Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-02-2024 18:02
Static task: static1
Behavioral task: behavioral1
  Sample: af1f8e0fdbf5e04bc0480aefc117dd8c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: af1f8e0fdbf5e04bc0480aefc117dd8c.exe
  Resource: win10v2004-20240226-en
General
- Target: af1f8e0fdbf5e04bc0480aefc117dd8c.exe
- Size: 724KB
- MD5: af1f8e0fdbf5e04bc0480aefc117dd8c
- SHA1: d5eaf066341be143cadf098ead2a1592a3c33813
- SHA256: 15dafaf753155c4cff9e3b038ca0bc582d79e1852a01007fc2a2968ee4371fac
- SHA512: 61736c38a85efd58cc2926deab3a5f34ed3ed410a4b0fe8f68e169b5adc1fdb7619aca5105b7bfe348c5e6fa643dbcee370cc9a240ee2589eb071bdbcf8be5f8
- SSDEEP: 3072:ZIutLa9HJZCKxtKnFpSRSd1tAvPOaDgWYdx920HyL2vePlKRqiRneQwEbenDuee3:asheQqld6
Malware Config
- Extracted: xtremerat
  mmm1212.no-ip.biz
Signatures
- Detect XtremeRAT payload (7 IoCs)
  Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2888-4-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2888-5-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2888-7-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2888-8-0x0000000010000000-0x000000001004A000-memory.dmp  family_xtremerat
  behavioral1/memory/2516-11-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat
  behavioral1/memory/2888-12-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat
  behavioral1/memory/2516-13-0x0000000010000000-0x000000001004A000-memory.dmp family_xtremerat
  XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid   process                               target process
  PID 2456 set thread context of 2888   2456  af1f8e0fdbf5e04bc0480aefc117dd8c.exe  af1f8e0fdbf5e04bc0480aefc117dd8c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  2456  af1f8e0fdbf5e04bc0480aefc117dd8c.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (identical entries collapsed, with the number of times each appears):
  description                        pid   process                               target process                        entries
  PID 2456 wrote to memory of 2888   2456  af1f8e0fdbf5e04bc0480aefc117dd8c.exe  af1f8e0fdbf5e04bc0480aefc117dd8c.exe  14
  PID 2888 wrote to memory of 2516   2888  af1f8e0fdbf5e04bc0480aefc117dd8c.exe  svchost.exe                           5
  PID 2888 wrote to memory of 2584   2888  af1f8e0fdbf5e04bc0480aefc117dd8c.exe  iexplore.exe                          5
Processes
- C:\Users\Admin\AppData\Local\Temp\af1f8e0fdbf5e04bc0480aefc117dd8c.exe (PID: 2456)
  command line: "C:\Users\Admin\AppData\Local\Temp\af1f8e0fdbf5e04bc0480aefc117dd8c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\af1f8e0fdbf5e04bc0480aefc117dd8c.exe (PID: 2888)
    command line: C:\Users\Admin\AppData\Local\Temp\af1f8e0fdbf5e04bc0480aefc117dd8c.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID: 2516)
      command line: svchost.exe
    - C:\Program Files\Internet Explorer\iexplore.exe (PID: 2584)
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"