00000000004FE000-memory.dmp	autoit_exe
behavioral1/memory/1976-56-0x0000000000400000-0x00000000004FE000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 set thread context of 2940	1976	CollatSwitchV1.6.exe	34

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016cab-13.dat	upx
behavioral1/memory/2620-15-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/2620-19-0x0000000000230000-0x000000000032E000-memory.dmp	upx
behavioral1/memory/1976-30-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/2620-29-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/2792-35-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-63-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-62-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-61-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-58-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/1976-56-0x0000000000400000-0x00000000004FE000-memory.dmp	upx
behavioral1/memory/2792-44-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-43-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-42-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-41-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-40-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-37-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-64-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-66-0x0000000000400000-0x00000000004C9000-memory.dmp	upx
behavioral1/memory/2792-80-0x0000000000400000-0x00000000004C9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lag Switch V1.0.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kraken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CollatSwitchV1.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CollatSwitchV1.6.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1976	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe
2940	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2792	vbc.exe
Token: SeDebugPrivilege	2792	vbc.exe
Token: SeTcbPrivilege	2792	vbc.exe
Token: SeDebugPrivilege	2308	Kraken.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
2620	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe
1976	CollatSwitchV1.6.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	vbc.exe
2792	vbc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2308	2044	Lag Switch V1.0.2.exe	30
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2044 wrote to memory of 2620	2044	Lag Switch V1.0.2.exe	31
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 2620 wrote to memory of 1976	2620	CollatSwitchV1.6.exe	32
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2792	1976	CollatSwitchV1.6.exe	33
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 1976 wrote to memory of 2940	1976	CollatSwitchV1.6.exe	34
PID 2940 wrote to memory of 2716	2940	vbc.exe	36
PID 2940 wrote to memory of 2716	2940	vbc.exe	36
PID 2940 wrote to memory of 2716	2940	vbc.exe	36
PID 2940 wrote to memory of 2716	2940	vbc.exe	36
PID 2940 wrote to memory of 2716	2940	vbc.exe	36
PID 2940 wrote to memory of 2716	2940	vbc.exe	36
PID 2940 wrote to memory of 2716	2940	vbc.exe	36

C:\Users\Admin\AppData\Local\Temp\Lag Switch V1.0.2.exe
"C:\Users\Admin\AppData\Local\Temp\Lag Switch V1.0.2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\Kraken.exe
  "C:\Users\Admin\AppData\Local\Temp\Kraken.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\CollatSwitchV1.6.exe
  "C:\Users\Admin\AppData\Local\Temp\CollatSwitchV1.6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\CollatSwitchV1.6.exe
    "C:\Users\Admin\AppData\Local\Temp\CollatSwitchV1.6.exe" /AutoIt3ExecuteScript C:\Users\Admin\AppData\Local\Temp\TbxWYpDed
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2792
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c del /q /f %temp%\*.lnk
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CollatSwitchV1.6.exe

Filesize
1.1MB

MD5
7f95f522b87f7d53c1f73b97dae10870

SHA1
e37eac90d6e511488ed54c9300188382e73856fd

SHA256
3a7ae92b1451082ca6c4b940e11e21a4c2f3ca4bae3f70799ac7cb1623ac5a29

SHA512
13d39ed01db898ccfcc3eb6f7256a58ac8d39bc8715f4c42679a68388f860caeb09c9587f1b09b4a8dd3af9834e6593c43b64d3cab612ee7c2b15c2aab65b9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TbxWYpDed

Filesize
742KB

MD5
c6736908bb09491b1b7932b91a2f503f

SHA1
dc23e01b6394039b7105dc56a1b810a943dedc73

SHA256
0805344027ab405ebb1dcaea043cb113b12b7dabac6a797940016a2d37c30242

SHA512
437f986ca8febe3fa8de57d800b2f131251cf1d3a0c1fa751d22060b3470f9b27bc94e5364a179e2542a2910dd35ac50a504090c3379341e909a08bbc2f35875

Download Submit
\Users\Admin\AppData\Local\Temp\Kraken.exe

Filesize
594KB

MD5
ad117db0e8c4c47df26240a8f8ce17ba

SHA1
67cf6cd5ed9f852d53bd5253b3cb014ce6f85af4

SHA256
9be3cd2faf92e959d31e6d642d95a91b4730bb82cc69ad1e851ae97eb2ab05fb

SHA512
878d04c3fda7927e45cde534abd3b3b22e5cc47a081386d66a5eabed8fb977ae232be003d734557012f672148d19b378e7fd1aefdcf56efc0a966cc08e1a83ee

Download Submit
memory/1976-30-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1976-56-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/1976-31-0x0000000000290000-0x000000000038E000-memory.dmp

Filesize
1016KB

Download
memory/2308-20-0x0000000000390000-0x000000000042C000-memory.dmp

Filesize
624KB

Download
memory/2620-29-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2620-15-0x0000000000400000-0x00000000004FE000-memory.dmp

Filesize
1016KB

Download
memory/2620-19-0x0000000000230000-0x000000000032E000-memory.dmp

Filesize
1016KB

Download
memory/2620-23-0x0000000002F90000-0x000000000308E000-memory.dmp

Filesize
1016KB

Download
memory/2792-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-37-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-62-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-61-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-58-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-33-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-80-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-66-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-64-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-63-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-44-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-43-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-42-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-41-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-40-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2792-35-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2940-45-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2940-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2940-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2940-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2940-54-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download