babylonrat | 15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55

General

Target

15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
Size

735KB
MD5

8b3abbb304f163345e23e9c6b1e70a90
SHA1

2f55f460322b4a687bc08e0f527e24b4a53e029c
SHA256

15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55
SHA512

7894285b95a882b2bf1f66822e1a0e24d07b96dd0738238e87a12155e2613bf05baca081c4faa4e9597d99d4a6eca00fabfe7c7dc45b4ff193c4fbfad27b9f37
SSDEEP

12288:trsTMcgRdrEAzvHG4z2T6DSsyXUGz2FcFe0fySvZyESEGWKy:trsaRdrEAbm4zbryUGCMfySQ3y

Score

10^/10

babylonrat discovery persistence trojan upx

Malware Config

Extracted

Family

babylonrat

C2

cb4cb4.ddns.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.url	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\_DefaultEx = "0"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1852-24-0x0000000005EB0000-0x0000000005F74000-memory.dmp	upx
behavioral2/memory/2820-29-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-30-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-31-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-33-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-32-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-34-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-37-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-38-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral2/memory/2820-56-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
Token: SeShutdownPrivilege	2820	vbc.exe
Token: SeDebugPrivilege	2820	vbc.exe
Token: SeTcbPrivilege	2820	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2820	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1916	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	83
PID 1852 wrote to memory of 1916	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	83
PID 1852 wrote to memory of 1916	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	83
PID 1916 wrote to memory of 2832	1916	csc.exe	85
PID 1916 wrote to memory of 2832	1916	csc.exe	85
PID 1916 wrote to memory of 2832	1916	csc.exe	85
PID 1852 wrote to memory of 3880	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	86
PID 1852 wrote to memory of 3880	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	86
PID 1852 wrote to memory of 3880	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	86
PID 1852 wrote to memory of 368	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	88
PID 1852 wrote to memory of 368	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	88
PID 1852 wrote to memory of 368	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	88
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90
PID 1852 wrote to memory of 2820	1852	15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe	90

C:\Users\Admin\AppData\Local\Temp\15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe
"C:\Users\Admin\AppData\Local\Temp\15b805ea0121bfaeadcd2e6f4cafce3199a91209f04b599bb333dca9010aeb55N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ttpiizk5\ttpiizk5.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBAF.tmp" "c:\Users\Admin\AppData\Local\Temp\ttpiizk5\CSC994E86F8D7B4416A8363F989106D7B15.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /query
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3880
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /sc MINUTE /tn RegAsm /MO 1 /tr "C:\ProgramData\Oracles\Svchost.exe\
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:368
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBBAF.tmp

Filesize
1KB

MD5
b8b3774a9227e2994451a95744e55d63

SHA1
ef40e9ab6b41e16cf6760cf780d35b6c6cbce351

SHA256
bd86ef14bccef5ad65d278cbb92b349c4119b654eb0ab40d50e6c69e0e24cfa1

SHA512
7ac60db7e25fcfdec50f39950189b84568dae0336008226f5197d4b1fd55eb31a2acc9e0fb81110f83056c0ad6d414ae87f39e3b24659e0a6e4197b67767fed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttpiizk5\ttpiizk5.dll

Filesize
7KB

MD5
ef0d727ccb3f983dbb725316176fdec1

SHA1
7ac0c350ebeb4cd72b8a938e731e889aab89fdeb

SHA256
4dc88202021b71ebe6201e934d237b181266a697d688270b84d256572265d20d

SHA512
f93a106f738355e369783377ac829668b553e3e91cd93b4e8e73531a75fd5835b64d271b84040f5573604b245a4d1cbba275ef2dc0a89ada16b176d0685d9ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttpiizk5\ttpiizk5.pdb

Filesize
19KB

MD5
e9b5480cdef75d8c4c57bc827ac63669

SHA1
8c869ed6de63ff05054d7b53613e7c07871f60e4

SHA256
04d8aeeeb70e4e11d8031765d5575626257c410daf62b32537d70da57c312988

SHA512
0ec26c2f909b37da6157ccbe3832af4afc1b519261ab4eec0046810fc8007f371a4c3230f43c97d2e272e1b75093b97950beb91527441307f38683e35bcf3773

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttpiizk5\CSC994E86F8D7B4416A8363F989106D7B15.TMP

Filesize
1KB

MD5
55817e07d24de336a62c3abc14cb116b

SHA1
ef341b2f6637eac0b1e7b183d2670f6776604a17

SHA256
f2771c7cba43c6dc1c07a94ca5fbb6545c95f6d49171a096ae67b23f2bcf75bf

SHA512
8529a10977902426dac585e1bf93b5f689dd79995858ac30a4a0ca5efa4868023e3664f11285be8a5134c06c3e66cce6cf11363baa01523633a8cfddc1d44628

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttpiizk5\ttpiizk5.0.cs

Filesize
6KB

MD5
a100d6abfd6918aec8158600c442d61a

SHA1
19141bd6e9d00da1aec73b3dc062e8c366dee46d

SHA256
f27ca4618b977a51753ff4441613b3705dd422035c07f8bd7939bfc6cfaea888

SHA512
b7a558144ca0d3f6e3cfd4ad8899006cad58e8e0cc7621d38ee194be2e4e3807b3400c457e049cc89aa8f0522d316a42403c165d8649836ff2edd8532e4c71f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttpiizk5\ttpiizk5.cmdline

Filesize
312B

MD5
d911c8acb0a46f9bf94e22a67d2179d9

SHA1
6787e58f8ba099f5537de6f8746cb0d69fab1120

SHA256
99a57603dea30d26341a49a39cedc94b89bd21218f60e251cde8d6ccab97a497

SHA512
07c31c74ca1c457f335c83a2cd68aa1db068fe044f16b3ca6056b700827219bf3c638304b37d0080d1603150f1d02ac3b7fb7721703b5d268f7a547cf3c3f292

Download Submit
memory/1852-21-0x0000000005890000-0x000000000589C000-memory.dmp

Filesize
48KB

Download
memory/1852-35-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1852-1-0x0000000000E50000-0x0000000000EF4000-memory.dmp

Filesize
656KB

Download
memory/1852-17-0x00000000057F0000-0x00000000057F8000-memory.dmp

Filesize
32KB

Download
memory/1852-19-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/1852-20-0x0000000005E40000-0x0000000005EA8000-memory.dmp

Filesize
416KB

Download
memory/1852-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1852-24-0x0000000005EB0000-0x0000000005F74000-memory.dmp

Filesize
784KB

Download
memory/1852-25-0x0000000006160000-0x00000000061FC000-memory.dmp

Filesize
624KB

Download
memory/1852-5-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2820-29-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-31-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-33-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-32-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-34-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-30-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-37-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-38-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-56-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads