| download: | Babylon9_setup.exe |
| Full analysis: | https://app.any.run/tasks/6270810d-542c-47f2-9002-72105bad138d |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | April 17, 2020, 12:11:56 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 114C1819AC1A7B330092EA44CF058212 |
| SHA1: | 5E59760036D1FD526594617DEF86F2FD7B5C8F0F |
| SHA256: | 7816CF12675869A2639E12394AC2C8A54AFBDC79AA34D45A3EA24CC3142D8572 |
| SSDEEP: | 24576:JCkS+gyGXENGKikh7INcIsTN9ACGSc0w3Yw2W7xF:JCP/yHukWmInCG7DY6xF |
MALICIOUS
Actions looks like stealing of personal data
- Babylon9_setup.exe (PID: 2240)
- Setup.exe (PID: 2640)
Loads dropped or rewritten executable
- rundll32.exe (PID: 3760)
- rundll32.exe (PID: 4004)
- rundll32.exe (PID: 2756)
- rundll32.exe (PID: 3948)
- rundll32.exe (PID: 3852)
- rundll32.exe (PID: 2808)
- rundll32.exe (PID: 3500)
- rundll32.exe (PID: 3844)
- rundll32.exe (PID: 3408)
- rundll32.exe (PID: 3248)
Application was dropped or rewritten from another process
- Setup.exe (PID: 2640)
BABYLON was detected
- Setup.exe (PID: 2640)
Changes internet zones settings
- iexplore.exe (PID: 2488)
Changes settings of System certificates
- Setup.exe (PID: 2640)
SUSPICIOUS
Executable content was dropped or overwritten
- Babylon9_setup.exe (PID: 2240)
- Setup.exe (PID: 2640)
Creates files in the user directory
- Setup.exe (PID: 2640)
Reads Internet Cache Settings
- rundll32.exe (PID: 4004)
- rundll32.exe (PID: 3760)
- IELowutil.exe (PID: 3040)
- Setup.exe (PID: 2640)
- rundll32.exe (PID: 3948)
- rundll32.exe (PID: 2756)
- rundll32.exe (PID: 3844)
- rundll32.exe (PID: 3500)
- rundll32.exe (PID: 3852)
- rundll32.exe (PID: 3408)
- rundll32.exe (PID: 2808)
- iexplore.exe (PID: 2488)
- rundll32.exe (PID: 3248)
Uses RUNDLL32.EXE to load library
- Setup.exe (PID: 2640)
Reads internet explorer settings
- Setup.exe (PID: 2640)
Starts Internet Explorer
- Setup.exe (PID: 2640)
- iexplore.exe (PID: 2488)
Changes the started page of IE
- Setup.exe (PID: 2640)
Application launched itself
- iexplore.exe (PID: 2488)
Adds / modifies Windows certificates
- Setup.exe (PID: 2640)
INFO
Creates files in the user directory
- iexplore.exe (PID: 1800)
Reads Internet Cache Settings
- iexplore.exe (PID: 1800)
Reads internet explorer settings
- iexplore.exe (PID: 1800)
Reads settings of System Certificates
- Setup.exe (PID: 2640)
- iexplore.exe (PID: 1800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2011:08:18 09:34:47+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 9728 |
| InitializedDataSize: | 904704 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1454 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.0.3.21 |
| ProductVersionNumber: | 9.0.3.21 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Babylon Ltd. |
| FileDescription: | Babylon Client Setup |
| FileVersion: | 1.0.9.0 |
| InternalName: | Babylon Setup |
| LegalCopyright: | 2011(c) Babylon Ltd. All rights reserved. |
| OriginalFileName: | Setup_Stub.exe |
| ProductName: | Babylon Client Setup 1.0 |
| PackagerVersion: | 1.0.9 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 18-Aug-2011 07:34:47 |
| Detected languages: |
|
| Debug artifacts: |
|
| CompanyName: | Babylon Ltd. |
| FileDescription: | Babylon Client Setup |
| FileVersion: | 1.0.9.0 |
| InternalName: | Babylon Setup |
| LegalCopyright: | 2011(c) Babylon Ltd. All rights reserved. |
| OriginalFilename: | Setup_Stub.exe |
| ProductName: | Babylon Client Setup 1.0 |
| PackagerVersion: | 1.0.9 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000D8 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 18-Aug-2011 07:34:47 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0000245F | 0x00002600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.41193 |
.rdata | 0x00004000 | 0x000005B6 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.57492 |
.data | 0x00005000 | 0x00000B0C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.16299 |
.rsrc | 0x00006000 | 0x000DC25C | 0x000DC400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.99637 |
.reloc | 0x000E3000 | 0x00000160 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.20512 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.77792 | 357 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.99049 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.84835 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 6.06094 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 3.79772 | 1640 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 5.78793 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
FILES | 7.99981 | 889780 | Latin 1 / Western European | UNKNOWN | RT_RCDATA |
IDI_INSTALLER | 2.86669 | 90 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
