Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27/12/2023, 01:52

General

  • Target

    9bfd251b49758150859e74e9c911f8af.exe

  • Size

    116KB

  • MD5

    9bfd251b49758150859e74e9c911f8af

  • SHA1

    e684820c6df57b58f5a6b57a5189352db803900e

  • SHA256

    3a3004d6d306fb7154b4289bed3e094260ca11f9a97c38f1e5c3dc0640194a05

  • SHA512

    eb130d40667b5391a8c048fef19fc38827cc85564ed5f17a76ba3323550dfdc9c1be3b6b98e3022fdb391ececcb5896a76d8e82c3e1cc45fe15795cd0dcca39a

  • SSDEEP

    3072:zayVOR0es5BCMQgnwbbNkewDXEj+fXHh4U4wwPvF0Zev+P27i4pCrYOqkL:zayVOR0es5BCMQgnwbRkewDXEKvHVYy

Malware Config

Extracted

Family

xtremerat

C2

black100.no-ip.biz

cantstop.no-ip.biz

Signatures

  • Detect XtremeRAT payload 5 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe
    "C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe
      "C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe
        3⤵
          PID:2848
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
            PID:2880

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2080-4-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2080-7-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2080-8-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2080-9-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2080-13-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2412-0-0x0000000000400000-0x0000000000419000-memory.dmp

              Filesize

              100KB

            • memory/2412-3-0x0000000000250000-0x0000000000269000-memory.dmp

              Filesize

              100KB

            • memory/2412-5-0x0000000000400000-0x0000000000419000-memory.dmp

              Filesize

              100KB

            • memory/2848-10-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2848-12-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB

            • memory/2848-14-0x0000000010000000-0x0000000010049000-memory.dmp

              Filesize

              292KB