Analysis Overview
SHA256
66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a
Threat Level: Known bad
The file zzzz.exe was found to be: Known bad.
Malicious Activity Summary
Babylonrat family
Babylon RAT
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-15 09:08
Signatures
Babylonrat family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-15 09:08
Reported
2025-03-15 09:10
Platform
win7-20241023-en
Max time kernel
145s
Max time network
122s
Command Line
Signatures
Babylon RAT
Babylonrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2916 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2916 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2916 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2916 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2812 wrote to memory of 2960 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2812 wrote to memory of 2960 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2812 wrote to memory of 2960 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2812 wrote to memory of 2960 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe" 2812
Network
Files
memory/2916-0-0x0000000000AB0000-0x0000000000BA3000-memory.dmp
\ProgramData\Babylon RAT\client.exe
| Hash | Value |
| --- | --- |
| MD5 | 91dfc3dc22ce12c3cb94b2afb29735f9 |
| SHA1 | 4478a7cca636b5163e24328478f6c654ffc02184 |
| SHA256 | 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a |
| SHA512 | 6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9 |
memory/2812-9-0x00000000001B0000-0x00000000002A3000-memory.dmp
memory/2916-8-0x0000000000AB0000-0x0000000000BA3000-memory.dmp
memory/2916-6-0x0000000002650000-0x0000000002743000-memory.dmp
memory/2812-13-0x00000000001B0000-0x00000000002A3000-memory.dmp
memory/2812-14-0x0000000002CE0000-0x0000000002DD3000-memory.dmp
memory/2960-17-0x00000000001B0000-0x00000000002A3000-memory.dmp
memory/2812-20-0x00000000001B0000-0x00000000002A3000-memory.dmp
memory/2812-22-0x00000000001B0000-0x00000000002A3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-15 09:08
Reported
2025-03-15 09:10
Platform
win10v2004-20250314-en
Max time kernel
148s
Max time network
111s
Command Line
Signatures
Babylon RAT
Babylonrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5472 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 5472 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 5472 wrote to memory of 384 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 384 wrote to memory of 3464 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 384 wrote to memory of 3464 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 384 wrote to memory of 3464 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe" 384
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
Files
memory/5472-0-0x0000000000F00000-0x0000000000FF3000-memory.dmp
C:\ProgramData\Babylon RAT\client.exe
| Hash | Value |
| --- | --- |
| MD5 | 91dfc3dc22ce12c3cb94b2afb29735f9 |
| SHA1 | 4478a7cca636b5163e24328478f6c654ffc02184 |
| SHA256 | 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a |
| SHA512 | 6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9 |
memory/384-5-0x0000000000950000-0x0000000000A43000-memory.dmp
memory/5472-7-0x0000000000F00000-0x0000000000FF3000-memory.dmp
memory/384-9-0x0000000000950000-0x0000000000A43000-memory.dmp
memory/384-10-0x0000000000950000-0x0000000000A43000-memory.dmp
memory/3464-12-0x0000000000950000-0x0000000000A43000-memory.dmp
memory/384-13-0x0000000000950000-0x0000000000A43000-memory.dmp