babylonrat | dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e

General

Target

dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe
Size

735KB
MD5

228964fd171143c0fc1a2c7067857159
SHA1

eda5e7b3ce61ad23c579c953e8b3fa79aa167321
SHA256

dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e
SHA512

3ca61bc0eac3cd487e681c48db0523ffd9d0bf7de4e65e284f66810e91914b2d0e33a511e6eaee240ae8b2a4160a18311d685f587845bd1a6ae98f6e01520847
SSDEEP

12288:trsTMcgRdrEAzvHG4z2T6DSsyXUGz2FcFe0fySvZyESEGWKm:trsaRdrEAbm4zbryUGCMfySQ3m

Score

10^/10

babylonrat discovery persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

cb4cb4.ddns.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.url	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_DefaultEx = "0"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4280-24-0x0000000005420000-0x00000000054E4000-memory.dmp	upx
behavioral2/memory/4900-26-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-29-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-32-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-33-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-31-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-34-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-35-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-37-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/4900-55-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe
4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe
Token: SeShutdownPrivilege	4900	vbc.exe
Token: SeDebugPrivilege	4900	vbc.exe
Token: SeTcbPrivilege	4900	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4900	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 5088	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	83
PID 4280 wrote to memory of 5088	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	83
PID 4280 wrote to memory of 5088	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	83
PID 5088 wrote to memory of 4420	5088	csc.exe	85
PID 5088 wrote to memory of 4420	5088	csc.exe	85
PID 5088 wrote to memory of 4420	5088	csc.exe	85
PID 4280 wrote to memory of 1660	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	86
PID 4280 wrote to memory of 1660	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	86
PID 4280 wrote to memory of 1660	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	86
PID 4280 wrote to memory of 3432	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	88
PID 4280 wrote to memory of 3432	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	88
PID 4280 wrote to memory of 3432	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	88
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90
PID 4280 wrote to memory of 4900	4280	dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe	90

C:\Users\Admin\AppData\Local\Temp\dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe
"C:\Users\Admin\AppData\Local\Temp\dcd2a5fdcbba96f26247f193d5e68b5673fe48236b1b7d6a6af1842e5b80c14e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2erzlxgd\2erzlxgd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8983.tmp" "c:\Users\Admin\AppData\Local\Temp\2erzlxgd\CSC2CF27C7F3D054B0794D9EEBE708F26D1.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn RegAsm /MO 1 /tr "C:\ProgramData\Oracles\Svchost.exe\
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2erzlxgd\2erzlxgd.dll

Filesize
7KB

MD5
09a46321e77deda202daaffe68faafe0

SHA1
200ad2acefc6f3218d7381fdf412115464370e7c

SHA256
151581b86fa8794ee54d8bc26e736240a127d75390cc697d424cafe7d8a2cc6e

SHA512
74580cfc41e2c10f08a3abdc6ec197bcb7903f99e828a2d66390c8c6c71a3d025c6640e236b874b0a91690fa54a3c1ed472003adb720b8ffe2332c388174f2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2erzlxgd\2erzlxgd.pdb

Filesize
19KB

MD5
2559af46ef0cdb9f776009196e47af6b

SHA1
b21eab428d4d6e7b68147fb5f8a3eb93618ae1be

SHA256
bc3225a70611e9ae23315af2b87dd1e95438434d2c4152d88096f7a5f4338597

SHA512
5934edb08ef684f577961025ac74ae0233b35d2e142b962a4dff3f6fa85402209afb8648bdf7420d48e33c772bf32d4801517bee91a599786e5a29c52eff94e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8983.tmp

Filesize
1KB

MD5
92d56b1433c7e684c5d81d311721558a

SHA1
0c035efdab0d85185358210c4b48172aa1e05bb5

SHA256
2cfd70cdbc189747c2c18a0318fe00683c8d6dc16be8cc8b8bae4ba60b05e324

SHA512
3fe1a187496931b8042475356a70d2c9a95699a6cfaa621bdfa7c193020b919523093e55bbe3316e0fe6902eb4cac9c6cd94de8cb95e03fe887e7ccfc93ce9ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2erzlxgd\2erzlxgd.0.cs

Filesize
6KB

MD5
a100d6abfd6918aec8158600c442d61a

SHA1
19141bd6e9d00da1aec73b3dc062e8c366dee46d

SHA256
f27ca4618b977a51753ff4441613b3705dd422035c07f8bd7939bfc6cfaea888

SHA512
b7a558144ca0d3f6e3cfd4ad8899006cad58e8e0cc7621d38ee194be2e4e3807b3400c457e049cc89aa8f0522d316a42403c165d8649836ff2edd8532e4c71f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2erzlxgd\2erzlxgd.cmdline

Filesize
312B

MD5
cc6be1a2e7606e5a54351077d86b64cc

SHA1
2cfaf7704d90e29f5c84f4cde0a2e9ce397b0a93

SHA256
0a84a5320e183d8378bf42ec061e3e46cb2eb6c0544997a4756625624520ae42

SHA512
df3c11ec7ac9a7c2fcb18e0b2aea19abb0c582dd1428e12fd1582ff44c91d089f84e464bcfef42fdcaeb92c54ae4b70e779c3f98a3449fc33fa2c8a22870e5f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2erzlxgd\CSC2CF27C7F3D054B0794D9EEBE708F26D1.TMP

Filesize
1KB

MD5
4a6622d7f5b82bf349910e7102321602

SHA1
88ae1d209089ba3baf98b8df4c47be32614a7d07

SHA256
ae26d02905979be7cd6fad8e222ce90e43340e4ed3ddf170f780d6e1ec8244ab

SHA512
66a6e3670066675d9d496264aebccdde854cc4ab8457aaa671ed36eea883c0f26840b3a1f73aad0a51fe539f105d90f29d4499d499ae65d358500ee166abb591

Download Submit
memory/4280-21-0x0000000004D90000-0x0000000004D9C000-memory.dmp

Filesize
48KB

Download
memory/4280-30-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4280-1-0x0000000000390000-0x0000000000434000-memory.dmp

Filesize
656KB

Download
memory/4280-17-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/4280-19-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/4280-20-0x00000000053B0000-0x0000000005418000-memory.dmp

Filesize
416KB

Download
memory/4280-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/4280-24-0x0000000005420000-0x00000000054E4000-memory.dmp

Filesize
784KB

Download
memory/4280-25-0x00000000056D0000-0x000000000576C000-memory.dmp

Filesize
624KB

Download
memory/4280-5-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4900-26-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-29-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-32-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-33-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-31-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-34-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-35-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-37-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4900-55-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads