xtremerat | 0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092

Analysis

max time kernel
53s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 13:38

Target

0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe
Size

452KB
MD5

93c97ad9849b96517b157c6634ac0c70
SHA1

7a36c2739593ceb3b5f04fc91e3cf3497465364d
SHA256

0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092
SHA512

cccb3f1eb1789c5f93420eb06042c4ecd03708701c65b379854400e5ab401c2117e593ee95a3bfb335d81691ae0e32a7d12b5fecb16f2ee1e78894ec81e8cfaa
SSDEEP

6144:ebL0yiwta1lGuw8ylN3pPRELbgr5/iJd5hAy0nGE/xcEm/XfkbLmgRgrPd3iq:eP0yiwt7uvsTEIr5/0B/0nGEK/fr3i

Score

10^/10

Detect XtremeRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/620-134-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4764	620	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82
PID 3968 wrote to memory of 620	3968	0337777df94ae1fcb5a4fe325f1c83da026eb5985dae8fec90230ccd3f56c092.exe	82

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 620 -ip 620
1⤵
PID:1320

memory/620-134-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3968-132-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download
memory/3968-135-0x00000000748E0000-0x0000000074E91000-memory.dmp

Filesize
5.7MB

Download