Analysis
- max time kernel: 93s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-01-2024 12:34
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 7a446891f4ae4bfb463e960e16a8a65a.exe
  Resource: win7-20231215-en
- Behavioral task: behavioral2
  Sample: 7a446891f4ae4bfb463e960e16a8a65a.exe
  Resource: win10v2004-20231215-en
General
- Target: 7a446891f4ae4bfb463e960e16a8a65a.exe
- Size: 272KB
- MD5: 7a446891f4ae4bfb463e960e16a8a65a
- SHA1: 96c03e22edbb7e22e4a8e37e0962dfda87158517
- SHA256: 2446229f6d118aea0521cb7987564c009c34faa50ddf292e23bc5b5ae020e8ad
- SHA512: c1c0711d8da7e42f6d8457307a858cb867ebf76cbdf52002c3270dfc8bfe4475daae066e177a98fe6aace32b2eba5b417d505069049d3c44a121cff0d4e0d4d9
- SSDEEP: 3072:8IargcXEjCWZPZd/gitOOBXSrbwoUmqZYscJSiMe3oJa8QJfHy9rrX2+YqMunCKV:8Io5oBq321owo33zJPAMuCKczll6
Malware Config
- Extracted family: xtremerat
- Extracted host (C2): becha.no-ip.biz
  A no-ip.biz dynamic-DNS name resolves to whatever address the operator last registered, so block and hunt on the hostname rather than on a resolved IP.
Signatures
- Detect XtremeRAT payload 7 IoCs
  resource                                                                     yara_rule
  behavioral2/memory/3684-4-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral2/memory/3684-5-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral2/memory/3684-7-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral2/memory/3684-8-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral2/memory/2352-9-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral2/memory/3684-10-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral2/memory/2352-11-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  All seven hits are the same 0x4A000-byte region at 0x10000000, dumped from the second instance of the sample (PID 3684) and from the svchost.exe it writes into (PID 2352). 0x10000000 is the default preferred image base of a 32-bit DLL, so one injected module present in both processes is the simplest reading of these hits.
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Suspicious use of SetThreadContext 1 IoCs
  description                          pid   process                                procid_target
  PID 400 set thread context of 3684   400   7a446891f4ae4bfb463e960e16a8a65a.exe   88
- Enumerates physical storage devices 1 TTP
  Attempts to interact with connected storage/optical drive(s).
- Program crash 2 IoCs
  pid    pid_target   process        procid_target
  3144   2352         WerFault.exe   89
  2672   2352         WerFault.exe   89
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid   process
  400   7a446891f4ae4bfb463e960e16a8a65a.exe
- Suspicious use of WriteProcessMemory 20 IoCs
  The 20 rows are grouped by writer/target pair; count is the number of logged calls.
  description                        pid    process                                procid_target   count
  PID 400 wrote to memory of 3684    400    7a446891f4ae4bfb463e960e16a8a65a.exe   88              13
  PID 3684 wrote to memory of 2352   3684   7a446891f4ae4bfb463e960e16a8a65a.exe   89              4
  PID 3684 wrote to memory of 1448   3684   7a446891f4ae4bfb463e960e16a8a65a.exe   90              3
  Read together with the SetThreadContext row, the 400 to 3684 writes are the process-hollowing sequence (a second copy of the sample is started, its memory is overwritten, its main thread's context is redirected). PID 3684 then writes into svchost.exe (2352), which is where the second family_xtremerat memory hit is found, and into msedge.exe (1448).
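The signature rows above are enough to reconstruct the injection chain mechanically. The following script is an added example, not part of the sandbox report: it parses rows in the shape shown above (the row format is assumed from this page, and the input rows are constructed from it with the same PIDs and counts), flags a writer that both writes into a process and resets its thread context as a hollowing candidate, flags writes whose target runs a different image than the writer, and correlates write targets with the in-memory YARA hits.

```python
"""Correlate WriteProcessMemory / SetThreadContext rows with memory-dump YARA hits.

Added example; not part of the sandbox report. Row formats are assumed from the
report's signature tables, and the rows below are constructed to match them.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "7a446891f4ae4bfb463e960e16a8a65a.exe"

# Constructed rows: 13 + 4 + 3 = 20 calls, the report's "20 IoCs".
WPM_ROWS = (
    [f"PID 400 wrote to memory of 3684 400 {SAMPLE} 88"] * 13
    + [f"PID 3684 wrote to memory of 2352 3684 {SAMPLE} 89"] * 4
    + [f"PID 3684 wrote to memory of 1448 3684 {SAMPLE} 90"] * 3
)
STC_ROWS = [f"PID 400 set thread context of 3684 400 {SAMPLE} 88"]
YARA_ROWS = [
    "behavioral2/memory/3684-4-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat",
    "behavioral2/memory/2352-9-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat",
]
# pid -> image name, taken from the report's process tree.
IMAGES = {400: SAMPLE, 3684: SAMPLE, 2352: "svchost.exe", 1448: "msedge.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) ")
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\S+)$")


def parse_pairs(rows, pattern):
    """Count (source_pid, target_pid) pairs for rows matching pattern."""
    pairs = Counter()
    for row in rows:
        m = pattern.match(row)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs


def parse_yara(rows):
    """Return {pid: [(start, end, rule), ...]} from memory-dump YARA hit rows."""
    hits = defaultdict(list)
    for row in rows:
        m = YARA_RE.search(row)
        if m:
            pid, start, end, rule = m.groups()
            hits[int(pid)].append((int(start, 16), int(end, 16), rule))
    return dict(hits)


def hollowing_candidates(writes, ctx):
    """Writer that both wrote into a process and set its thread context:
    the classic hollowing sequence (suspended child, WriteProcessMemory,
    SetThreadContext, ResumeThread). Returns (src, dst, write_count)."""
    return sorted((s, d, writes[(s, d)]) for (s, d) in ctx if (s, d) in writes)


def cross_image_injections(writes, images):
    """Writes whose target runs a different image than the writer."""
    return sorted((s, d, images[d]) for (s, d) in writes if images.get(s) != images.get(d))


def payload_bearing_targets(writes, yara, family):
    """Write targets whose memory dump matched the given family rule."""
    targets = {d for (_, d) in writes}
    return sorted(p for p in targets if any(r == family for (_, _, r) in yara.get(p, [])))


def report():
    writes = parse_pairs(WPM_ROWS, WPM_RE)
    ctx = parse_pairs(STC_ROWS, STC_RE)
    yara = parse_yara(YARA_ROWS)
    return {
        "total_writes": sum(writes.values()),
        "hollowing": hollowing_candidates(writes, ctx),
        "cross_image": cross_image_injections(writes, IMAGES),
        "payload_pids": payload_bearing_targets(writes, yara, "family_xtremerat"),
        # Size of each matched region; identical sizes at the same base in two
        # processes point to one mapped module rather than unrelated buffers.
        "region_size": {p: e - s for p, hs in yara.items() for (s, e, _) in hs},
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the report's own rows this yields one hollowing candidate (400 into 3684, 13 writes), two cross-image injections (3684 into svchost.exe and msedge.exe), payload-bearing targets 2352 and 3684, and a 0x4A000-byte (303104) region in both. The same functions apply to any sandbox output that logs per-call writer/target PIDs.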
Processes
- C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe (PID 400, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe (PID 3684, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\7a446891f4ae4bfb463e960e16a8a65a.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2352, depth 3)
      command line: svchost.exe
      - C:\Windows\SysWOW64\WerFault.exe (PID 3144, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 480
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 2672, depth 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 500
        - Program crash
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1448, depth 3)
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 2944, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2352 -ip 2352
- C:\Windows\SysWOW64\WerFault.exe (PID 3136, depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2352 -ip 2352

Reading the tree: the sample (400) launches a second copy of itself (3684), which in turn starts svchost.exe (2352) and msedge.exe (1448). Every WerFault.exe instance names PID 2352 as the crashing process, so the injected svchost.exe is what crashed, twice. The SysWOW64 paths show these are 32-bit (WOW64) processes, consistent with the 32-bit module base in the YARA hits.