Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2024 03:27
Static task: static1
Behavioral task: behavioral1
  Sample: 7ec3398e4abc142e218b6850fb3bd659.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7ec3398e4abc142e218b6850fb3bd659.exe
  Resource: win10v2004-20231215-en
General
Target: 7ec3398e4abc142e218b6850fb3bd659.exe
Size: 52KB
MD5: 7ec3398e4abc142e218b6850fb3bd659
SHA1: 2e04288a95dbe1f24c56df7d04d191f6c40db0de
SHA256: 0e294545adcade01b253ee9cec5688e2513559f6384fdcace9bb4701cb480db1
SHA512: 513e22cb576d1ed0d9d07a86f1f2975f160e856384d271ad7de8a5235b867e2fdbecc494e9958761f6174211091c1b81cd1915ae4871fbd35312cad66f3dec85
SSDEEP: 768:xav20XVFaBDVKLgvdwv3/zL7DZdi7NVCU7Dt8E4ukOt8E4ukO:Yvv+BVKLg+v3H71sKYfdf
Malware Config
Extracted
xtremerat
esam2at.no-ip.biz
Signatures

Detect XtremeRAT payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2032-1-0x0000000010000000-0x0000000010055000-memory.dmp    family_xtremerat
  behavioral1/memory/2152-4-0x0000000010000000-0x0000000010055000-memory.dmp    family_xtremerat
  behavioral1/memory/2032-5-0x0000000010000000-0x0000000010055000-memory.dmp    family_xtremerat
  behavioral1/memory/2152-6-0x0000000010000000-0x0000000010055000-memory.dmp    family_xtremerat

XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (10 IoCs)
  description                         pid   Process                                procid_target
  PID 2032 wrote to memory of 2152    2032  7ec3398e4abc142e218b6850fb3bd659.exe   28
  PID 2032 wrote to memory of 2152    2032  7ec3398e4abc142e218b6850fb3bd659.exe   28
  PID 2032 wrote to memory of 2152    2032  7ec3398e4abc142e218b6850fb3bd659.exe   28
  PID 2032 wrote to memory of 2152    2032  7ec3398e4abc142e218b6850fb3bd659.exe   28
  PID 2032 wrote to memory of 2152    2032  7ec3398e4abc142e218b6850fb3bd659.exe   28
  PID 2032 wrote to memory of 1980    2032  7ec3398e4abc142e218b6850fb3bd659.exe   29
  PID 2032 wrote to memory of 1980    2032  7ec3398e4abc142e218b6850fb3bd659.exe   29
  PID 2032 wrote to memory of 1980    2032  7ec3398e4abc142e218b6850fb3bd659.exe   29
  PID 2032 wrote to memory of 1980    2032  7ec3398e4abc142e218b6850fb3bd659.exe   29
  PID 2032 wrote to memory of 1980    2032  7ec3398e4abc142e218b6850fb3bd659.exe   29
Processes
1. C:\Users\Admin\AppData\Local\Temp\7ec3398e4abc142e218b6850fb3bd659.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7ec3398e4abc142e218b6850fb3bd659.exe"
   PID: 2032
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2152
   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1980