babylonrat | 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a

Resubmissions

15/03/2025, 09:03

250315-kz39rsy1fx 10

15/03/2025, 09:02

250315-kzr7hay1e1 10

Analysis

max time kernel
14s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
15/03/2025, 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zzzz.exe
Size

439KB
MD5

91dfc3dc22ce12c3cb94b2afb29735f9
SHA1

4478a7cca636b5163e24328478f6c654ffc02184
SHA256

66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a
SHA512

6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9
SSDEEP

12288:VLdcfxaeM6fy/KaVUtgKkTZ73coNRJHwSuBzB0:dkIZGSAtgN+eJHwSuBzB0

Score

10^/10

babylonrat discovery persistence trojan upx

Malware Config

Signatures

Babylon RAT
Babylon RAT is remote access trojan written in C++.
trojan babylonrat
Babylonrat family
babylonrat

Executes dropped EXE 2 IoCs

pid	Process
2528	client.exe
5484	client.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe"	zzzz.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3344-0-0x0000000000480000-0x0000000000573000-memory.dmp	upx
behavioral1/files/0x000900000002817a-1.dat	upx
behavioral1/memory/2528-2-0x0000000000A20000-0x0000000000B13000-memory.dmp	upx
behavioral1/memory/3344-4-0x0000000000480000-0x0000000000573000-memory.dmp	upx
behavioral1/memory/5484-6-0x0000000000A20000-0x0000000000B13000-memory.dmp	upx
behavioral1/memory/2528-7-0x0000000000A20000-0x0000000000B13000-memory.dmp	upx
behavioral1/memory/2528-8-0x0000000000A20000-0x0000000000B13000-memory.dmp	upx
behavioral1/memory/5484-10-0x0000000000A20000-0x0000000000B13000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3344	zzzz.exe
Token: SeDebugPrivilege	3344	zzzz.exe
Token: SeTcbPrivilege	3344	zzzz.exe
Token: SeShutdownPrivilege	2528	client.exe
Token: SeDebugPrivilege	2528	client.exe
Token: SeTcbPrivilege	2528	client.exe
Token: SeShutdownPrivilege	5484	client.exe
Token: SeDebugPrivilege	5484	client.exe
Token: SeTcbPrivilege	5484	client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2528	client.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2528	3344	zzzz.exe	82
PID 3344 wrote to memory of 2528	3344	zzzz.exe	82
PID 3344 wrote to memory of 2528	3344	zzzz.exe	82
PID 2528 wrote to memory of 5484	2528	client.exe	83
PID 2528 wrote to memory of 5484	2528	client.exe	83
PID 2528 wrote to memory of 5484	2528	client.exe	83

C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344
- C:\ProgramData\Babylon RAT\client.exe
  "C:\ProgramData\Babylon RAT\client.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\ProgramData\Babylon RAT\client.exe
    "C:\ProgramData\Babylon RAT\client.exe" 2528
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Babylon RAT\client.exe

Filesize
439KB

MD5
91dfc3dc22ce12c3cb94b2afb29735f9

SHA1
4478a7cca636b5163e24328478f6c654ffc02184

SHA256
66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a

SHA512
6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9

Download Submit
memory/2528-2-0x0000000000A20000-0x0000000000B13000-memory.dmp

Filesize
972KB

Download
memory/2528-7-0x0000000000A20000-0x0000000000B13000-memory.dmp

Filesize
972KB

Download
memory/2528-8-0x0000000000A20000-0x0000000000B13000-memory.dmp

Filesize
972KB

Download
memory/3344-0-0x0000000000480000-0x0000000000573000-memory.dmp

Filesize
972KB

Download
memory/3344-4-0x0000000000480000-0x0000000000573000-memory.dmp

Filesize
972KB

Download
memory/5484-6-0x0000000000A20000-0x0000000000B13000-memory.dmp

Filesize
972KB

Download
memory/5484-10-0x0000000000A20000-0x0000000000B13000-memory.dmp

Filesize
972KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads