Analysis
- max time kernel: 21s
- max time network: 17s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250113-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 26/01/2025, 13:41
Behavioral tasks

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | UNIVERSAL CHETA.exe | win10ltsc2021-20250113-en |
| behavioral2 | UNIVERSAL CHETA.exe | win11-20241007-en |
General
- Target: UNIVERSAL CHETA.exe
- Size: 355KB
- MD5: 10ed02c031944ddb3f6bfce0ad48c96a
- SHA1: 0b41dc80543290f77076836e5dc62f1ff072b3fe
- SHA256: 1ddde818bbcce3fe9e6f70ca9c7b44aac6c5687db4202e93fa64245396001677
- SHA512: a1545160a810043cbf90db9187800d6538e5137a64a3fa4acd5fd79e9bab09febdadc444f55229cfcfa601afa3834302b34f03851e1d46773fb09e7fdbe8a554
- SSDEEP: 6144:nL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19I:nLdcfxaeM6fy/KaVUtgKkTZ73coNRJI
Malware Config
Signatures

- Babylon RAT
  Babylon RAT is a remote access trojan written in C++.

- Babylonrat family

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/3824-0-0x0000000000F50000-0x0000000001019000-memory.dmp | upx |
| behavioral1/memory/3824-1-0x0000000000F50000-0x0000000001019000-memory.dmp | upx |
| behavioral1/memory/3824-2-0x0000000000F50000-0x0000000001019000-memory.dmp | upx |
| behavioral1/memory/1300-3-0x0000000000F50000-0x0000000001019000-memory.dmp | upx |
| behavioral1/memory/3824-4-0x0000000000F50000-0x0000000001019000-memory.dmp | upx |
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UNIVERSAL CHETA.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | UNIVERSAL CHETA.exe |
- Suspicious use of AdjustPrivilegeToken (6 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 3824 | UNIVERSAL CHETA.exe |
| Token: SeDebugPrivilege | 3824 | UNIVERSAL CHETA.exe |
| Token: SeTcbPrivilege | 3824 | UNIVERSAL CHETA.exe |
| Token: SeShutdownPrivilege | 1300 | UNIVERSAL CHETA.exe |
| Token: SeDebugPrivilege | 1300 | UNIVERSAL CHETA.exe |
| Token: SeTcbPrivilege | 1300 | UNIVERSAL CHETA.exe |

- Suspicious use of SetWindowsHookEx (1 IoCs)

| pid | Process |
| --- | --- |
| 3824 | UNIVERSAL CHETA.exe |

- Suspicious use of WriteProcessMemory (3 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3824 wrote to memory of 1300 | 3824 | UNIVERSAL CHETA.exe | 84 |
| PID 3824 wrote to memory of 1300 | 3824 | UNIVERSAL CHETA.exe | 84 |
| PID 3824 wrote to memory of 1300 | 3824 | UNIVERSAL CHETA.exe | 84 |
Processes

- C:\Users\Admin\AppData\Local\Temp\UNIVERSAL CHETA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\UNIVERSAL CHETA.exe"
  PID: 3824
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\UNIVERSAL CHETA.exe (child of PID 3824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\UNIVERSAL CHETA.exe" 3824
    PID: 1300
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken