Analysis

max time kernel:  155s
max time network: 184s
platform:         windows10-2004_x64
resource:         win10v2004-20231215-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted:        26/12/2023, 17:32
Static task: static1

Behavioral task: behavioral1
  Sample:   80ca7ba01d7d6b349d3525e4e97387a6.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   80ca7ba01d7d6b349d3525e4e97387a6.exe
  Resource: win10v2004-20231215-en
General

Target: 80ca7ba01d7d6b349d3525e4e97387a6.exe
Size:   256KB
MD5:    80ca7ba01d7d6b349d3525e4e97387a6
SHA1:   38b255b0b2f7a0f11fc373656ce75c1f663d9295
SHA256: 7870b07d5c8c8848860579a6e48c054aace2371e953013522356b2d425578d77
SHA512: b486206efc3062e641b0fff066a76faa748a17e92b448a4c42124fba6fdb33cab6e9348bffb1ca56e6e8ab562f5f59c7469bd41030615ea11596382fd83947b6
SSDEEP: 3072:9fiQUSKagWQdylnXdvPdv6loGvWz0GXlG1gqtYpwRQ5VuemEDlc:9dvPdvd0wlM/tYpwRQ5V3mED
Malware Config

Extracted
  Family: xtremerat
  C2:     princedz.no-ip.org
Signatures

Detect XtremeRAT payload (5 IoCs)

resource                                                                     yara_rule
behavioral2/memory/4216-5-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral2/memory/4216-6-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral2/memory/3312-7-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral2/memory/4216-8-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral2/memory/3312-9-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
XtremeRAT

XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

YARA rule matches: upx (7 IoCs)

resource                                                                     yara_rule
behavioral2/memory/4216-2-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral2/memory/4216-4-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral2/memory/4216-5-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral2/memory/4216-6-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral2/memory/3312-7-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral2/memory/4216-8-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral2/memory/3312-9-0x0000000010000000-0x000000001004D000-memory.dmp   upx
Suspicious use of SetThreadContext (2 IoCs)

description                           pid    Process                                procid_target
PID 2596 set thread context of 4216   2596   80ca7ba01d7d6b349d3525e4e97387a6.exe   95
PID 2596 set thread context of 0      2596   80ca7ba01d7d6b349d3525e4e97387a6.exe
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)

pid    pid_target   Process        procid_target
3488   3312         WerFault.exe   97
4472   3312         WerFault.exe   97
Suspicious use of SetWindowsHookEx (1 IoCs)

pid    Process
2596   80ca7ba01d7d6b349d3525e4e97387a6.exe
Suspicious use of WriteProcessMemory (20 IoCs)

description                        pid    Process                                procid_target   occurrences
PID 2596 wrote to memory of 4216   2596   80ca7ba01d7d6b349d3525e4e97387a6.exe   95              8
PID 2596 wrote to memory of 0      2596   80ca7ba01d7d6b349d3525e4e97387a6.exe                   5
PID 4216 wrote to memory of 3312   4216   80ca7ba01d7d6b349d3525e4e97387a6.exe   97              4
PID 4216 wrote to memory of 4496   4216   80ca7ba01d7d6b349d3525e4e97387a6.exe   98              3
Processes

Each entry is indented by its depth in the process tree; the number in brackets is the depth as reported.

[1] C:\Users\Admin\AppData\Local\Temp\80ca7ba01d7d6b349d3525e4e97387a6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\80ca7ba01d7d6b349d3525e4e97387a6.exe"
    PID: 2596
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\80ca7ba01d7d6b349d3525e4e97387a6.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\80ca7ba01d7d6b349d3525e4e97387a6.exe"
        PID: 4216
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\svchost.exe
            Command line: svchost.exe
            PID: 3312

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 492
                PID: 3488
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 244
                PID: 4472
                - Program crash

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
            PID: 4496

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3312 -ip 3312
    PID: 220

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3312 -ip 3312
    PID: 4552