Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 00:34
Static task: static1
Behavioral task: behavioral1
- Sample: a7c3493de6970cd2c7f3fa099893459e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a7c3493de6970cd2c7f3fa099893459e.exe
- Resource: win10v2004-20240226-en
General
- Target: a7c3493de6970cd2c7f3fa099893459e.exe
- Size: 101KB
- MD5: a7c3493de6970cd2c7f3fa099893459e
- SHA1: a8b0e309791b5b47b8dee083c7071625560379aa
- SHA256: 63bf4e48621084d50df9174f5c548168ebb3c26d91299d9e129c30b37b6a33b7
- SHA512: 26a2417ea4e2d022a1b96b6f30cebb1bc56bffb3a30bd3421b8dfcc14f95700f34e6b8b131e7868ddf16cc18111145ca6d47a6d4310dca03ee811eedc0b657b6
- SSDEEP: 1536:Ogh/Qk5xku/BTxnW069gE9nKzFre0FT98nvhVGqDjNldt8+xwIiuilPLzHPop3a4:7h/Qk5xku/BTQ00hVGYjNdliRLzw
Malware Config
Extracted
- Family: xtremerat
- C2: ketchup.no-ip.biz
Signatures
-
Detect XtremeRAT payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2748-10-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2492-13-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2748-14-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
behavioral1/memory/2492-15-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Processes:
resource | yara_rule
behavioral1/memory/2748-3-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2748-4-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2748-7-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2748-10-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2748-9-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2492-13-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2748-14-0x0000000010000000-0x000000001004D000-memory.dmp | upx
behavioral1/memory/2492-15-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1504 set thread context of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
1504 | a7c3493de6970cd2c7f3fa099893459e.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description | pid | process | target process
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 1504 wrote to memory of 2748 | 1504 | a7c3493de6970cd2c7f3fa099893459e.exe | a7c3493de6970cd2c7f3fa099893459e.exe
PID 2748 wrote to memory of 2492 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | svchost.exe
PID 2748 wrote to memory of 2492 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | svchost.exe
PID 2748 wrote to memory of 2492 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | svchost.exe
PID 2748 wrote to memory of 2492 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | svchost.exe
PID 2748 wrote to memory of 2492 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | svchost.exe
PID 2748 wrote to memory of 2604 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | iexplore.exe
PID 2748 wrote to memory of 2604 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | iexplore.exe
PID 2748 wrote to memory of 2604 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | iexplore.exe
PID 2748 wrote to memory of 2604 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | iexplore.exe
PID 2748 wrote to memory of 2604 | 2748 | a7c3493de6970cd2c7f3fa099893459e.exe | iexplore.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7c3493de6970cd2c7f3fa099893459e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7c3493de6970cd2c7f3fa099893459e.exe"
  PID: 1504
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\a7c3493de6970cd2c7f3fa099893459e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a7c3493de6970cd2c7f3fa099893459e.exe
    PID: 2748
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 2492
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2604