Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-09-2024 16:13
Behavioral task
behavioral1
Sample
0chRme.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
0chRme.exe
Resource
win7-20240903-en
General
-
Target
0chRme.exe
-
Size
804KB
-
MD5
418ccb1e17cffe26f54d479fba90c69e
-
SHA1
ed698e2f701579f79b73247663a50ecc508c1c29
-
SHA256
3f3cf4acef8a65b963a09424dca300d4f5b0e3959abd7a459fcd21d5e02becb8
-
SHA512
7abc69cedfc9cff630cd9434e5b995118e98d5cfb6be4a48cf3b25dbfbdc59e8d7684ec3831841eb0b6509bc0e9e08933ded9e3fde49e8fa1c5653c035a3c354
-
SSDEEP
12288:6LdcfxaeM6fy/KaVUtgKkTZ73coNRJ1F:6kIZGSAtgN+eJ1F
Malware Config
Extracted
babylonrat
149.28.19.207
fund.sekretariatparti.org
Signatures
-
Babylon RAT
Babylon RAT is remote access trojan written in C++.
-
resource yara_rule behavioral2/memory/1832-0-0x0000000000870000-0x0000000000939000-memory.dmp upx behavioral2/memory/1832-1-0x0000000000870000-0x0000000000939000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0chRme.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1832 0chRme.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeShutdownPrivilege 1832 0chRme.exe Token: SeDebugPrivilege 1832 0chRme.exe Token: SeTcbPrivilege 1832 0chRme.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1832 0chRme.exe