Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27/12/2023, 01:52
Static task: static1
Behavioral task: behavioral1
    Sample: 9bfd251b49758150859e74e9c911f8af.exe
    Resource: win7-20231215-en
Behavioral task: behavioral2
    Sample: 9bfd251b49758150859e74e9c911f8af.exe
    Resource: win10v2004-20231215-en
General
Target: 9bfd251b49758150859e74e9c911f8af.exe
Size: 116KB
MD5: 9bfd251b49758150859e74e9c911f8af
SHA1: e684820c6df57b58f5a6b57a5189352db803900e
SHA256: 3a3004d6d306fb7154b4289bed3e094260ca11f9a97c38f1e5c3dc0640194a05
SHA512: eb130d40667b5391a8c048fef19fc38827cc85564ed5f17a76ba3323550dfdc9c1be3b6b98e3022fdb391ececcb5896a76d8e82c3e1cc45fe15795cd0dcca39a
SSDEEP: 3072:zayVOR0es5BCMQgnwbbNkewDXEj+fXHh4U4wwPvF0Zev+P27i4pCrYOqkL:zayVOR0es5BCMQgnwbRkewDXEKvHVYy
Malware Config
Extracted
Family: xtremerat
C2: black100.no-ip.biz
C2: cantstop.no-ip.biz
Signatures

Detect XtremeRAT payload 5 IoCs
resource                                                                     yara_rule
behavioral1/memory/2080-8-0x0000000010000000-0x0000000010049000-memory.dmp   family_xtremerat
behavioral1/memory/2080-9-0x0000000010000000-0x0000000010049000-memory.dmp   family_xtremerat
behavioral1/memory/2848-12-0x0000000010000000-0x0000000010049000-memory.dmp  family_xtremerat
behavioral1/memory/2080-13-0x0000000010000000-0x0000000010049000-memory.dmp  family_xtremerat
behavioral1/memory/2848-14-0x0000000010000000-0x0000000010049000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

resource                                                                     yara_rule
behavioral1/memory/2080-4-0x0000000010000000-0x0000000010049000-memory.dmp   upx
behavioral1/memory/2080-7-0x0000000010000000-0x0000000010049000-memory.dmp   upx
behavioral1/memory/2080-8-0x0000000010000000-0x0000000010049000-memory.dmp   upx
behavioral1/memory/2080-9-0x0000000010000000-0x0000000010049000-memory.dmp   upx
behavioral1/memory/2848-12-0x0000000010000000-0x0000000010049000-memory.dmp  upx
behavioral1/memory/2080-13-0x0000000010000000-0x0000000010049000-memory.dmp  upx
behavioral1/memory/2848-14-0x0000000010000000-0x0000000010049000-memory.dmp  upx
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                procid_target
PID 2412 set thread context of 2080  2412  9bfd251b49758150859e74e9c911f8af.exe  28
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2412  9bfd251b49758150859e74e9c911f8af.exe
Suspicious use of WriteProcessMemory 19 IoCs
description                        pid   Process                                procid_target
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2412 wrote to memory of 2080   2412  9bfd251b49758150859e74e9c911f8af.exe  28
PID 2080 wrote to memory of 2848   2080  9bfd251b49758150859e74e9c911f8af.exe  29
PID 2080 wrote to memory of 2848   2080  9bfd251b49758150859e74e9c911f8af.exe  29
PID 2080 wrote to memory of 2848   2080  9bfd251b49758150859e74e9c911f8af.exe  29
PID 2080 wrote to memory of 2848   2080  9bfd251b49758150859e74e9c911f8af.exe  29
PID 2080 wrote to memory of 2848   2080  9bfd251b49758150859e74e9c911f8af.exe  29
PID 2080 wrote to memory of 2880   2080  9bfd251b49758150859e74e9c911f8af.exe  30
PID 2080 wrote to memory of 2880   2080  9bfd251b49758150859e74e9c911f8af.exe  30
PID 2080 wrote to memory of 2880   2080  9bfd251b49758150859e74e9c911f8af.exe  30
PID 2080 wrote to memory of 2880   2080  9bfd251b49758150859e74e9c911f8af.exe  30
PID 2080 wrote to memory of 2880   2080  9bfd251b49758150859e74e9c911f8af.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe"
    PID: 2412
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9bfd251b49758150859e74e9c911f8af.exe"
        PID: 2080
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
            Command line: svchost.exe
            PID: 2848
        C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            PID: 2880