babylonrat | 0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44

Analysis

max time kernel
117s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
Size

951KB
MD5

aa82ab6c120ad91f064822494fe62efb
SHA1

eb10220cfcad3f8e92d5bcbda0d49cf1866df9a0
SHA256

0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44
SHA512

3edfd8f420f3a29477a006000ce6c809814f496edc30ae86278b6cda103641ac69fec086698d4171be8f3975cb373ef5502ab34266fd8d1338b51ff2fa020920
SSDEEP

24576:AN+cu49fdt9rdqyPWLzAh0ldWjWCV6JApBpgK5Fz:i+cuWt9RZPgK0ldWjWCPppFz

Score

10^/10

babylonrat discovery persistence trojan

Malware Config

Extracted

Family

babylonrat

serialordersservice.ddns.net

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Executes dropped EXE 2 IoCs

pid	Process
4832	orderspromptservice.exe
5068	orderspromptservice.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\orderspromptservice = "C:\\ProgramData\\orderspromptservice\\orderspromptservice.exe"	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\orderspromptservice = "C:\\ProgramData\\orderspromptservice\\orderspromptservice.exe"	orderspromptservice.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\orderspromptservice = "C:\\ProgramData\\orderspromptservice\\orderspromptservice.exe"	orderspromptservice.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
4832	orderspromptservice.exe
5068	orderspromptservice.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orderspromptservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orderspromptservice.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
4832	orderspromptservice.exe
4832	orderspromptservice.exe
5068	orderspromptservice.exe
5068	orderspromptservice.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4832	orderspromptservice.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
Token: SeDebugPrivilege	1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
Token: SeTcbPrivilege	1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
Token: SeShutdownPrivilege	4832	orderspromptservice.exe
Token: SeDebugPrivilege	4832	orderspromptservice.exe
Token: SeTcbPrivilege	4832	orderspromptservice.exe
Token: SeShutdownPrivilege	5068	orderspromptservice.exe
Token: SeDebugPrivilege	5068	orderspromptservice.exe
Token: SeTcbPrivilege	5068	orderspromptservice.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	orderspromptservice.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4832	1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe	83
PID 1028 wrote to memory of 4832	1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe	83
PID 1028 wrote to memory of 4832	1028	0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe	83
PID 4832 wrote to memory of 5068	4832	orderspromptservice.exe	86
PID 4832 wrote to memory of 5068	4832	orderspromptservice.exe	86
PID 4832 wrote to memory of 5068	4832	orderspromptservice.exe	86

C:\Users\Admin\AppData\Local\Temp\0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe
"C:\Users\Admin\AppData\Local\Temp\0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
- C:\ProgramData\orderspromptservice\orderspromptservice.exe
  "C:\ProgramData\orderspromptservice\orderspromptservice.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\ProgramData\orderspromptservice\orderspromptservice.exe
    "C:\ProgramData\orderspromptservice\orderspromptservice.exe" 4832
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\orderspromptservice\orderspromptservice.exe

Filesize
951KB

MD5
aa82ab6c120ad91f064822494fe62efb

SHA1
eb10220cfcad3f8e92d5bcbda0d49cf1866df9a0

SHA256
0b3eb2c564e87b1aa8c853a6af7a08836ea402c7776f44650849abdc1d4c5d44

SHA512
3edfd8f420f3a29477a006000ce6c809814f496edc30ae86278b6cda103641ac69fec086698d4171be8f3975cb373ef5502ab34266fd8d1338b51ff2fa020920

Download Submit
memory/1028-3-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-2-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-8-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-7-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-4-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-23-0x0000000000401000-0x0000000000483000-memory.dmp

Filesize
520KB

Download
memory/1028-9-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/1028-5-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/1028-12-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-1-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/1028-16-0x0000000002360000-0x00000000023A4000-memory.dmp

Filesize
272KB

Download
memory/1028-22-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-0-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1028-6-0x0000000000401000-0x0000000000483000-memory.dmp

Filesize
520KB

Download
memory/4832-45-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-51-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-55-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-53-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-21-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/4832-20-0x0000000000760000-0x00000000007A4000-memory.dmp

Filesize
272KB

Download
memory/4832-19-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-18-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-17-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-39-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-49-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-31-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-32-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-33-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-47-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-43-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-37-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/4832-41-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-30-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-40-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-38-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-42-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-36-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-44-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-29-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/5068-46-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-34-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-48-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-26-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-50-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-28-0x0000000000720000-0x0000000000764000-memory.dmp

Filesize
272KB

Download
memory/5068-52-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-27-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-54-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-25-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/5068-56-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download