Analysis Overview
SHA256
66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a
Threat Level: Known bad
The file zzzz.exe was found to be: Known bad.
Malicious Activity Summary
Babylon RAT
Babylonrat family
Executes dropped EXE
Adds Run key to start application
UPX packed file
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-15 09:02
Signatures
Babylonrat family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-15 09:02
Reported
2025-03-15 09:03
Platform
win10ltsc2021-20250314-en
Max time kernel
14s
Command Line
Signatures
Babylon RAT
Babylonrat family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498259476-758239146-3116387113-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\Babylon RAT\client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3344 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 3344 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 3344 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\zzzz.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2528 wrote to memory of 5484 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2528 wrote to memory of 5484 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
| PID 2528 wrote to memory of 5484 | N/A | C:\ProgramData\Babylon RAT\client.exe | C:\ProgramData\Babylon RAT\client.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\zzzz.exe
"C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe"
C:\ProgramData\Babylon RAT\client.exe
"C:\ProgramData\Babylon RAT\client.exe" 2528
Network
Files
memory/3344-0-0x0000000000480000-0x0000000000573000-memory.dmp
C:\ProgramData\Babylon RAT\client.exe
| Hash | Value |
|---|---|
| MD5 | 91dfc3dc22ce12c3cb94b2afb29735f9 |
| SHA1 | 4478a7cca636b5163e24328478f6c654ffc02184 |
| SHA256 | 66e6eb7cf7be2d2f07adec4d17c143c6a58d56cda382da6ff918ebecc8ee807a |
| SHA512 | 6799e99a258f3c65ef511e5faf7f5b843a30f6ae0a8e6112505cf9fc09c12732f8147e8498922d8451af1c5f5a899e55da8ad68a6c6f0555e358d9b9ed9321a9 |
memory/2528-2-0x0000000000A20000-0x0000000000B13000-memory.dmp
memory/3344-4-0x0000000000480000-0x0000000000573000-memory.dmp
memory/5484-6-0x0000000000A20000-0x0000000000B13000-memory.dmp
memory/2528-7-0x0000000000A20000-0x0000000000B13000-memory.dmp
memory/2528-8-0x0000000000A20000-0x0000000000B13000-memory.dmp
memory/5484-10-0x0000000000A20000-0x0000000000B13000-memory.dmp