Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2024 10:16

General

  • Target

    8c137bb7eb4c02dc79f59450a730328e.exe

  • Size

    85KB

  • MD5

    8c137bb7eb4c02dc79f59450a730328e

  • SHA1

    d05e34b988bf789910bb170728873cebe31f10e1

  • SHA256

    5aee67d49ef5dd71f924c9a26a20795c027f6f94f220838bdde7a0d33b690018

  • SHA512

    9301a6250b6073db41d131b473caff20b78bca741f22bb6f67b0e0fc45d0f3ee87443001a205aec5ffd98d7703b5def498f683ddb4643b07b7253caaccaf6a7d

  • SSDEEP

    768:28m1Sq4NQErBsH1ZzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiZKPA+7Xoh:Esq+QVwrObAdXWpf/y+7ozNwiGfEftog

Malware Config

Extracted

Family

xtremerat

C2

esam2at.no-ip.biz

Signatures

  • Detect XtremeRAT payload 1 IoCs
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c137bb7eb4c02dc79f59450a730328e.exe
    "C:\Users\Admin\AppData\Local\Temp\8c137bb7eb4c02dc79f59450a730328e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
        PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1684-0-0x0000000010000000-0x000000001004F000-memory.dmp

      Filesize

      316KB