babylonrat | 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a

General

Target

zzzz.exe
Size

439KB
MD5

91dfc3dc22ce12c3cb94b2afb29735f9
SHA1

4478a7cca636b5163e24328478f6c654ffc02184
SHA256

66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a
SHA512

6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9
SSDEEP

12288:VLdcfxaeM6fy/KaVUtgKkTZ73coNRJHwSuBzB0:dkIZGSAtgN+eJHwSuBzB0

Score

10^/10

babylonrat discovery persistence trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Executes dropped EXE 2 IoCs

pid	Process
384	client.exe
3464	client.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	zzzz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5472-0-0x0000000000F00000-0x0000000000FF3000-memory.dmp	upx
behavioral2/files/0x0008000000024283-3.dat	upx
behavioral2/memory/384-5-0x0000000000950000-0x0000000000A43000-memory.dmp	upx
behavioral2/memory/5472-7-0x0000000000F00000-0x0000000000FF3000-memory.dmp	upx
behavioral2/memory/384-9-0x0000000000950000-0x0000000000A43000-memory.dmp	upx
behavioral2/memory/384-10-0x0000000000950000-0x0000000000A43000-memory.dmp	upx
behavioral2/memory/3464-12-0x0000000000950000-0x0000000000A43000-memory.dmp	upx
behavioral2/memory/384-13-0x0000000000950000-0x0000000000A43000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
384	client.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5472	zzzz.exe
Token: SeDebugPrivilege	5472	zzzz.exe
Token: SeTcbPrivilege	5472	zzzz.exe
Token: SeShutdownPrivilege	384	client.exe
Token: SeDebugPrivilege	384	client.exe
Token: SeTcbPrivilege	384	client.exe
Token: SeShutdownPrivilege	3464	client.exe
Token: SeDebugPrivilege	3464	client.exe
Token: SeTcbPrivilege	3464	client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
384	client.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5472 wrote to memory of 384	5472	zzzz.exe	85
PID 5472 wrote to memory of 384	5472	zzzz.exe	85
PID 5472 wrote to memory of 384	5472	zzzz.exe	85
PID 384 wrote to memory of 3464	384	client.exe	86
PID 384 wrote to memory of 3464	384	client.exe	86
PID 384 wrote to memory of 3464	384	client.exe	86

C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5472
- C:\ProgramData\Babylon RAT\client.exe
  "C:\ProgramData\Babylon RAT\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\ProgramData\Babylon RAT\client.exe
    "C:\ProgramData\Babylon RAT\client.exe" 384
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Babylon RAT\client.exe

Filesize
439KB

MD5
91dfc3dc22ce12c3cb94b2afb29735f9

SHA1
4478a7cca636b5163e24328478f6c654ffc02184

SHA256
66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a

SHA512
6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9

Download Submit
memory/384-5-0x0000000000950000-0x0000000000A43000-memory.dmp

Filesize
972KB

Download
memory/384-9-0x0000000000950000-0x0000000000A43000-memory.dmp

Filesize
972KB

Download
memory/384-10-0x0000000000950000-0x0000000000A43000-memory.dmp

Filesize
972KB

Download
memory/384-13-0x0000000000950000-0x0000000000A43000-memory.dmp

Filesize
972KB

Download
memory/3464-12-0x0000000000950000-0x0000000000A43000-memory.dmp

Filesize
972KB

Download
memory/5472-0-0x0000000000F00000-0x0000000000FF3000-memory.dmp

Filesize
972KB

Download
memory/5472-7-0x0000000000F00000-0x0000000000FF3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads