Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
28-02-2024 13:22
Static task
static1
Behavioral task
behavioral1
Sample
abfaec448463602043f960db23960e56.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
abfaec448463602043f960db23960e56.exe
Resource
win10v2004-20240226-en
General
-
Target
abfaec448463602043f960db23960e56.exe
-
Size
67KB
-
MD5
abfaec448463602043f960db23960e56
-
SHA1
213d64f9600838ec8f24d0f5a59ccc0c4dd836f3
-
SHA256
b7da54fc653b6a932e7dcd386b553d2014c56be60f8e367b34afc750c1c68af9
-
SHA512
bd8de3f2b968891f20c53287a75e6d0cf798300834bf2666252aa272c7c2dec8ca54c2fd93baea29648f32338792b64750d289a8850b23aedfa899ff820ffe0b
-
SSDEEP
1536:Kthmxm0wZy9s0BdutSHj5afwIYa/n5FRubqTQ9TvT:KuxxLBgtKNk4O5Fv8T7
Malware Config
Extracted
xtremerat
conhecidos.dyndns.org
Signatures
-
Detect XtremeRAT payload 4 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2472-12-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral1/memory/2472-11-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral1/memory/2536-15-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
behavioral1/memory/2536-16-0x0000000010000000-0x000000001004D000-memory.dmp   family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
-
Processes:
resource                                                                      yara_rule
behavioral1/memory/2472-1-0x0000000010000000-0x000000001004D000-memory.dmp    upx
behavioral1/memory/2472-3-0x0000000010000000-0x000000001004D000-memory.dmp    upx
behavioral1/memory/2472-5-0x0000000010000000-0x000000001004D000-memory.dmp    upx
behavioral1/memory/2472-12-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral1/memory/2472-11-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral1/memory/2472-10-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral1/memory/2536-15-0x0000000010000000-0x000000001004D000-memory.dmp   upx
behavioral1/memory/2536-16-0x0000000010000000-0x000000001004D000-memory.dmp   upx
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                           pid   process                                target process
PID 2292 set thread context of 2472   2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                           pid   process                                target process
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2292 wrote to memory of 2472      2292  abfaec448463602043f960db23960e56.exe   abfaec448463602043f960db23960e56.exe
PID 2472 wrote to memory of 2536      2472  abfaec448463602043f960db23960e56.exe   svchost.exe
PID 2472 wrote to memory of 2536      2472  abfaec448463602043f960db23960e56.exe   svchost.exe
PID 2472 wrote to memory of 2536      2472  abfaec448463602043f960db23960e56.exe   svchost.exe
PID 2472 wrote to memory of 2536      2472  abfaec448463602043f960db23960e56.exe   svchost.exe
PID 2472 wrote to memory of 2536      2472  abfaec448463602043f960db23960e56.exe   svchost.exe
PID 2472 wrote to memory of 2592      2472  abfaec448463602043f960db23960e56.exe   iexplore.exe
PID 2472 wrote to memory of 2592      2472  abfaec448463602043f960db23960e56.exe   iexplore.exe
PID 2472 wrote to memory of 2592      2472  abfaec448463602043f960db23960e56.exe   iexplore.exe
PID 2472 wrote to memory of 2592      2472  abfaec448463602043f960db23960e56.exe   iexplore.exe
PID 2472 wrote to memory of 2592      2472  abfaec448463602043f960db23960e56.exe   iexplore.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe"
  level 1, PID: 2292
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
    level 2, PID: 2472
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      level 3, PID: 2536
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      level 3, PID: 2592