Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-02-2024 22:42
Static task: static1
Behavioral task: behavioral1
- Sample: a7896f4acdaa6e89d2351541a040f7fa.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a7896f4acdaa6e89d2351541a040f7fa.exe
- Resource: win10v2004-20240226-en
General
- Target: a7896f4acdaa6e89d2351541a040f7fa.exe
- Size: 172KB
- MD5: a7896f4acdaa6e89d2351541a040f7fa
- SHA1: 0fc532e683c8f1710cd477e12d065d47ec2e7502
- SHA256: 042c641a9cd8a0aa6b77a458a254218ace0761380af0aec0ae912b9cad84af89
- SHA512: 78ff73998d19d2f626e9d21538f61aabf382386ca91204066b090411ad3bd2e343f693f22e3f0c1843409d8cfdcac10e3b38604ffef921e3834c25c81e6adf0e
- SSDEEP: 3072:ZwpbuzMguQ+1FeLdoiBdeBYArfVul6TvfOYtctQ7ZcI:ZwZsMr1FeLKMAQQ/ctQ7ZN
Malware Config
Extracted
- Family: xtremerat
- C2: esam2at.no-ip.biz
Signatures
- Detect XtremeRAT payload (4 IoCs)
Processes:
resource                                                                    yara_rule
behavioral1/memory/2164-5-0x0000000010000000-0x000000001004C000-memory.dmp   family_xtremerat
behavioral1/memory/1704-6-0x0000000010000000-0x000000001004C000-memory.dmp   family_xtremerat
behavioral1/memory/2164-9-0x0000000010000000-0x000000001004C000-memory.dmp   family_xtremerat
behavioral1/memory/2164-11-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                         pid   process                                target process
PID 1704 wrote to memory of 2164    1704  a7896f4acdaa6e89d2351541a040f7fa.exe   svchost.exe
PID 1704 wrote to memory of 2164    1704  a7896f4acdaa6e89d2351541a040f7fa.exe   svchost.exe
PID 1704 wrote to memory of 2164    1704  a7896f4acdaa6e89d2351541a040f7fa.exe   svchost.exe
PID 1704 wrote to memory of 2164    1704  a7896f4acdaa6e89d2351541a040f7fa.exe   svchost.exe
PID 1704 wrote to memory of 2164    1704  a7896f4acdaa6e89d2351541a040f7fa.exe   svchost.exe
PID 1704 wrote to memory of 928     1704  a7896f4acdaa6e89d2351541a040f7fa.exe   iexplore.exe
PID 1704 wrote to memory of 928     1704  a7896f4acdaa6e89d2351541a040f7fa.exe   iexplore.exe
PID 1704 wrote to memory of 928     1704  a7896f4acdaa6e89d2351541a040f7fa.exe   iexplore.exe
PID 1704 wrote to memory of 928     1704  a7896f4acdaa6e89d2351541a040f7fa.exe   iexplore.exe
PID 1704 wrote to memory of 928     1704  a7896f4acdaa6e89d2351541a040f7fa.exe   iexplore.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a7896f4acdaa6e89d2351541a040f7fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7896f4acdaa6e89d2351541a040f7fa.exe"
  PID: 1704
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 2164
  - [2] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 928
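The Signatures and Processes sections above contain the three pieces of evidence an analyst needs to join: the WriteProcessMemory rows (which process wrote into which), the memory-dump resource names (which PID and which address range each YARA hit was found in), and the process tree (what image each PID is). The following Python is an added example written for this page; it is not part of the Triage report or of the XtremeRAT sample. It parses the dump naming convention seen above (`<task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp`, assumed from the four rows shown), aggregates the ten WriteProcessMemory rows into injection edges, and reports, per edge, whether the written-to process was later dumped with a `family_xtremerat` hit. The input lists are constructed by copying the rows from this report.

```python
import re
from collections import defaultdict

# Constructed inputs: the rows copied from the report above (added example, not Triage output).
YARA_HITS = [
    ("behavioral1/memory/2164-5-0x0000000010000000-0x000000001004C000-memory.dmp", "family_xtremerat"),
    ("behavioral1/memory/1704-6-0x0000000010000000-0x000000001004C000-memory.dmp", "family_xtremerat"),
    ("behavioral1/memory/2164-9-0x0000000010000000-0x000000001004C000-memory.dmp", "family_xtremerat"),
    ("behavioral1/memory/2164-11-0x0000000010000000-0x000000001004C000-memory.dmp", "family_xtremerat"),
]

LOADER = "a7896f4acdaa6e89d2351541a040f7fa.exe"
# (description, pid, process, target process), five rows per target as in the report.
WPM_EVENTS = (
    [("PID 1704 wrote to memory of 2164", 1704, LOADER, "svchost.exe")] * 5
    + [("PID 1704 wrote to memory of 928", 1704, LOADER, "iexplore.exe")] * 5
)

# Dump naming convention assumed from the resource names on this page.
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<n>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
WPM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")


def parse_dump_name(resource):
    """Split a dump resource name into task, pid, dump index and the address range it covers."""
    m = DUMP_RE.match(resource)
    if m is None:
        raise ValueError(f"unrecognised dump resource: {resource}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {resource}")
    return {"task": m["task"], "pid": int(m["pid"]), "index": int(m["n"]),
            "start": start, "end": end, "size": end - start}


def injection_edges(events):
    """Aggregate WriteProcessMemory rows into (src pid, dst pid) -> target image and write count."""
    edges = {}
    for description, pid, _image, target_image in events:
        m = WPM_RE.match(description)
        if m is None:
            raise ValueError(f"unrecognised description: {description}")
        src, dst = int(m["src"]), int(m["dst"])
        if src != pid:  # the pid column and the description must agree
            raise ValueError(f"pid column {pid} disagrees with {description!r}")
        edge = edges.setdefault((src, dst), {"target_image": target_image, "writes": 0})
        edge["writes"] += 1
    return edges


def payload_regions_by_pid(hits, family_rule="family_xtremerat"):
    """pid -> sorted, de-duplicated (start, end) regions in which the family rule fired."""
    regions = defaultdict(set)
    for resource, rule in hits:
        if rule != family_rule:
            continue
        d = parse_dump_name(resource)
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


def correlate(hits, events):
    """One finding per injection edge: did the written-to process end up holding the payload?"""
    regions = payload_regions_by_pid(hits)
    findings = []
    for (src, dst), edge in sorted(injection_edges(events).items()):
        dst_regions = regions.get(dst, [])
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "target_image": edge["target_image"],
            "writes": edge["writes"],
            "payload_regions": dst_regions,
            "verdict": ("payload confirmed in target" if dst_regions
                        else "written to, no payload hit in dumps"),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(YARA_HITS, WPM_EVENTS):
        regs = ", ".join(f"{s:#x}-{e:#x}" for s, e in f["payload_regions"]) or "-"
        print(f"{f['source_pid']} -> {f['target_pid']} ({f['target_image']}): "
              f"{f['writes']} writes, regions {regs}: {f['verdict']}")
```

Run as-is, the script reports two edges from the loader (PID 1704): svchost.exe (PID 2164) received five writes and was dumped three times with the family rule firing in 0x10000000-0x1004C000, a 0x4C000-byte region at the conventional default DLL image base; iexplore.exe (PID 928) also received five writes but none of the four dumps with a hit belong to it, so on this report's evidence the payload is only confirmed in svchost.exe and in the loader itself (PID 1704, dump 6).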