Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-01-2024 12:34
Static task: static1

Behavioral task: behavioral1
- Sample: 7a446891f4ae4bfb463e960e16a8a65a.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 7a446891f4ae4bfb463e960e16a8a65a.exe
- Resource: win10v2004-20231215-en
General
- Target: 7a446891f4ae4bfb463e960e16a8a65a.exe
- Size: 272KB
- MD5: 7a446891f4ae4bfb463e960e16a8a65a
- SHA1: 96c03e22edbb7e22e4a8e37e0962dfda87158517
- SHA256: 2446229f6d118aea0521cb7987564c009c34faa50ddf292e23bc5b5ae020e8ad
- SHA512: c1c0711d8da7e42f6d8457307a858cb867ebf76cbdf52002c3270dfc8bfe4475daae066e177a98fe6aace32b2eba5b417d505069049d3c44a121cff0d4e0d4d9
- SSDEEP: 3072:8IargcXEjCWZPZd/gitOOBXSrbwoUmqZYscJSiMe3oJa8QJfHy9rrX2+YqMunCKV:8Io5oBq321owo33zJPAMuCKczll6
Malware Config
Extracted
- Family: xtremerat
- C2: becha.no-ip.biz
Signatures

Detect XtremeRAT payload (7 IoCs)
resource / yara_rule:
- behavioral1/memory/2372-4-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
- behavioral1/memory/2372-8-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
- behavioral1/memory/2372-9-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
- behavioral1/memory/2372-5-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
- behavioral1/memory/2192-12-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
- behavioral1/memory/2372-13-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
- behavioral1/memory/2192-14-0x0000000010000000-0x000000001004A000-memory.dmp: family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 1448 set thread context of 2372; pid 1448; 7a446891f4ae4bfb463e960e16a8a65a.exe; procid_target 28
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 1448; 7a446891f4ae4bfb463e960e16a8a65a.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description / pid / Process / procid_target:
- PID 1448 wrote to memory of 2372; pid 1448; 7a446891f4ae4bfb463e960e16a8a65a.exe; procid_target 28 (14 identical entries)
- PID 2372 wrote to memory of 2192; pid 2372; 7a446891f4ae4bfb463e960e16a8a65a.exe; procid_target 29 (5 identical entries)
- PID 2372 wrote to memory of 2764; pid 2372; 7a446891f4ae4bfb463e960e16a8a65a.exe; procid_target 30 (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe (PID 1448)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe (PID 2372, child of 1448)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2192, child of 2372)
      Command line: svchost.exe
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2764, child of 2372)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"