General
-
Target
https://mega.nz/file/L81XQTSQ#nWJScUjhSm_6pyxuQZJlXf3L3x6TmBB3bE3HTqTO8Zw
-
Sample
250110-fv8w8swjdm
Malware Config
Extracted
babylonrat
killer114.ddns.net
Targets
-
-
Target
https://mega.nz/file/L81XQTSQ#nWJScUjhSm_6pyxuQZJlXf3L3x6TmBB3bE3HTqTO8Zw
Score10/10-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Babylonrat family
-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
1Clear Persistence
1Modify Registry
3