General

  • Target

    2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch

  • Size

    4.8MB

  • Sample

    240626-rq1kvaycmg

  • MD5

    4c7afbccecb19ce4ed453f9c65fd36f1

  • SHA1

    42bea032c04be5ad23ee33209d710365afbaba62

  • SHA256

    82d7f059608bbf6bf8112dfaa2cfae570b4fa68aa56f3b48cd3673212fa19c52

  • SHA512

    914dd71f49e12d2c3f1928903c4903af0b40d3b50f7e7be313b8923a91bf6b6f544be6b100f8a20c709275612d21a5f898e4b6bb60cc70903f1559606c956d46

  • SSDEEP

    49152:1ur1PwvIyeo+j+E5p9vTiOHWdC9hHbxCM5Ems3pQMLxA7y:qVo+jXJzWdC9lXEmBMN3
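Before working from this report, confirm that the file on the bench is the one it describes. The following is an added example, not part of the sandbox report, that streams a file through the four hash algorithms listed above and returns any digest that differs from the report's values. The sample path is an assumption, and the demo at the bottom hashes a constructed byte string rather than the real sample; SSDEEP is not in the Python standard library, so that comparison is left to the ssdeep tool.

```python
"""Verify a local file against the digests published in the report above."""
from __future__ import annotations

import hashlib
from typing import Iterable

# Digests copied from the report's General section.
REPORT_HASHES = {
    "md5": "4c7afbccecb19ce4ed453f9c65fd36f1",
    "sha1": "42bea032c04be5ad23ee33209d710365afbaba62",
    "sha256": "82d7f059608bbf6bf8112dfaa2cfae570b4fa68aa56f3b48cd3673212fa19c52",
    "sha512": "914dd71f49e12d2c3f1928903c4903af0b40d3b50f7e7be313b8923a91bf6b6f"
              "544be6b100f8a20c709275612d21a5f898e4b6bb60cc70903f1559606c956d46",
}


def digest_chunks(chunks: Iterable[bytes]) -> dict[str, str]:
    """Feed every chunk to all four hashers in one pass and return hex digests."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict[str, str]:
    return digest_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Hash a file without loading it whole; 4.8MB is small, but droppers are not always."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def verify(observed: dict[str, str], expected: dict[str, str] = REPORT_HASHES) -> dict[str, tuple[str, str]]:
    """Return {algorithm: (observed, expected)} for every digest that does not match.

    An empty dict means the file is byte-for-byte the sample in the report.
    Comparison is case-insensitive because tools print hex in either case.
    """
    return {
        name: (observed.get(name, ""), exp)
        for name, exp in expected.items()
        if observed.get(name, "").lower() != exp.lower()
    }


if __name__ == "__main__":
    # Constructed stand-in for the sample; it will not match, which is the point of the check.
    # Replace with hash_file(r"C:\samples\poet-rat_snatch.exe") on a real bench (path assumed).
    mismatches = verify(hash_bytes(b"not the sample"))
    for algo, (got, want) in mismatches.items():
        print(f"{algo}: got {got[:16]}... expected {want[:16]}...")
    print("match" if not mismatches else f"{len(mismatches)} digest(s) differ")
```

Any single mismatch is decisive: a file that differs in one byte fails every algorithm, so a partial match almost always means a typo in the expected value rather than a near-identical sample. Similarity between related droppers is what the SSDEEP value is for, and `ssdeep -d` over a directory of samples is the quickest way to use it.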

Malware Config

Extracted

Family

babylonrat

C2

147.185.221.20

Targets

    • Target

      2024-06-26_4c7afbccecb19ce4ed453f9c65fd36f1_poet-rat_snatch

    • Babylon RAT

      Babylon RAT is a remote access trojan written in C++.

    • Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1
  • PowerShell (T1059.001): 1
  • Scheduled Task/Job (T1053): 1
  • Scheduled Task (T1053.005): 1

Persistence

  • Scheduled Task/Job (T1053): 1
  • Scheduled Task (T1053.005): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1
  • Scheduled Task (T1053.005): 1

Defense Evasion

  • Subvert Trust Controls (T1553): 1
  • Install Root Certificate (T1553.004): 1
  • Modify Registry (T1112): 1

Command and Control

  • Web Service (T1102): 1
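Reading the signatures and the matrix together gives a small rule set: PowerShell adding Defender exclusions (T1059.001), the same exclusions written straight into the registry (T1112), scheduled-task creation (T1053.005), a certificate pushed into a Root store (T1553.004), and connections to the extracted C2 address. The following is an added example, not part of the report and not any sandbox's own detection code, that runs such rules over constructed process-creation and network records. The record layout, field names, regular expressions and sample command lines are assumptions; only the technique IDs and the C2 address come from the report. Decoding of `-EncodedCommand` payloads is included because that is how the Defender-exclusion command usually reaches the log.

```python
"""Tag command-line and network telemetry with the techniques listed in the report above."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

C2_IP = "147.185.221.20"  # extracted config from the report


@dataclass(frozen=True)
class Rule:
    technique: str  # ATT&CK ID as listed in the report's matrix
    name: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    ts: str
    technique: str
    name: str
    evidence: str


RULES = [
    # Signature: "Runs PowerShell to modify Windows Defender settings, adding exclusions".
    Rule("T1059.001", "PowerShell adds a Defender exclusion",
         re.compile(r"(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)", re.I)),
    # Same outcome without the cmdlet: the exclusion keys written directly.
    Rule("T1112", "Defender exclusion written straight into the registry",
         re.compile(r"Windows Defender\\Exclusions\\(?:Paths|Extensions|Processes)", re.I)),
    Rule("T1053.005", "Scheduled task created from the command line",
         re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)),
    Rule("T1553.004", "Certificate added to a Root store",
         re.compile(r"certutil(?:\.exe)?\b.*?-addstore\b.*?\broot\b"
                    r"|Cert:\\(?:LocalMachine|CurrentUser)\\Root", re.I)),
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the common spellings
# are covered. The payload is base64 of UTF-16LE text, so it is decoded that way.
ENCODED_ARG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def expand_command_line(cmdline: str) -> list[str]:
    """Return the command line plus the decoded text of any -EncodedCommand payload."""
    texts = [cmdline]
    for token in ENCODED_ARG.findall(cmdline):
        try:
            texts.append(base64.b64decode(token, validate=True).decode("utf-16-le"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            continue
    return texts


def scan_command_line(ts: str, cmdline: str) -> list[Finding]:
    """Apply every rule to the raw and decoded forms of one command line."""
    found = []
    for text in expand_command_line(cmdline):
        for rule in RULES:
            if rule.pattern.search(text):
                found.append(Finding(ts, rule.technique, rule.name, text))
    return found


def scan_events(events: list[dict]) -> list[Finding]:
    """Run the rules over process records and flag connections to the report's C2."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(scan_command_line(ev["ts"], ev["cmdline"]))
        elif ev["type"] == "network" and ev["dst"] == C2_IP:
            findings.append(Finding(ev["ts"], "C2", "Connection to the extracted C2 address",
                                    f'{ev["dst"]}:{ev["dport"]}'))
    return findings


# Constructed telemetry shaped after the report's signatures; not real sandbox output.
ENCODED_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'svchost.exe'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "ts": "t1", "cmdline": r"powershell -NoP -W Hidden -Command Add-MpPreference -ExclusionPath 'C:\Users\Public' -ExclusionExtension exe"},
    {"type": "process", "ts": "t2", "cmdline": f"powershell.exe -NoP -enc {ENCODED_PAYLOAD}"},
    {"type": "process", "ts": "t3", "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ProgramData\upd /t REG_DWORD /d 0 /f'},
    {"type": "process", "ts": "t4", "cmdline": r'schtasks /create /tn Updater /tr "C:\ProgramData\upd\client.exe" /sc minute /mo 5'},
    {"type": "process", "ts": "t5", "cmdline": r"certutil -addstore -f root C:\ProgramData\upd\ca.cer"},
    {"type": "process", "ts": "t6", "cmdline": "powershell Get-MpPreference"},  # benign control
    {"type": "process", "ts": "t7", "cmdline": "schtasks /query /fo LIST"},     # benign control
    {"type": "network", "ts": "t8", "dst": C2_IP, "dport": 443},
    {"type": "network", "ts": "t9", "dst": "10.0.0.5", "dport": 445},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.technique:10} {f.name}: {f.evidence[:60]}")
```

The evidence field carries the decoded text for encoded commands, which is what an analyst needs to see; on hosts with script block logging (event 4104) the decoded script arrives already expanded and the same rules apply to that field. The T1102 entry in the matrix (legitimate hosting abused for payload delivery) is not covered here because it needs the download URL, which this report does not list.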

Tasks