Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 22:42
Static task: static1

Behavioral task: behavioral1
  Sample: a7896f4acdaa6e89d2351541a040f7fa.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: a7896f4acdaa6e89d2351541a040f7fa.exe
  Resource: win10v2004-20240226-en
General
Target: a7896f4acdaa6e89d2351541a040f7fa.exe
Size: 172KB
MD5: a7896f4acdaa6e89d2351541a040f7fa
SHA1: 0fc532e683c8f1710cd477e12d065d47ec2e7502
SHA256: 042c641a9cd8a0aa6b77a458a254218ace0761380af0aec0ae912b9cad84af89
SHA512: 78ff73998d19d2f626e9d21538f61aabf382386ca91204066b090411ad3bd2e343f693f22e3f0c1843409d8cfdcac10e3b38604ffef921e3834c25c81e6adf0e
SSDEEP: 3072:ZwpbuzMguQ+1FeLdoiBdeBYArfVul6TvfOYtctQ7ZcI:ZwZsMr1FeLKMAQQ/ctQ7ZN
Malware Config
Extracted
  Family: xtremerat
  C2 host: esam2at.no-ip.biz
Signatures

Detect XtremeRAT payload (4 IoCs)
Processes:
  resource                                                                   yara_rule
  behavioral2/memory/3344-11-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
  behavioral2/memory/2796-12-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
  behavioral2/memory/3344-13-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
  behavioral2/memory/2796-16-0x0000000010000000-0x000000001004C000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  216   2796        WerFault.exe  svchost.exe
  3408  2796        WerFault.exe  svchost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process                               target process
  PID 3344 wrote to memory of 2796   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  svchost.exe
  PID 3344 wrote to memory of 2796   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  svchost.exe
  PID 3344 wrote to memory of 2796   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  svchost.exe
  PID 3344 wrote to memory of 2796   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  svchost.exe
  PID 3344 wrote to memory of 2808   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  msedge.exe
  PID 3344 wrote to memory of 2808   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  msedge.exe
  PID 3344 wrote to memory of 2808   3344  a7896f4acdaa6e89d2351541a040f7fa.exe  msedge.exe
Processes (tree; the number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\a7896f4acdaa6e89d2351541a040f7fa.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a7896f4acdaa6e89d2351541a040f7fa.exe"
   PID: 3344
   signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 2796

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 480
         PID: 216
         signatures: Program crash

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 488
         PID: 3408
         signatures: Program crash

   2. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 2808

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2796 -ip 2796
   PID: 392

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2796 -ip 2796
   PID: 1452