xtremerat | 3fbbfe2ff14aed34219b3449a6a555c453ebd7acbb999a32f893b234b34dfab0

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 16:21

Target

b9214c384345b04a88275de4bc7de7b7.exe
Size

45KB
MD5

b9214c384345b04a88275de4bc7de7b7
SHA1

4fb301633f8c9a5ff27a7eaea4c7026b64a5681f
SHA256

3fbbfe2ff14aed34219b3449a6a555c453ebd7acbb999a32f893b234b34dfab0
SHA512

c556bb0ddd25d3d0452bee5d78621799e8fc653eb23563fa0e38d10947aa4ed6aa1549a10ad7f7376191525d88f8fff1679cb237e94e620a59a4e0fad20222f9
SSDEEP

768:9Br+tjFY90iY6W1jwmDzKgEFQXpklSTAnX8hwfOgw08Azo5J:jyRh31jxPEFQXpkcIX84blo5J

Score

10^/10

Detect XtremeRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1976-0-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2376	1976	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2376	1976	b9214c384345b04a88275de4bc7de7b7.exe	28
PID 1976 wrote to memory of 2376	1976	b9214c384345b04a88275de4bc7de7b7.exe	28
PID 1976 wrote to memory of 2376	1976	b9214c384345b04a88275de4bc7de7b7.exe	28
PID 1976 wrote to memory of 2376	1976	b9214c384345b04a88275de4bc7de7b7.exe	28

C:\Users\Admin\AppData\Local\Temp\b9214c384345b04a88275de4bc7de7b7.exe
"C:\Users\Admin\AppData\Local\Temp\b9214c384345b04a88275de4bc7de7b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 160
  2⤵
  - Program crash
  PID:2376

memory/1976-0-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download