Imports
KERNEL32.dll |
SHLWAPI.dll |
USER32.dll |
ole32.dll |
Total processes
55
Monitored processes
16
Malicious processes
9
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1800 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2488 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2240 | "C:\Users\admin\AppData\Local\Temp\Babylon9_setup.exe" | C:\Users\admin\AppData\Local\Temp\Babylon9_setup.exe | explorer.exe | ||||||||||||
User: admin Company: Babylon Ltd. Integrity Level: HIGH Description: Babylon Client Setup Exit code: 0 Version: 1.0.9.0 Modules
| |||||||||||||||
| 2488 | http://www.babylon.com/redirects/redir.cgi?no_policy=1&type=inst_fallback&lang=0&ver=9.0.3.35&sutp=20&sufl=0&dnld=0&dcnt=3&dtot=3&iev=9&ffv=68&dwb=ie | C:\Program Files\Internet Explorer\iexplore.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
| 2640 | "C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\Setup.exe" | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\Setup.exe | Babylon9_setup.exe | ||||||||||||
User: admin Company: Babylon Ltd. Integrity Level: HIGH Description: Setup Application Exit code: 3 Version: 9.0.3.35 Modules
| |||||||||||||||
| 2756 | rundll32.exe C:\Users\admin\AppData\Local\Temp\C32818~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache visitorID|http://babylon.com | C:\Windows\system32\rundll32.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2808 | rundll32.exe C:\Users\admin\AppData\Local\Temp\C32818~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon.com | C:\Windows\system32\rundll32.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3040 | "C:\Program Files\Internet Explorer\IELowutil.exe" -PID:123 | C:\Program Files\Internet Explorer\IELowutil.exe | — | rundll32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Low-Mic Utility Tool Exit code: 0 Version: 11.00.9600.17840 (winblue_r11.150522-0826) Modules
| |||||||||||||||
| 3248 | rundll32.exe C:\Users\admin\AppData\Local\Temp\C32818~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache trkInfo|http://babylon.com | C:\Windows\system32\rundll32.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3408 | rundll32.exe C:\Users\admin\AppData\Local\Temp\C32818~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon.com | C:\Windows\system32\rundll32.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3468 | "C:\Users\admin\AppData\Local\Temp\Babylon9_setup.exe" | C:\Users\admin\AppData\Local\Temp\Babylon9_setup.exe | — | explorer.exe | |||||||||||
User: admin Company: Babylon Ltd. Integrity Level: MEDIUM Description: Babylon Client Setup Exit code: 3221226540 Version: 1.0.9.0 | |||||||||||||||
Total events
2 766
Read events
1 172
Write events
1 585
Delete events
9
Modification events
| (PID) Process: | (3760) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3760) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3760) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3760) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2640) Setup.exe | Key: | HKEY_CURRENT_USER\Software\BabyTest |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (2640) Setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\BabyTest |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (2640) Setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Test.cap |
| Operation: | delete key | Name: | |
Value: | |||
| (PID) Process: | (4004) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (4004) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (4004) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
Executable files
22
Suspicious files
124
Text files
74
Unknown types
20
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\bab909.skip.dat | binary | |
MD5:— | SHA256:— | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\page2.js | text | |
MD5:— | SHA256:— | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\page1.css | text | |
MD5:D4C0D08D93A6DD53B2CE883F4AD8F22C | SHA256:360FC111E7210A166E739B2ECD666E7C612F3C8871DC0A6E854E6613FE8E0A18 | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\BExternal.dll | executable | |
MD5:D42AC5E3ECBD76776A4E4F0A57039401 | SHA256:6052B6BCCBE5354BD46F4AC69F2EF9D62E39F0D0B5A00A2D8C85A1197486B498 | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\eula.html | html | |
MD5:1636D09667D7915D32F5C1B157942D70 | SHA256:1815293D1D5E20D2798A09938212F92647D5E9096C75C566B75A61FE04B0B2B9 | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\common.js | html | |
MD5:61326FE65B7AB277221D5FD3C3D8154F | SHA256:055CC4086E5C6F5991AAB46999CB147C155A1B4BD4675B1FE673CCC8527DBD07 | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\cmbx.png | image | |
