Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-02-2024 21:51

Static task: static1
Behavioral task: behavioral1
  Sample: aa3f313ac924c27b2d2fe5acf6c5401a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa3f313ac924c27b2d2fe5acf6c5401a.exe
  Resource: win10v2004-20240226-en
General
Target: aa3f313ac924c27b2d2fe5acf6c5401a.exe
Size: 106KB
MD5: aa3f313ac924c27b2d2fe5acf6c5401a
SHA1: 63fcc3eb367d36544dcd0810310ed26ba5f3ce4c
SHA256: 7bec450473cf1cffaba40e912d04dd7cc5da0d00649f17c31a099557721c74d9
SHA512: f07c87f247ca1346a5d4279730795c77b2a5150482482e7dca816278e7785d524c0c3ddf0997fe25ec20ce8cb5f29d68bda006e594e4f0ad64f2ffe964bb2a89
SSDEEP: 1536:rqHvMCaAweZSsHpy/RGeCyjmKq5D6pMFhWi+PUlOCX/Aq4eoiU:atUsHp+5xe5WWHAyo1
Malware Config
Signatures

Detect XtremeRAT payload (12 IoCs)
The YARA rule family_xtremerat matched the following memory dumps. Every hit covers the same 0x4A000-byte region at 0x0000000010000000-0x000000001004A000, first in the second instance of the sample (PID 2620) and then in svchost.exe (PID 2704), i.e. the same payload image mapped at the same base in both processes:
  behavioral1/memory/2620-4-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral1/memory/2620-5-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral1/memory/2620-6-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral1/memory/2620-7-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral1/memory/2620-8-0x0000000010000000-0x000000001004A000-memory.dmp   family_xtremerat
  behavioral1/memory/2620-11-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2620-12-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2620-13-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2620-14-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2704-17-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2620-18-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2704-19-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT, written in Delphi, was developed by xtremecoder and has been available since at least 2010.
Suspicious use of SetThreadContext (1 IoC)
  PID 2200 (aa3f313ac924c27b2d2fe5acf6c5401a.exe) set thread context of PID 2620 (aa3f313ac924c27b2d2fe5acf6c5401a.exe)
Combined with the twelve WriteProcessMemory events from 2200 into 2620 listed below, this is the process-hollowing pattern: the sample launches a second copy of its own executable, overwrites that copy's memory with the payload, and redirects its thread into it. The XtremeRAT YARA hits in PID 2620 confirm that the payload is what was written.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2200 aa3f313ac924c27b2d2fe5acf6c5401a.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  PID 2200 (aa3f313ac924c27b2d2fe5acf6c5401a.exe) wrote to memory of PID 2620 (aa3f313ac924c27b2d2fe5acf6c5401a.exe): 12 events
  PID 2620 (aa3f313ac924c27b2d2fe5acf6c5401a.exe) wrote to memory of PID 2704 (svchost.exe): 5 events
  PID 2620 (aa3f313ac924c27b2d2fe5acf6c5401a.exe) wrote to memory of PID 2796 (iexplore.exe): 5 events
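The three signature tables above (SetThreadContext, WriteProcessMemory and the family_xtremerat memory hits) together describe a two-hop injection chain, but the sandbox prints them as flat rows. The helper below is an added example, not code from the sandbox or from this report, that parses rows in the sandbox's flattened format and correlates them: a same-image parent-to-child write followed by SetThreadContext is reported as hollowing, cross-image writes from the hollowed process as the second hop, and each target is marked confirmed or unconfirmed depending on whether a YARA memory hit exists for it. The input rows are constructed from this report's own events, replicated to the counts the report states; the YARA list is a subset of the twelve hits. Note that iexplore.exe (PID 2796) received writes but has no YARA hit in the report, which is why the code keeps an "unconfirmed" bucket rather than treating every write target as infected.

```python
import re
from collections import Counter

SELF = "aa3f313ac924c27b2d2fe5acf6c5401a.exe"

# Constructed input: the report's flattened signature rows, replicated to the
# counts the report states (12 writes 2200->2620, 5 to 2704, 5 to 2796).
CTX_EVENTS = [f"PID 2200 set thread context of 2620 2200 {SELF} {SELF}"]
WRITE_EVENTS = (
    [f"PID 2200 wrote to memory of 2620 2200 {SELF} {SELF}"] * 12
    + [f"PID 2620 wrote to memory of 2704 2620 {SELF} svchost.exe"] * 5
    + [f"PID 2620 wrote to memory of 2796 2620 {SELF} iexplore.exe"] * 5
)
# Constructed subset of the family_xtremerat YARA memory hits from the report.
YARA_HITS = [
    "behavioral1/memory/2620-4-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat",
    "behavioral1/memory/2620-18-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat",
    "behavioral1/memory/2704-17-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat",
    "behavioral1/memory/2704-19-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat",
]

# "PID <src> <action> <dst> <src> <src image> <dst image>" as the sandbox prints it.
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")
# "<task>/memory/<pid>-<n>-<start>-<end>-memory.dmp <rule>"
YARA_RE = re.compile(r"behavioral\d+/memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp (\w+)")


def parse_rows(rows):
    """Yield (src_pid, action, dst_pid, src_image, dst_image) for each parsable row."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), m.group(5)


def triage(write_rows, ctx_rows, yara_rows):
    """Correlate write, thread-context and YARA rows into an injection chain summary."""
    writes = Counter()
    images = {}
    for src, _, dst, src_img, dst_img in parse_rows(write_rows):
        writes[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    ctx_pairs = set()
    for src, _, dst, src_img, dst_img in parse_rows(ctx_rows):
        ctx_pairs.add((src, dst))
        images[src], images[dst] = src_img, dst_img

    # Hollowing: a process writes into another instance of its own image and
    # then redirects that instance's thread with SetThreadContext.
    hollowing = sorted(p for p in ctx_pairs if p in writes and images[p[0]] == images[p[1]])
    # Second hop: the hollowed process writes into processes of a different image.
    hollowed = {dst for _, dst in hollowing}
    injections = {dst: images[dst] for (src, dst) in writes
                  if src in hollowed and images[src] != images[dst]}

    # Payload regions per PID, taken from the YARA memory-dump hits.
    regions = {}
    for row in yara_rows:
        m = YARA_RE.match(row.strip())
        if m:
            regions.setdefault(int(m.group(1)), set()).add((m.group(2), m.group(3), m.group(4)))

    targets = hollowed | set(injections)
    return {
        "writes": writes,
        "hollowing": hollowing,
        "injections": injections,
        "payload_regions": regions,
        "confirmed": sorted(p for p in targets if p in regions),
        "unconfirmed": sorted(p for p in targets if p not in regions),
    }


if __name__ == "__main__":
    r = triage(WRITE_EVENTS, CTX_EVENTS, YARA_HITS)
    for src, dst in r["hollowing"]:
        print(f"hollowing: {src} -> {dst} ({r['writes'][(src, dst)]} writes)")
    for pid, img in sorted(r["injections"].items()):
        print(f"second hop: {pid} {img}")
    print("payload confirmed in:", r["confirmed"], "unconfirmed:", r["unconfirmed"])
```

The same-image check is what separates hollowing from ordinary remote injection; dropping it would also flag the svchost.exe and iexplore.exe writes as hollowing, which the thread-context table does not support.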
Processes
- C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe (PID 2200)
  command line: "C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe"
  Suspicious use of SetThreadContext
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe (PID 2620)
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2704)
      command line: svchost.exe
    - C:\Program Files\Internet Explorer\iexplore.exe (PID 2796)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"