Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03-02-2024 10:16
Behavioral task: behavioral1
Sample: 8c137bb7eb4c02dc79f59450a730328e.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8c137bb7eb4c02dc79f59450a730328e.exe
Resource: win10v2004-20231222-en
General
Target: 8c137bb7eb4c02dc79f59450a730328e.exe
Size: 85KB
MD5: 8c137bb7eb4c02dc79f59450a730328e
SHA1: d05e34b988bf789910bb170728873cebe31f10e1
SHA256: 5aee67d49ef5dd71f924c9a26a20795c027f6f94f220838bdde7a0d33b690018
SHA512: 9301a6250b6073db41d131b473caff20b78bca741f22bb6f67b0e0fc45d0f3ee87443001a205aec5ffd98d7703b5def498f683ddb4643b07b7253caaccaf6a7d
SSDEEP: 768:28m1Sq4NQErBsH1ZzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiZKPA+7Xoh:Esq+QVwrObAdXWpf/y+7ozNwiGfEftog
Malware Config
Extracted
xtremerat
esam2at.no-ip.biz
Signatures

Detect XtremeRAT payload (1 IoCs)
Processes:
resource: behavioral1/memory/1684-0-0x0000000010000000-0x000000001004F000-memory.dmp
yara_rule: family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | Process | procid_target
PID 1684 wrote to memory of 2752 | 1684 | 8c137bb7eb4c02dc79f59450a730328e.exe | 28
PID 1684 wrote to memory of 2752 | 1684 | 8c137bb7eb4c02dc79f59450a730328e.exe | 28
PID 1684 wrote to memory of 2752 | 1684 | 8c137bb7eb4c02dc79f59450a730328e.exe | 28
PID 1684 wrote to memory of 2752 | 1684 | 8c137bb7eb4c02dc79f59450a730328e.exe | 28