Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
32s -
max time network
39s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
29/01/2025, 10:39
Behavioral task
behavioral1
Sample
Babylon RAT.exe
Resource
win10ltsc2021-20250128-en
7 signatures
300 seconds
General
-
Target
Babylon RAT.exe
-
Size
6.7MB
-
MD5
aecdce1d7e2a637d1dcacd2b4580487b
-
SHA1
d5cd12f7a18d6777c9ec8458694aa3a74fd23701
-
SHA256
9157a48c53ca7a4543bac5b771886c87ea407bab6bbb053b50bc22709111d572
-
SHA512
8bb5ad64f1b2e75e47c4671396a713018c74c44e84803887c6b4a200ea85f4c020ccfe15211af3899cdcf9d0f46ef994bfd939e462f61062044874f7a64d7a35
-
SSDEEP
98304:KbldsCQTcsBL54TRRTk3w0ZIWoPzSSosDlh7OLifNLxu2UVaCS2e7Csb6j9cgl36:GnPsHqRwvoPzSSosDlhCKzi9/2BO4T
Score
10/10
Malware Config
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
Babylonrat family
-
Program crash 5 IoCs
pid pid_target Process procid_target 5020 4572 WerFault.exe 79 3640 4008 WerFault.exe 88 272 3332 WerFault.exe 92 460 4988 WerFault.exe 95 640 4016 WerFault.exe 106 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babylon RAT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babylon RAT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babylon RAT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babylon RAT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babylon RAT.exe -
Suspicious behavior: LoadsDriver 6 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 680 Process not Found -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 4572 Babylon RAT.exe 4008 Babylon RAT.exe 3332 Babylon RAT.exe 4988 Babylon RAT.exe 4016 Babylon RAT.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 4572 Babylon RAT.exe 4008 Babylon RAT.exe 3332 Babylon RAT.exe 4988 Babylon RAT.exe 4016 Babylon RAT.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 11122⤵
- Program crash
PID:5020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4572 -ip 45721⤵PID:4580
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1148
-
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4008 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 11122⤵
- Program crash
PID:3640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4008 -ip 40081⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3332 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 10842⤵
- Program crash
PID:272
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3332 -ip 33321⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4988 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 10842⤵
- Program crash
PID:460
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4988 -ip 49881⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"C:\Users\Admin\AppData\Local\Temp\Babylon RAT.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4016 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 10842⤵
- Program crash
PID:640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4016 -ip 40161⤵PID:4936