MD5:F42EF9814569EC9F8C120D0ED4914326 | SHA256:F7C80D69AEFE9999BDB82E1FADD400945D8E0BC958CFBEB23DD8D2F547A58E0E | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\Babylon.dat | binary | |
MD5:8E6B33A7F03E2693A614002587A35DDD | SHA256:504BAA961BFC83A0DA0A7B5AB45F713A81B06642602F3D4C032FAE8A1391BE30 | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\page2.html | html | |
MD5:0600FEA401BC17F17898655B334BB780 | SHA256:67F92F162A4CA44CE3E8A51383CD60E4A6B041D15C5660E7B326E8B1CB9E3346 | |||
| 2240 | Babylon9_setup.exe | C:\Users\admin\AppData\Local\Temp\C32818B7-BAB0-7891-90C9-69AC995B44C8\HtmlScreens\page2Lrg.css | text | |
MD5:3100155EA6E7151EE06AFC80F073B02C | SHA256:BD0437FC8CDAB734DFBC7381112BAF03AC38EE05D3247AE13B0AAE339B9E4FB3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
43
DNS requests
18
Threats
16
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2640 | Setup.exe | GET | 200 | 216.104.42.92:80 | http://dl.babsft.com/site/files/Setup9/dwr/DefaultClient/DefaultClient/3.0.9/ClientAddon.zpb | US | binary | 144 Kb | malicious |
2640 | Setup.exe | GET | 200 | 184.154.27.235:80 | http://info.babylon.com/setup/setup.html?no_policy=1&type=setup_prog_img&lang=0no_policy=1&lang=1 | US | html | 392 b | malicious |
2640 | Setup.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 b | whitelisted |
2640 | Setup.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D | US | der | 727 b | whitelisted |
2640 | Setup.exe | GET | 200 | 216.104.42.92:80 | http://dl.babsft.com/site/files/Setup9/dwr/DefaultClient/DefaultClient/3.0.9/Setup-client.zpb | US | binary | 4.44 Mb | malicious |
2640 | Setup.exe | GET | 404 | 216.104.42.92:80 | http://dl.babsft.com/site/files/Setup9/dwr/Category/full/uninstbb.zpb | US | html | 169 b | malicious |
2640 | Setup.exe | GET | 302 | 216.58.207.46:80 | http://www.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=1345101014&utmhn=info.babylon.com&utmcs=windows-1252&utmsr=1280x720&utmvp=525x211&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=26.0%20r0&utmhid=1971423270&utmr=-&utmp=%2Fsetup%2Fsetup.html%3Fno_policy%3D1%26type%3Dsetup_prog_img%26lang%3D0no_policy%3D1%26lang%3D1&utmht=1587125549655&utmac=UA-34701345-1&utmcc=__utma%3D216259150.315709172.1587125550.1587125550.1587125550.1%3B%2B__utmz%3D216259150.1587125550.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=1055053910&utmredir=1&utmu=DAAAAAAAAAAAAAAAAAAAAAAE~ | US | html | 370 b | whitelisted |
2640 | Setup.exe | GET | 200 | 184.154.27.235:80 | http://info.babylon.com/setup/downloader.php?ver=9.0.3.35&lang=en&sutp=20&sufl=0&wbs=7&dwb=ie&prver=0&iev=9&tbtp=mntr903&tball=1&zpb=1&geo=1&cntry=US&&guid={AE1C40F6-2F09-4802-98F0-445399EEC8B5} | US | text | 261 b | malicious |
2640 | Setup.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQC5g0g8l6k%2FKQIAAAAAYQBa | US | der | 472 b | whitelisted |
2640 | Setup.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEDq7j9aypG5Hm9CkSn3CimE%3D | US | der | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2640 | Setup.exe | 198.20.96.179:80 | www.babylon.com | SingleHop, Inc. | NL | malicious |
2640 | Setup.exe | 198.20.106.254:80 | www.babylon-software.com | SingleHop, Inc. | NL | malicious |
2640 | Setup.exe | 198.20.106.254:443 | www.babylon-software.com | SingleHop, Inc. | NL | malicious |
2640 | Setup.exe | 184.154.27.235:80 | info.babylon.com | SingleHop, Inc. | US | malicious |
2640 | Setup.exe | 216.104.42.92:80 | dl.babsft.com | SingleHop, Inc. | US | malicious |
2640 | Setup.exe | 216.58.207.46:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
2640 | Setup.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
1800 | iexplore.exe | 198.20.96.164:80 | search.babylon.com | SingleHop, Inc. | NL | unknown |
1800 | iexplore.exe | 209.197.3.7:443 | e5h8d2f9.map2.ssl.hwcdn.net | Highwinds Network Group, Inc. | US | unknown |
1800 | iexplore.exe | 172.217.23.98:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.babylon.com |
| malicious |
www.babylon-software.com |
| malicious |
info.babylon.com |
| malicious |
dl.babsft.com |
| malicious |
www.google-analytics.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
img.babylon.com |
| unknown |
stats.g.doubleclick.net |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |
2640 | Setup.exe | Misc activity | SUSPICIOUS [PTsecurity] Possible TrojanDownloader |
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |
2640 | Setup.exe | Misc activity | SUSPICIOUS [PTsecurity] Possible TrojanDownloader |
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |
2640 | Setup.exe | Misc activity | SUSPICIOUS [PTsecurity] Possible TrojanDownloader |
2640 | Setup.exe | Potential Corporate Privacy Violation | ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) |