Analysis
- max time kernel: 92s
- max time network: 118s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-02-2024 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: aa3f313ac924c27b2d2fe5acf6c5401a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: aa3f313ac924c27b2d2fe5acf6c5401a.exe
  Resource: win10v2004-20240226-en
General
- Target: aa3f313ac924c27b2d2fe5acf6c5401a.exe
- Size: 106KB
- MD5: aa3f313ac924c27b2d2fe5acf6c5401a
- SHA1: 63fcc3eb367d36544dcd0810310ed26ba5f3ce4c
- SHA256: 7bec450473cf1cffaba40e912d04dd7cc5da0d00649f17c31a099557721c74d9
- SHA512: f07c87f247ca1346a5d4279730795c77b2a5150482482e7dca816278e7785d524c0c3ddf0997fe25ec20ce8cb5f29d68bda006e594e4f0ad64f2ffe964bb2a89
- SSDEEP: 1536:rqHvMCaAweZSsHpy/RGeCyjmKq5D6pMFhWi+PUlOCX/Aq4eoiU:atUsHp+5xe5WWHAyo1
Malware Config
Signatures
- Detect XtremeRAT payload (7 IoCs)
  resource | yara_rule
  behavioral2/memory/2052-2-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral2/memory/2052-3-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral2/memory/2052-4-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral2/memory/2052-5-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral2/memory/4656-6-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral2/memory/2052-7-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
  behavioral2/memory/4656-8-0x0000000010000000-0x000000001004A000-memory.dmp | family_xtremerat
- XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 3468 set thread context of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | process | target process
  3928 | 4656 | WerFault.exe | svchost.exe
  4420 | 4656 | WerFault.exe | svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | process
  3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | process | target process
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 3468 wrote to memory of 2052 | 3468 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | aa3f313ac924c27b2d2fe5acf6c5401a.exe
  PID 2052 wrote to memory of 4656 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | svchost.exe
  PID 2052 wrote to memory of 4656 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | svchost.exe
  PID 2052 wrote to memory of 4656 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | svchost.exe
  PID 2052 wrote to memory of 4656 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | svchost.exe
  PID 2052 wrote to memory of 4380 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | msedge.exe
  PID 2052 wrote to memory of 4380 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | msedge.exe
  PID 2052 wrote to memory of 4380 | 2052 | aa3f313ac924c27b2d2fe5acf6c5401a.exe | msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe"
  PID: 3468
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\aa3f313ac924c27b2d2fe5acf6c5401a.exe
    PID: 2052
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 4656
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 480
        PID: 3928
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 488
        PID: 4420
        - Program crash
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 4380
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4656 -ip 4656
  PID: 3516
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4656 -ip 4656
  PID: 4340