Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29-01-2024 03:27
Static task
static1
Behavioral task
behavioral1
Sample
7ec3398e4abc142e218b6850fb3bd659.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7ec3398e4abc142e218b6850fb3bd659.exe
Resource
win10v2004-20231215-en
General
-
Target
7ec3398e4abc142e218b6850fb3bd659.exe
-
Size
52KB
-
MD5
7ec3398e4abc142e218b6850fb3bd659
-
SHA1
2e04288a95dbe1f24c56df7d04d191f6c40db0de
-
SHA256
0e294545adcade01b253ee9cec5688e2513559f6384fdcace9bb4701cb480db1
-
SHA512
513e22cb576d1ed0d9d07a86f1f2975f160e856384d271ad7de8a5235b867e2fdbecc494e9958761f6174211091c1b81cd1915ae4871fbd35312cad66f3dec85
-
SSDEEP
768:xav20XVFaBDVKLgvdwv3/zL7DZdi7NVCU7Dt8E4ukOt8E4ukO:Yvv+BVKLg+v3H71sKYfdf
Malware Config
Extracted
Family: xtremerat
C2 host (from the extracted configuration): esam2at.no-ip.biz
Signatures
-
Detect XtremeRAT payload 4 IoCs
resource                                                                    yara_rule
behavioral2/memory/2780-1-0x0000000010000000-0x0000000010055000-memory.dmp  family_xtremerat
behavioral2/memory/3676-2-0x0000000010000000-0x0000000010055000-memory.dmp  family_xtremerat
behavioral2/memory/2780-3-0x0000000010000000-0x0000000010055000-memory.dmp  family_xtremerat
behavioral2/memory/3676-4-0x0000000010000000-0x0000000010055000-memory.dmp  family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid   pid_target  Process       procid_target
4948  3676        WerFault.exe  84
2136  3676        WerFault.exe  84
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid   Process                               procid_target
PID 2780 wrote to memory of 3676   2780  7ec3398e4abc142e218b6850fb3bd659.exe  84
PID 2780 wrote to memory of 3676   2780  7ec3398e4abc142e218b6850fb3bd659.exe  84
PID 2780 wrote to memory of 3676   2780  7ec3398e4abc142e218b6850fb3bd659.exe  84
PID 2780 wrote to memory of 3676   2780  7ec3398e4abc142e218b6850fb3bd659.exe  84
PID 2780 wrote to memory of 4128   2780  7ec3398e4abc142e218b6850fb3bd659.exe  85
PID 2780 wrote to memory of 4128   2780  7ec3398e4abc142e218b6850fb3bd659.exe  85
PID 2780 wrote to memory of 4128   2780  7ec3398e4abc142e218b6850fb3bd659.exe  85
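The two signature tables above are more useful read together than apart: the sample (PID 2780) performed WriteProcessMemory calls into svchost.exe (PID 3676) and msedge.exe (PID 4128), and the YARA memory scan then found the XtremeRAT payload at the same 0x10000000-0x10055000 region in both the sample and svchost.exe, which is what a process injection of the RAT module looks like. The script below is an added example, not part of this report or of any sandbox's own code. It parses the report's signature lines (copied here as constructed sample input), correlates each write pair with the YARA hits of the writer and the target, and reports which targets carry the same tagged region as the writer (confirmed injection) and which were only written to (unconfirmed, as with msedge.exe here). The regular expressions assume exactly the line layout shown in the tables above; any other sandbox export would need its own patterns.

```python
import re
from collections import defaultdict

# Constructed sample input: the WriteProcessMemory and YARA-hit rows from the
# signature tables of this report, one event per line.
WPM_EVENTS = """\
PID 2780 wrote to memory of 3676 2780 7ec3398e4abc142e218b6850fb3bd659.exe 84
PID 2780 wrote to memory of 3676 2780 7ec3398e4abc142e218b6850fb3bd659.exe 84
PID 2780 wrote to memory of 3676 2780 7ec3398e4abc142e218b6850fb3bd659.exe 84
PID 2780 wrote to memory of 3676 2780 7ec3398e4abc142e218b6850fb3bd659.exe 84
PID 2780 wrote to memory of 4128 2780 7ec3398e4abc142e218b6850fb3bd659.exe 85
PID 2780 wrote to memory of 4128 2780 7ec3398e4abc142e218b6850fb3bd659.exe 85
PID 2780 wrote to memory of 4128 2780 7ec3398e4abc142e218b6850fb3bd659.exe 85
"""

YARA_HITS = """\
behavioral2/memory/2780-1-0x0000000010000000-0x0000000010055000-memory.dmp family_xtremerat
behavioral2/memory/3676-2-0x0000000010000000-0x0000000010055000-memory.dmp family_xtremerat
behavioral2/memory/2780-3-0x0000000010000000-0x0000000010055000-memory.dmp family_xtremerat
behavioral2/memory/3676-4-0x0000000010000000-0x0000000010055000-memory.dmp family_xtremerat
"""

# Patterns assume the exact row layout of the tables in this report.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
YARA_RE = re.compile(
    r"/memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\S+)$"
)


def parse_writes(text):
    """Return {(src_pid, dst_pid): (write_count, src_image)} from WriteProcessMemory rows."""
    writes = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, image, _procid = m.groups()
        key = (int(src), int(dst))
        count, _ = writes.get(key, (0, image))
        writes[key] = (count + 1, image)
    return writes


def parse_yara(text):
    """Return {pid: {(start, end, rule)}} from memory-dump YARA hit rows."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = YARA_RE.search(line.strip())
        if not m:
            continue
        pid, start, end, rule = m.groups()
        hits[int(pid)].add((int(start, 16), int(end, 16), rule))
    return hits


def find_injections(writes, hits):
    """For each writer->target pair, report whether the target ended up with a
    region tagged by the same rule at the same address as the writer."""
    findings = []
    for (src, dst), (count, image) in sorted(writes.items()):
        shared = hits.get(src, set()) & hits.get(dst, set())
        base = {"source_pid": src, "source_image": image,
                "target_pid": dst, "writes": count}
        if not shared:
            findings.append({**base, "confirmed": False, "rule": None,
                             "region": None, "size": 0})
            continue
        for start, end, rule in sorted(shared):
            findings.append({**base, "confirmed": True, "rule": rule,
                             "region": f"0x{start:08x}-0x{end:08x}",
                             "size": end - start})
    return findings


def summarize(findings):
    """Render one human-readable line per finding."""
    lines = []
    for f in findings:
        if f["confirmed"]:
            lines.append(f"{f['source_image']} (PID {f['source_pid']}) -> PID "
                         f"{f['target_pid']}: {f['writes']} writes, {f['rule']} at "
                         f"{f['region']} ({f['size']} bytes) in both: injection confirmed")
        else:
            lines.append(f"{f['source_image']} (PID {f['source_pid']}) -> PID "
                         f"{f['target_pid']}: {f['writes']} writes, no shared YARA "
                         f"region: unconfirmed")
    return lines


if __name__ == "__main__":
    for line in summarize(find_injections(parse_writes(WPM_EVENTS),
                                          parse_yara(YARA_HITS))):
        print(line)
```

Run as-is it prints one confirmed line for svchost.exe (PID 3676) and one unconfirmed line for msedge.exe (PID 4128). The confirmation rule is deliberately strict (same rule, same start and end address in writer and target); a loosened version would also accept overlapping regions, since an injector that maps the payload at a different base in the target would otherwise be missed.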
Processes
- C:\Users\Admin\AppData\Local\Temp\7ec3398e4abc142e218b6850fb3bd659.exe (PID 2780)
  command line: "C:\Users\Admin\AppData\Local\Temp\7ec3398e4abc142e218b6850fb3bd659.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 3676)
    command line: svchost.exe
    - C:\Windows\SysWOW64\WerFault.exe (PID 4948)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 480
      signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe (PID 2136)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 488
      signatures: Program crash
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4128)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 5100)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3676 -ip 3676
- C:\Windows\SysWOW64\WerFault.exe (PID 1900)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3676 -ip 3676