Analysis Overview
SHA256
cb831ca08798bcea49874f81a7fe08368c057bd3bf9d1bfba6d7bb92fa61c4c1
Threat Level: Known bad
The file ws4.exe was found to be: Known bad.
Malicious Activity Summary
Babylon RAT
Babylonrat family
Executes dropped EXE
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-14 18:20
Signatures
Babylonrat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-14 18:20
Reported
2025-03-14 18:24
Platform
win10ltsc2021-20250314-en
Max time kernel
205s
Max time network
161s
Command Line
Signatures
Babylon RAT
Babylonrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ws4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\Users\Admin\AppData\Local\Temp\ws4.exe
"C:\Users\Admin\AppData\Local\Temp\ws4.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 13.87.96.169:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
Files
memory/756-0-0x0000000000600000-0x00000000006C9000-memory.dmp
C:\ProgramData\Babylon RAT\client.exe
| MD5 | 474885a0b7d7ce32f93b1b141f716a6b |
| SHA1 | d3b796ebc8b1121a80972d6d5bb3bcfecefce3ef |
| SHA256 | cb831ca08798bcea49874f81a7fe08368c057bd3bf9d1bfba6d7bb92fa61c4c1 |
| SHA512 | 6a05d281970222ebb7868ba0653ac64ef3973cd62165da78404cb5a7589b977be0a01b4bd5c3d7e4d2210fefef1e4de340741e912bf8532cb7bd2a7184bb371b |
memory/252-2-0x0000000000390000-0x0000000000459000-memory.dmp
memory/756-4-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/252-5-0x0000000000390000-0x0000000000459000-memory.dmp
memory/252-6-0x0000000000390000-0x0000000000459000-memory.dmp
memory/252-7-0x0000000000390000-0x0000000000459000-memory.dmp
memory/252-10-0x0000000000390000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Roaming\ConfigsEx\2025 03 14 - 06 21 PM
| MD5 | 1e3d429a9b7ebcee23ea29302d4f7e0e |
| SHA1 | 4242f0e605572bb2cccff1066b2bd7f6ab7b34c0 |
| SHA256 | 06878b276e3fa2b975c18483ee816b6dc8cf3aeafd02ce886f918c55f0b10ca1 |
| SHA512 | e4674739026e89f628c7c93342b060260f6dfa103eab7d4b957e419165a0100f34894ced18535b759ba02bef9ba674b6177c6cfac97f8b5b29063393cae93beb |
C:\Users\Admin\AppData\Roaming\ConfigsEx\2025 03 14 - 06 21 PM
| MD5 | 00e5a53a9f8fa6ed1495898d19078d33 |
| SHA1 | d4b5d30e42851fb6983052b56a5c967f1aa4556e |
| SHA256 | 4d271db58fad4f8153c824b8b707949dede286ad56c305ba7e2dcd6a34fd5ed2 |
| SHA512 | f133e6c1a7982e904b222328e9864ff53405d1e4c55bab42424cd7f6c22453dfdda3869ec8168f41b0c58dc2da815d0c09b19ddd897bf0952084106d9f9567e8 |
C:\Users\Admin\AppData\Roaming\ConfigsEx\2025 03 14 - 06 21 PM
| MD5 | 3459dfca89e40b3adcf47a00c74c2072 |
| SHA1 | 0d79122f802c128171faa6bd696b06422f490ea5 |
| SHA256 | 4b790feddca6749e0d086eac403e0b3cc01cddcb4feeb131d598552b74b6a25d |
| SHA512 | dfe4990b6d82b84f9c9269636c49719e7fbd509f7ac3300099fdc4565fa7859108474ab6741b30d388cdb5fcee183a38d209c7f6194dfbef4219232da85137d0 |
memory/252-49-0x0000000000390000-0x0000000000459000-memory.dmp
memory/5740-51-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/2188-53-0x0000000000390000-0x0000000000459000-memory.dmp
memory/2188-55-0x0000000000390000-0x0000000000459000-memory.dmp
memory/252-56-0x0000000000390000-0x0000000000459000-memory.dmp
memory/4088-58-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/1644-61-0x0000000000390000-0x0000000000459000-memory.dmp
memory/252-62-0x0000000000390000-0x0000000000459000-memory.dmp
memory/6060-65-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/3864-67-0x0000000000390000-0x0000000000459000-memory.dmp
memory/5244-72-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/1760-75-0x0000000000390000-0x0000000000459000-memory.dmp
memory/1880-78-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/1672-80-0x0000000000390000-0x0000000000459000-memory.dmp
memory/3452-88-0x0000000000600000-0x00000000006C9000-memory.dmp
memory/1112-90-0x0000000000390000-0x0000000000459000-memory.dmp