Analysis
max time kernel: 95s
max time network: 115s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-02-2024 16:34
Behavioral task: behavioral1
Sample: ac581b09eee4b97dcf18144202c732ef.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: ac581b09eee4b97dcf18144202c732ef.exe
Resource: win10v2004-20240226-en
General
Target: ac581b09eee4b97dcf18144202c732ef.exe
Size: 62KB
MD5: ac581b09eee4b97dcf18144202c732ef
SHA1: 135b6d20769939253fea76b666e9b0528048d0d2
SHA256: 853890c8360ab0aa68f8bf9c63f87019b2ca574e3b600f0dec678d3fb250dc80
SHA512: 893afcd6b27d4f28800baa19cfbce7d8c75d6bf7d4342c8a786341d37a25f06d5cf42a0f3d127153c023d2da500104d60940d430b378e170532808d0781376a2
SSDEEP: 1536:sT8qDqQ8K9MK3tGHbNwPZ6oIeXHWTl5NX3F:SqMyKdsPeXHW5R
Malware Config
Extracted family: xtremerat
Extracted hosts:
11hack11.no-ip.biz
11hack1.no-ip.biz
耀ǖڊڊڊڊ夰3ۃ镈ڈ졀jouba.no-ip.biz
Signatures

Detect XtremeRAT payload (3 IoCs)
resource                                                                          yara_rule
behavioral2/memory/3836-0-0x0000000010000000-0x0000000010047000-memory.dmp        family_xtremerat
behavioral2/memory/4624-1-0x0000000010000000-0x0000000010047000-memory.dmp        family_xtremerat
behavioral2/memory/3836-2-0x0000000010000000-0x0000000010047000-memory.dmp        family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid    pid_target    process         target process
3368   3836          WerFault.exe    svchost.exe
4568   3836          WerFault.exe    svchost.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid     process                                 target process
PID 4624 wrote to memory of 3836     4624    ac581b09eee4b97dcf18144202c732ef.exe    svchost.exe
PID 4624 wrote to memory of 3836     4624    ac581b09eee4b97dcf18144202c732ef.exe    svchost.exe
PID 4624 wrote to memory of 3836     4624    ac581b09eee4b97dcf18144202c732ef.exe    svchost.exe
PID 4624 wrote to memory of 3836     4624    ac581b09eee4b97dcf18144202c732ef.exe    svchost.exe
PID 4624 wrote to memory of 3872     4624    ac581b09eee4b97dcf18144202c732ef.exe    msedge.exe
PID 4624 wrote to memory of 3872     4624    ac581b09eee4b97dcf18144202c732ef.exe    msedge.exe
PID 4624 wrote to memory of 3872     4624    ac581b09eee4b97dcf18144202c732ef.exe    msedge.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\ac581b09eee4b97dcf18144202c732ef.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac581b09eee4b97dcf18144202c732ef.exe"
    PID: 4624
    Signature: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
        Command line: svchost.exe
        PID: 3836

        C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 480
            PID: 3368
            Signature: Program crash

        C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 488
            PID: 4568
            Signature: Program crash

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        PID: 3872

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3836 -ip 3836
    PID: 2052

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3836 -ip 3836
    PID: 4816