Analysis
- max time kernel: 138s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-02-2024 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: 8ae60ffd054b91d05a999b81c842dff6.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8ae60ffd054b91d05a999b81c842dff6.exe
  Resource: win10v2004-20231215-en
General
- Target: 8ae60ffd054b91d05a999b81c842dff6.exe
- Size: 272KB
- MD5: 8ae60ffd054b91d05a999b81c842dff6
- SHA1: c4d53e74655ecef838f43679f86ac97fa03b693b
- SHA256: 3855d14233d9b0d2264b18749baef259989099aa3471fde387885743d1809299
- SHA512: 847aa1f2290b877070eab91ab53186465916a1caa4c9a41943a8ae36807400930f402e0d91d28363a116ae2fe97ec771e07e63c7e86c121a0b0376ad93046448
- SSDEEP: 6144:z5MiHH39hzMBo7Ljd/Q1RgOw7I43qRKoC4pFsMmKAae0d7:VT3Lzqo7Li1RgdI0wbC4pFpmKAae0d7
Malware Config
Extracted
- Family: xtremerat
- Hosts:
  - firefox-dmm.sytes.net
  - google-pro.dyndns.info
Signatures
- Detect XtremeRAT payload  6 IoCs
  Processes:
  resource                                                                     yara_rule
  behavioral2/memory/2568-8-0x0000000010000000-0x0000000010048000-memory.dmp   family_xtremerat
  behavioral2/memory/2568-9-0x0000000010000000-0x0000000010048000-memory.dmp   family_xtremerat
  behavioral2/memory/3076-10-0x0000000010000000-0x0000000010048000-memory.dmp  family_xtremerat
  behavioral2/memory/3924-11-0x0000000010000000-0x0000000010048000-memory.dmp  family_xtremerat
  behavioral2/memory/2568-12-0x0000000010000000-0x0000000010048000-memory.dmp  family_xtremerat
  behavioral2/memory/3076-14-0x0000000010000000-0x0000000010048000-memory.dmp  family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- yara rule upx  8 IoCs
  Processes:
  resource                                                                     yara_rule
  behavioral2/memory/2568-4-0x0000000010000000-0x0000000010048000-memory.dmp   upx
  behavioral2/memory/2568-7-0x0000000010000000-0x0000000010048000-memory.dmp   upx
  behavioral2/memory/2568-8-0x0000000010000000-0x0000000010048000-memory.dmp   upx
  behavioral2/memory/2568-9-0x0000000010000000-0x0000000010048000-memory.dmp   upx
  behavioral2/memory/3076-10-0x0000000010000000-0x0000000010048000-memory.dmp  upx
  behavioral2/memory/3924-11-0x0000000010000000-0x0000000010048000-memory.dmp  upx
  behavioral2/memory/2568-12-0x0000000010000000-0x0000000010048000-memory.dmp  upx
  behavioral2/memory/3076-14-0x0000000010000000-0x0000000010048000-memory.dmp  upx
- Suspicious use of SetThreadContext  1 IoCs
  Processes:
  description                             pid   Process                               procid_target
  PID 2244 set thread context of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
- Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Program crash  4 IoCs
  Processes:
  pid   pid_target  Process       procid_target
  4540  3076        WerFault.exe  84
  2184  3924        WerFault.exe  85
  260   3924        WerFault.exe  85
  4956  3076        WerFault.exe  84
- Suspicious use of SetWindowsHookEx  1 IoCs
  Processes:
  pid   Process
  2244  8ae60ffd054b91d05a999b81c842dff6.exe
- Suspicious use of WriteProcessMemory  16 IoCs
  Processes:
  description                          pid   Process                               procid_target
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2244 wrote to memory of 2568     2244  8ae60ffd054b91d05a999b81c842dff6.exe  83
  PID 2568 wrote to memory of 3076     2568  8ae60ffd054b91d05a999b81c842dff6.exe  84
  PID 2568 wrote to memory of 3076     2568  8ae60ffd054b91d05a999b81c842dff6.exe  84
  PID 2568 wrote to memory of 3076     2568  8ae60ffd054b91d05a999b81c842dff6.exe  84
  PID 2568 wrote to memory of 3076     2568  8ae60ffd054b91d05a999b81c842dff6.exe  84
  PID 2568 wrote to memory of 3924     2568  8ae60ffd054b91d05a999b81c842dff6.exe  85
  PID 2568 wrote to memory of 3924     2568  8ae60ffd054b91d05a999b81c842dff6.exe  85
  PID 2568 wrote to memory of 3924     2568  8ae60ffd054b91d05a999b81c842dff6.exe  85
  PID 2568 wrote to memory of 3924     2568  8ae60ffd054b91d05a999b81c842dff6.exe  85
Processes
- C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe  (PID 2244)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe  (PID 2568)
    command line: C:\Users\Admin\AppData\Local\Temp\8ae60ffd054b91d05a999b81c842dff6.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe  (PID 3076)
      command line: svchost.exe
      - C:\Windows\SysWOW64\WerFault.exe  (PID 4540)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 488
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe  (PID 4956)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 496
        - Program crash
    - C:\Windows\SysWOW64\notepad.exe  (PID 3924)
      command line: notepad.exe
      - C:\Windows\SysWOW64\WerFault.exe  (PID 2184)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 448
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe  (PID 260)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 488
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe  (PID 4520)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3076 -ip 3076
- C:\Windows\SysWOW64\WerFault.exe  (PID 4832)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3924 -ip 3924
- C:\Windows\SysWOW64\WerFault.exe  (PID 2272)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3924 -ip 3924
- C:\Windows\SysWOW64\WerFault.exe  (PID 2748)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3076 -ip 3076
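As an added example (not part of the sandbox report and not code from any tool it uses), the Python below turns the signature rows above into an analyst-readable chain: it rebuilds the cross-process edges from the WriteProcessMemory and SetThreadContext rows, marks the pair that shows both calls as the process-hollowing step (2244 into its own second instance 2568), maps the family_xtremerat YARA hits onto the PIDs that received writes (2568, then svchost.exe 3076 and notepad.exe 3924), and flags the two extracted hosts as dynamic-DNS names. The event lines, hit paths and PID-to-image map are constructed from values printed in the report; the dynamic-DNS suffix list is an assumed, non-exhaustive one.

```python
"""Added triage helpers for the report above (example code, not the sandbox's).

Rebuilds the cross-process injection chain from the WriteProcessMemory /
SetThreadContext signature rows, maps the YARA memory-dump hits onto the
PIDs that received writes, and flags the extracted hosts as dynamic DNS.
"""
import re
from collections import defaultdict

# Constructed from the "Suspicious use of ..." tables (one line per distinct
# source/target pair; the report repeats each row several times).
API_EVENTS = """
WriteProcessMemory  PID 2244 wrote to memory of 2568
WriteProcessMemory  PID 2568 wrote to memory of 3076
WriteProcessMemory  PID 2568 wrote to memory of 3924
SetThreadContext    PID 2244 set thread context of 2568
""".strip().splitlines()

# Constructed from the YARA hit paths in the report (one per PID and rule).
YARA_HITS = """
behavioral2/memory/2568-8-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat
behavioral2/memory/3076-10-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat
behavioral2/memory/3924-11-0x0000000010000000-0x0000000010048000-memory.dmp family_xtremerat
behavioral2/memory/2568-4-0x0000000010000000-0x0000000010048000-memory.dmp upx
""".strip().splitlines()

# PID -> image name, taken from the report's process tree.
IMAGES = {
    2244: "8ae60ffd054b91d05a999b81c842dff6.exe",
    2568: "8ae60ffd054b91d05a999b81c842dff6.exe",
    3076: "svchost.exe",
    3924: "notepad.exe",
}

# Hosts from the "Malware Config / Extracted" section.
C2_HOSTS = ["firefox-dmm.sytes.net", "google-pro.dyndns.info"]

# Assumed, non-exhaustive dynamic-DNS suffixes (sytes.net, no-ip.org and
# ddns.net belong to No-IP; dyndns.info and dyndns.org to Dyn).
DYNDNS_SUFFIXES = ("sytes.net", "no-ip.org", "ddns.net", "dyndns.info", "dyndns.org")

EVENT_RE = re.compile(
    r"^(\w+)\s+PID (\d+) (?:wrote to memory of|set thread context of) (\d+)$")
HIT_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\w+)$")


def parse_api_events(lines):
    """Return {(source_pid, target_pid): {api, ...}} for cross-process calls."""
    edges = defaultdict(set)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            edges[(int(m.group(2)), int(m.group(3)))].add(m.group(1))
    return dict(edges)


def hollowing_candidates(edges):
    """Pairs where the source both wrote the target's memory and replaced a
    thread context: the process-hollowing / thread-hijack pattern."""
    needed = {"WriteProcessMemory", "SetThreadContext"}
    return sorted(edge for edge, apis in edges.items() if needed <= apis)


def parse_yara_hits(lines):
    """Return {rule: {pid: (base_address, region_size)}} from hit paths."""
    hits = defaultdict(dict)
    for line in lines:
        m = HIT_RE.search(line.strip())
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            hits[m.group(4)][pid] = (start, end - start)
    return dict(hits)


def payload_carriers(edges, hits, family="family_xtremerat"):
    """PIDs written to by another process AND matching the family rule in
    memory: the processes actually running the injected payload."""
    written_to = {dst for _, dst in edges}
    return sorted(pid for pid in hits.get(family, {}) if pid in written_to)


def dynamic_dns_hosts(hosts, suffixes=DYNDNS_SUFFIXES):
    """Hosts whose suffix is a known dynamic-DNS provider."""
    return [h for h in hosts if any(h.lower().endswith("." + s) for s in suffixes)]


def summarize(edges, hits, hosts):
    """Plain-text lines suitable for an analyst note."""
    out = []
    for src, dst in hollowing_candidates(edges):
        out.append(f"hollowing: {IMAGES.get(src, src)} ({src}) -> "
                   f"{IMAGES.get(dst, dst)} ({dst})")
    for pid in payload_carriers(edges, hits):
        base, size = hits["family_xtremerat"][pid]
        out.append(f"payload in {IMAGES.get(pid, pid)} ({pid}) "
                   f"at 0x{base:08x}, 0x{size:x} bytes")
    for host in dynamic_dns_hosts(hosts):
        out.append(f"dynamic-DNS C2 host: {host}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_api_events(API_EVENTS),
                              parse_yara_hits(YARA_HITS), C2_HOSTS)))
```

Two points the summary makes visible that the raw tables do not: only the 2244 -> 2568 edge carries both a memory write and a thread-context change, so that is where the packed stage is unwrapped and the original thread redirected, while 2568 -> svchost.exe and 2568 -> notepad.exe show writes alone; and every family_xtremerat hit sits in the same 0x48000-byte region at 0x10000000 in all three processes, which is why the same rule fires identically in each. The WerFault.exe children on 3076 and 3924 are consistent with the injected code crashing in those hosts, but the report gives no crash details beyond the dump IDs, so the script does not try to interpret them.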