Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 28-02-2024 16:34
Behavioral task behavioral1
Sample: ac581b09eee4b97dcf18144202c732ef.exe
Resource: win7-20240220-en

Behavioral task behavioral2
Sample: ac581b09eee4b97dcf18144202c732ef.exe
Resource: win10v2004-20240226-en
General
Target: ac581b09eee4b97dcf18144202c732ef.exe
Size: 62KB
MD5: ac581b09eee4b97dcf18144202c732ef
SHA1: 135b6d20769939253fea76b666e9b0528048d0d2
SHA256: 853890c8360ab0aa68f8bf9c63f87019b2ca574e3b600f0dec678d3fb250dc80
SHA512: 893afcd6b27d4f28800baa19cfbce7d8c75d6bf7d4342c8a786341d37a25f06d5cf42a0f3d127153c023d2da500104d60940d430b378e170532808d0781376a2
SSDEEP: 1536:sT8qDqQ8K9MK3tGHbNwPZ6oIeXHWTl5NX3F:SqMyKdsPeXHW5R
Malware Config
Extracted
xtremerat
11hack11.no-ip.biz
11hack1.no-ip.biz
jouba.no-ip.biz
Signatures
Detect XtremeRAT payload (3 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/2224-2-0x0000000010000000-0x0000000010047000-memory.dmp    family_xtremerat
behavioral1/memory/2204-3-0x0000000010000000-0x0000000010047000-memory.dmp    family_xtremerat
behavioral1/memory/2224-4-0x0000000010000000-0x0000000010047000-memory.dmp    family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                        pid   process                                  target process
PID 2204 wrote to memory of 2224   2204  ac581b09eee4b97dcf18144202c732ef.exe     svchost.exe
PID 2204 wrote to memory of 2224   2204  ac581b09eee4b97dcf18144202c732ef.exe     svchost.exe
PID 2204 wrote to memory of 2224   2204  ac581b09eee4b97dcf18144202c732ef.exe     svchost.exe
PID 2204 wrote to memory of 2224   2204  ac581b09eee4b97dcf18144202c732ef.exe     svchost.exe
PID 2204 wrote to memory of 2224   2204  ac581b09eee4b97dcf18144202c732ef.exe     svchost.exe
PID 2204 wrote to memory of 2900   2204  ac581b09eee4b97dcf18144202c732ef.exe     iexplore.exe
PID 2204 wrote to memory of 2900   2204  ac581b09eee4b97dcf18144202c732ef.exe     iexplore.exe
PID 2204 wrote to memory of 2900   2204  ac581b09eee4b97dcf18144202c732ef.exe     iexplore.exe
PID 2204 wrote to memory of 2900   2204  ac581b09eee4b97dcf18144202c732ef.exe     iexplore.exe
PID 2204 wrote to memory of 2900   2204  ac581b09eee4b97dcf18144202c732ef.exe     iexplore.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ac581b09eee4b97dcf18144202c732ef.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ac581b09eee4b97dcf18144202c732ef.exe"
  PID: 2204
  Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 2224
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2900