Analysis
- max time kernel: 117s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2025, 06:59

Static task: static1

Behavioral task: behavioral1
- Sample: 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
- Resource: win10v2004-20241007-en
General
- Target: 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
- Size: 735KB
- MD5: 8b3abbb304f163345e23e9c6b1e70a90
- SHA1: 2f55f460322b4a687bc08e0f527e24b4a53e029c
- SHA256: 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55
- SHA512: 7894285b95a882b2bf1f66822e1a0e24d07b96dd0738238e87a12155e2613bf05baca081c4faa4e9597d99d4a6eca00fabfe7c7dc45b4ff193c4fbfad27b9f37
- SSDEEP: 12288:trsTMcgRdrEAzvHG4z2T6DSsyXUGz2FcFe0fySvZyESEGWKy:trsaRdrEAbm4zbryUGCMfySQ3y
Malware Config
Extracted
- Family: babylonrat
- Extracted host: cb4cb4.ddns.net (dynamic DNS)
Signatures
- Babylon RAT
  Babylon RAT is a remote access trojan written in C++.
- Babylonrat family
- Drops startup file 1 IoCs
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.url
  Process: 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
- Uses the VBS compiler for execution 1 TTPs
  (vbc.exe here is the Visual Basic .NET compiler from C:\Windows\Microsoft.NET\Framework\v2.0.50727, started with no arguments and then targeted by SetThreadContext from PID 1852; see Processes.)
- Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_DefaultEx = "0"
  Process: vbc.exe
- Suspicious use of SetThreadContext 1 IoCs
  description: PID 1852 set thread context of 2820
  Process: 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe (PID 1852), procid_target 90
- Yara rule matches in memory (rule: upx) 10 IoCs
  resource / yara_rule:
  - behavioral2/memory/1852-24-0x0000000005EB0000-0x0000000005F74000-memory.dmp: upx
  - behavioral2/memory/2820-29-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-30-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-31-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-33-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-32-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-34-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-37-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-38-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  - behavioral2/memory/2820-56-0x0000000000400000-0x00000000004C4000-memory.dmp: upx
  (The one match in PID 1852 is a heap-range buffer; the matches in PID 2820 all sit at 0x400000, the image base of vbc.exe, which is consistent with the parent writing a UPX-packed payload over the hollowed child.)
- System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes: csc.exe, cvtres.exe, schtasks.exe, schtasks.exe, vbc.exe, 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process: 368 schtasks.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid / Process: 1852 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe (x2)
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  description / pid / Process:
  - Token: SeDebugPrivilege, 1852, 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
  - Token: SeShutdownPrivilege, 2820, vbc.exe
  - Token: SeDebugPrivilege, 2820, vbc.exe
  - Token: SeTcbPrivilege, 2820, vbc.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid / Process: 2820 vbc.exe
- Suspicious use of WriteProcessMemory 19 IoCs
  description / pid / Process / procid_target (repeated entries collapsed, counts in parentheses):
  - PID 1852 wrote to memory of 1916 (x3): 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe, target 83
  - PID 1916 wrote to memory of 2832 (x3): csc.exe, target 85
  - PID 1852 wrote to memory of 3880 (x3): 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe, target 86
  - PID 1852 wrote to memory of 368 (x3): 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe, target 88
  - PID 1852 wrote to memory of 2820 (x7): 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe, target 90
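The WriteProcessMemory and SetThreadContext tables above are easier to reason about as a process tree. The Python below is an added example written for this page, not sandbox code and not part of the sample: it parses a subset of those IoC lines (copied as constructed input, with their repeats), rebuilds the parent/child relationships from them, and flags any pair where a parent repeatedly wrote into a child and then reset the child's thread context. That pairing is the process-hollowing sequence, and it is consistent with the UPX-matching memory in vbc.exe (PID 2820) sitting at the image base 0x400000. The IMAGE_BY_PID map (filled from the Processes section), the function names and the min_writes threshold are my own choices.

```python
import re
from collections import Counter, defaultdict

SAMPLE = "15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe"

# Constructed input: a subset of the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" IoC lines from this report, one per line,
# repeats kept. Field order as the sandbox prints it:
#   PID <src> <verb> <dst> <src> <src image> <procid_target>
IOC_LINES = f"""
PID 1852 wrote to memory of 1916 1852 {SAMPLE} 83
PID 1852 wrote to memory of 1916 1852 {SAMPLE} 83
PID 1916 wrote to memory of 2832 1916 csc.exe 85
PID 1852 wrote to memory of 3880 1852 {SAMPLE} 86
PID 1852 wrote to memory of 368 1852 {SAMPLE} 88
PID 1852 wrote to memory of 2820 1852 {SAMPLE} 90
PID 1852 wrote to memory of 2820 1852 {SAMPLE} 90
PID 1852 wrote to memory of 2820 1852 {SAMPLE} 90
PID 1852 wrote to memory of 2820 1852 {SAMPLE} 90
PID 1852 set thread context of 2820 1852 {SAMPLE} 90
"""

# Image names for PIDs that only ever appear as targets, taken from the Processes section.
IMAGE_BY_PID = {
    1852: SAMPLE,
    1916: "csc.exe",
    2832: "cvtres.exe",
    3880: "schtasks.exe",
    368: "schtasks.exe",
    2820: "vbc.exe",
}

# The third PID on each line repeats the source PID, hence the (?P=src) backreference.
IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)


def parse_iocs(text):
    """Return (children, write_counts, ctx_pairs) parsed from the sandbox IoC lines."""
    children = defaultdict(set)   # parent pid -> set of child pids it touched
    writes = Counter()            # (src, dst) -> number of WriteProcessMemory entries
    ctx = set()                   # (src, dst) pairs that had a SetThreadContext entry
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed IoC line: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        children[src].add(dst)
        if m["verb"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return children, writes, ctx


def hollowing_candidates(writes, ctx, min_writes=2):
    """Pairs where the parent wrote into the child at least min_writes times and then
    reset its thread context: the classic hollowing order (write image, set context)."""
    return sorted(pair for pair in ctx if writes[pair] >= min_writes)


def render_tree(children, root, depth=0):
    """Indented parent/child listing, children in PID order."""
    lines = [f"{'  ' * depth}{IMAGE_BY_PID.get(root, '?')} (pid {root})"]
    for child in sorted(children.get(root, ())):
        lines.extend(render_tree(children, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, writes, ctx = parse_iocs(IOC_LINES)
    print("\n".join(render_tree(children, 1852)))
    for src, dst in hollowing_candidates(writes, ctx):
        print(f"hollowing candidate: pid {src} -> pid {dst} "
              f"({IMAGE_BY_PID[dst]}), {writes[(src, dst)]} writes before SetThreadContext")
```

The threshold is deliberately low: a debugger or a legitimate loader also calls SetThreadContext, so on real telemetry this should be one signal joined with the others in this report (a .NET Framework binary started with no arguments, a UPX region at the child's image base) rather than an alert on its own.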
Processes
- C:\Users\Admin\AppData\Local\Temp\15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe (PID 1852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe"
  Signatures: Drops startup file; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1916)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttpiizk5\ttpiizk5.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2832)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBAF.tmp" "c:\Users\Admin\AppData\Local\Temp\ttpiizk5\CSC994E86F8D7B4416A8363F989106D7B15.TMP"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe (PID 3880)
    Command line: "schtasks.exe" /query
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe (PID 368)
    Command line: "schtasks.exe" /create /sc MINUTE /tn RegAsm /MO 1 /tr "C:\ProgramData\Oracles\Svchost.exe\
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2820)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    Signatures: Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
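For detection, the tree above reduces to four independently observable events: a .NET compiler (csc.exe with /noconfig) spawned by a binary running from the user's Temp directory; a schtasks /create with a one-minute trigger (/sc MINUTE /MO 1) whose action, C:\ProgramData\Oracles\Svchost.exe, is outside the Windows directory and is not among the files this report lists; a .NET Framework binary (vbc.exe) started with no arguments at all; and a .url dropped into the Startup folder. The Python below is an added example, not code from the sandbox or from the sample: it runs those four rules over constructed Sysmon-style events modelled on this tree, plus one made-up benign control (csc.exe under MSBuild.exe) to show that the compiler rule keys on the parent rather than on csc.exe itself. The rule names, event field names and the DEV_PARENTS and HOLLOW_HOSTS lists are my assumptions; the command lines are the ones on this page, including the unterminated quote on the schtasks line, which the tokenizer tolerates.

```python
import re

# Paths taken from the Processes section of this report.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe"
FW = r"C:\Windows\Microsoft.NET\Framework"
CSC, CVTRES, VBC = FW + r"\v4.0.30319\csc.exe", FW + r"\v4.0.30319\cvtres.exe", FW + r"\v2.0.50727\vbc.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed telemetry modelled on the process tree (Sysmon-style: id 1 = process create,
# id 11 = file create). The sample's own parent is not on the page, so it is None here.
# The last event (csc.exe under MSBuild.exe) is a made-up benign control case.
EVENTS = [
    {"id": 1, "pid": 1852, "image": SAMPLE, "parent": None, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 1916, "image": CSC, "parent": SAMPLE,
     "cmd": f'"{CSC}" /noconfig /fullpaths @"' + TEMP + r'\ttpiizk5\ttpiizk5.cmdline"'},
    {"id": 1, "pid": 2832, "image": CVTRES, "parent": CSC,
     "cmd": CVTRES + r' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
            + r'\RESBBAF.tmp" "c:\Users\Admin\AppData\Local\Temp\ttpiizk5\CSC994E86F8D7B4416A8363F989106D7B15.TMP"'},
    {"id": 1, "pid": 3880, "image": SCHTASKS, "parent": SAMPLE, "cmd": '"schtasks.exe" /query'},
    {"id": 1, "pid": 368, "image": SCHTASKS, "parent": SAMPLE,
     "cmd": r'"schtasks.exe" /create /sc MINUTE /tn RegAsm /MO 1 /tr "C:\ProgramData\Oracles\Svchost.exe' + "\\"},
    {"id": 1, "pid": 2820, "image": VBC, "parent": SAMPLE, "cmd": f'"{VBC}"'},
    {"id": 11, "pid": 1852, "image": SAMPLE, "target": STARTUP + r"\RegAsm.url"},
    {"id": 1, "pid": 4100, "image": CSC, "parent": r"C:\Program Files\MSBuild\MSBuild.exe",
     "cmd": f'"{CSC}" /noconfig @"' + TEMP + r'\build.cmdline"'},
]

# Assumed allow-list of parents that legitimately drive csc.exe/vbc.exe, and the .NET Framework
# binaries commonly used as hollowing hosts (vbc.exe and RegAsm.exe both appear on this page).
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together and
    tolerating an unterminated quote (as on the schtasks /create line in this report)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"?|\S+', cmdline)]


def rule_schtasks_minute(ev):
    """schtasks /create with a per-minute trigger whose action lives outside C:\\Windows."""
    if ev["id"] != 1 or basename(ev["image"]) != "schtasks.exe":
        return None
    toks = tokenize(ev["cmd"])
    opts = {}
    for i, tok in enumerate(toks):
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            opts[tok.lower()] = "" if nxt.startswith("/") else nxt
    if "/create" not in opts or opts.get("/sc", "").lower() != "minute":
        return None
    action = opts.get("/tr", "")
    if action.lower().startswith("c:\\windows\\"):
        return None
    return f"task {opts.get('/tn')} runs {action} every {opts.get('/mo') or '1'} minute(s)"


def rule_csc_nondev_parent(ev):
    """A .NET compiler invoked with /noconfig by something that is not a build tool."""
    if ev["id"] == 1 and basename(ev["image"]) in {"csc.exe", "vbc.exe"} \
            and "/noconfig" in ev["cmd"].lower() and basename(ev["parent"]) not in DEV_PARENTS:
        return f"{basename(ev['image'])} compile launched by {basename(ev['parent']) or 'unknown'}"
    return None


def rule_dotnet_host_no_args(ev):
    """A .NET Framework binary started with an empty argument list: nothing to compile or
    register, so the process exists to be written into (see SetThreadContext on PID 2820)."""
    if ev["id"] == 1 and basename(ev["image"]) in HOLLOW_HOSTS \
            and "\\microsoft.net\\framework" in ev["image"].lower() and len(tokenize(ev["cmd"])) == 1:
        return f"{basename(ev['image'])} started with no arguments (possible hollowing host)"
    return None


def rule_startup_drop(ev):
    """Executable or shortcut-like file written into a user's Startup folder."""
    if ev["id"] != 11:
        return None
    target = ev["target"].lower()
    if "\\start menu\\programs\\startup\\" in target \
            and target.rsplit(".", 1)[-1] in {"url", "lnk", "exe", "vbs", "js", "bat", "cmd"}:
        return f"startup-folder persistence: {basename(ev['target'])} written by {basename(ev['image'])}"
    return None


RULES = {
    "schtasks_minute": rule_schtasks_minute,
    "csc_nondev_parent": rule_csc_nondev_parent,
    "dotnet_host_no_args": rule_dotnet_host_no_args,
    "startup_drop": rule_startup_drop,
}


def run_rules(events):
    """Return (rule name, pid, message) for every rule that fires on every event."""
    return [(name, ev["pid"], msg) for ev in events for name, rule in RULES.items() if (msg := rule(ev))]


if __name__ == "__main__":
    for name, pid, msg in run_rules(EVENTS):
        print(f"[{name}] pid {pid}: {msg}")
```

Two points worth carrying into a production rule: the sample is 32-bit (the resource tags list arch:x86 and schtasks.exe runs from SysWOW64), so path matching must cover both System32 and SysWOW64 copies; and the schtasks rule keys on the action path rather than the task name, because "RegAsm" here is just a name borrowed from a legitimate .NET tool to blend in with the RegAsm.url startup entry.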
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job: Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job: Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: b8b3774a9227e2994451a95744e55d63
  SHA1: ef40e9ab6b41e16cf6760cf780d35b6c6cbce351
  SHA256: bd86ef14bccef5ad65d278cbb92b349c4119b654eb0ab40d50e6c69e0e24cfa1
  SHA512: 7ac60db7e25fcfdec50f39950189b84568dae0336008226f5197d4b1fd55eb31a2acc9e0fb81110f83056c0ad6d414ae87f39e3b24659e0a6e4197b67767fed6
- Filesize: 7KB
  MD5: ef0d727ccb3f983dbb725316176fdec1
  SHA1: 7ac0c350ebeb4cd72b8a938e731e889aab89fdeb
  SHA256: 4dc88202021b71ebe6201e934d237b181266a697d688270b84d256572265d20d
  SHA512: f93a106f738355e369783377ac829668b553e3e91cd93b4e8e73531a75fd5835b64d271b84040f5573604b245a4d1cbba275ef2dc0a89ada16b176d0685d9ba1
- Filesize: 19KB
  MD5: e9b5480cdef75d8c4c57bc827ac63669
  SHA1: 8c869ed6de63ff05054d7b53613e7c07871f60e4
  SHA256: 04d8aeeeb70e4e11d8031765d5575626257c410daf62b32537d70da57c312988
  SHA512: 0ec26c2f909b37da6157ccbe3832af4afc1b519261ab4eec0046810fc8007f371a4c3230f43c97d2e272e1b75093b97950beb91527441307f38683e35bcf3773
- Filesize: 1KB
  MD5: 55817e07d24de336a62c3abc14cb116b
  SHA1: ef341b2f6637eac0b1e7b183d2670f6776604a17
  SHA256: f2771c7cba43c6dc1c07a94ca5fbb6545c95f6d49171a096ae67b23f2bcf75bf
  SHA512: 8529a10977902426dac585e1bf93b5f689dd79995858ac30a4a0ca5efa4868023e3664f11285be8a5134c06c3e66cce6cf11363baa01523633a8cfddc1d44628
- Filesize: 6KB
  MD5: a100d6abfd6918aec8158600c442d61a
  SHA1: 19141bd6e9d00da1aec73b3dc062e8c366dee46d
  SHA256: f27ca4618b977a51753ff4441613b3705dd422035c07f8bd7939bfc6cfaea888
  SHA512: b7a558144ca0d3f6e3cfd4ad8899006cad58e8e0cc7621d38ee194be2e4e3807b3400c457e049cc89aa8f0522d316a42403c165d8649836ff2edd8532e4c71f0
- Filesize: 312B
  MD5: d911c8acb0a46f9bf94e22a67d2179d9
  SHA1: 6787e58f8ba099f5537de6f8746cb0d69fab1120
  SHA256: 99a57603dea30d26341a49a39cedc94b89bd21218f60e251cde8d6ccab97a497
  SHA512: 07c31c74ca1c457f335c83a2cd68aa1db068fe044f16b3ca6056b700827219bf3c638304b37d0080d1603150f1d02ac3b7fb7721703b5d268f7a547cf3c3f292