Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-02-2024 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: abfaec448463602043f960db23960e56.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: abfaec448463602043f960db23960e56.exe
  Resource: win10v2004-20240226-en
General
Target: abfaec448463602043f960db23960e56.exe
Size: 67KB
MD5: abfaec448463602043f960db23960e56
SHA1: 213d64f9600838ec8f24d0f5a59ccc0c4dd836f3
SHA256: b7da54fc653b6a932e7dcd386b553d2014c56be60f8e367b34afc750c1c68af9
SHA512: bd8de3f2b968891f20c53287a75e6d0cf798300834bf2666252aa272c7c2dec8ca54c2fd93baea29648f32338792b64750d289a8850b23aedfa899ff820ffe0b
SSDEEP: 1536:Kthmxm0wZy9s0BdutSHj5afwIYa/n5FRubqTQ9TvT:KuxxLBgtKNk4O5Fv8T7
Malware Config (extracted)
xtremerat
conhecidos.dyndns.org
Signatures
Detect XtremeRAT payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3956-7-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral2/memory/3956-6-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral2/memory/1680-8-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
  behavioral2/memory/1680-9-0x0000000010000000-0x000000001004D000-memory.dmp | family_xtremerat
XtremeRAT
  XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
yara_rule upx matches
  resource | yara_rule
  behavioral2/memory/3956-0-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/3956-1-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/3956-2-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/3956-4-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/3956-7-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/3956-6-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/1680-8-0x0000000010000000-0x000000001004D000-memory.dmp | upx
  behavioral2/memory/1680-9-0x0000000010000000-0x000000001004D000-memory.dmp | upx
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 4800 set thread context of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
  pid | pid_target | process | target process
  2592 | 1680 | WerFault.exe | svchost.exe
  1516 | 1680 | WerFault.exe | svchost.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | process | target process
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 4800 wrote to memory of 3956 | 4800 | abfaec448463602043f960db23960e56.exe | abfaec448463602043f960db23960e56.exe
  PID 3956 wrote to memory of 1680 | 3956 | abfaec448463602043f960db23960e56.exe | svchost.exe
  PID 3956 wrote to memory of 1680 | 3956 | abfaec448463602043f960db23960e56.exe | svchost.exe
  PID 3956 wrote to memory of 1680 | 3956 | abfaec448463602043f960db23960e56.exe | svchost.exe
  PID 3956 wrote to memory of 1680 | 3956 | abfaec448463602043f960db23960e56.exe | svchost.exe
  PID 3956 wrote to memory of 4868 | 3956 | abfaec448463602043f960db23960e56.exe | msedge.exe
  PID 3956 wrote to memory of 4868 | 3956 | abfaec448463602043f960db23960e56.exe | msedge.exe
  PID 3956 wrote to memory of 4868 | 3956 | abfaec448463602043f960db23960e56.exe | msedge.exe
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe"
  PID: 4800
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
    command line: C:\Users\Admin\AppData\Local\Temp\abfaec448463602043f960db23960e56.exe
    PID: 3956
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 1680
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 480
        PID: 2592
        - Program crash
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 488
        PID: 1516
        - Program crash
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      PID: 4868
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1680 -ip 1680
  PID: 1920
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1680 -ip 1680
  PID: 2020