Analysis
max time kernel: 124s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-01-2024 23:42
Behavioral task: behavioral1
Sample: 7b9731b71c1b7f94c0747406687c9f72.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 7b9731b71c1b7f94c0747406687c9f72.exe
Resource: win10v2004-20231222-en
General
Target: 7b9731b71c1b7f94c0747406687c9f72.exe
Size: 85KB
MD5: 7b9731b71c1b7f94c0747406687c9f72
SHA1: 24954377aba04ef528e8bee20ed1312ab2bfc0b4
SHA256: 8edf305ce7e4270c8d111fd9172b4168fbcf63e6bd7a53b937eb90d6b069d1b2
SHA512: 5071d35e13641a4ee2f6ada576dcbbd52b86b200fc82aa5e1786ac0e4f532069440718a08d47706a476b4bdc1683942e5a0ea458935ef4094e0a59e8366d784a
SSDEEP: 768:28m1Sq4NQErBsH1RzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiZKPA+7Xoh:Esq+QVcrObAdXWpf/y+7ozNwiGfEftog
Malware Config
Extracted
xtremerat
esam2at.no-ip.biz
Signatures

Detect XtremeRAT payload (3 IoCs)
resource                                                                    yara_rule
behavioral2/memory/4240-0-0x0000000010000000-0x000000001004F000-memory.dmp  family_xtremerat
behavioral2/memory/2492-1-0x0000000010000000-0x000000001004F000-memory.dmp  family_xtremerat
behavioral2/memory/4240-2-0x0000000010000000-0x000000001004F000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid   pid_target  Process       procid_target
3572  4240        WerFault.exe  87
1116  4240        WerFault.exe  87

Suspicious use of WriteProcessMemory (7 IoCs)
description                        pid   Process                               procid_target
PID 2492 wrote to memory of 4240   2492  7b9731b71c1b7f94c0747406687c9f72.exe  87
PID 2492 wrote to memory of 4240   2492  7b9731b71c1b7f94c0747406687c9f72.exe  87
PID 2492 wrote to memory of 4240   2492  7b9731b71c1b7f94c0747406687c9f72.exe  87
PID 2492 wrote to memory of 4240   2492  7b9731b71c1b7f94c0747406687c9f72.exe  87
PID 2492 wrote to memory of 1196   2492  7b9731b71c1b7f94c0747406687c9f72.exe  89
PID 2492 wrote to memory of 1196   2492  7b9731b71c1b7f94c0747406687c9f72.exe  89
PID 2492 wrote to memory of 1196   2492  7b9731b71c1b7f94c0747406687c9f72.exe  89
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\7b9731b71c1b7f94c0747406687c9f72.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7b9731b71c1b7f94c0747406687c9f72.exe"
  PID: 2492
  Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 4240
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 480
          PID: 3572
          Program crash
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 488
          PID: 1116
          Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 1196

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4240 -ip 4240
  PID: 840

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4240 -ip 4240
  PID: 2368