Analysis
max time kernel: 120s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2024 06:39
Static task: static1
Behavioral task: behavioral1
Sample: 18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe
Resource: win7-20241010-en
General
Target: 18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe
Size: 62KB
MD5: 81150067656989d2e2811d08fdcd7d80
SHA1: 5c61ed1e8ac0c787e590067d5e0953ca499f88bd
SHA256: 18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37
SHA512: 74e9c63cac3b60c01463e655304212255be7d0db88896225deac3ed0eb211f7977603c194937dbfb55bf1532d8b8531999b576c3f347002cf3db3c33e70a2324
SSDEEP: 1536:b8qS+OLPjNW71rGYDAWeotvXllSTeoJ9s4hxajeNbFF2:bk+OL7NW7zEvotvX/6egu4KUbP2
Malware Config
Signatures
Detect XtremeRAT payload (4 IoCs)
resource  yara_rule
behavioral1/memory/2080-14-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral1/memory/2080-13-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral1/memory/2924-17-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
behavioral1/memory/2924-19-0x0000000010000000-0x000000001004D000-memory.dmp  family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Xtremerat family
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (8 IoCs)
description  pid  Process  procid_target
PID 1644 set thread context of 2080  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  30
PID 1644 set thread context of 2884  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  33
PID 1644 set thread context of 1240  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  35
PID 1644 set thread context of 1940  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  37
PID 1644 set thread context of 1404  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  39
PID 1644 set thread context of 560  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  41
PID 1644 set thread context of 2076  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  43
PID 1644 set thread context of 2516  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  45
resource  yara_rule
behavioral1/memory/2080-14-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2080-13-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2080-8-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2080-6-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2080-4-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2080-12-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2924-17-0x0000000010000000-0x000000001004D000-memory.dmp  upx
behavioral1/memory/2924-19-0x0000000010000000-0x000000001004D000-memory.dmp  upx
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid  Process
1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  (8 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description  pid  Process
Token: SeDebugPrivilege  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, raw entry count in parentheses)
description  pid  Process  procid_target
PID 1644 wrote to memory of 2080  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  30  (8 entries)
PID 2080 wrote to memory of 2924  2080  vbc.exe  31  (5 entries)
PID 2080 wrote to memory of 2684  2080  vbc.exe  32  (5 entries)
PID 1644 wrote to memory of 2884  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  33  (8 entries)
PID 2884 wrote to memory of 2708  2884  vbc.exe  34  (5 entries)
PID 1644 wrote to memory of 1240  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  35  (8 entries)
PID 1240 wrote to memory of 396  1240  vbc.exe  36  (5 entries)
PID 1644 wrote to memory of 1940  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  37  (8 entries)
PID 1940 wrote to memory of 2972  1940  vbc.exe  38  (5 entries)
PID 1644 wrote to memory of 1404  1644  18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe  39  (7 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\18134d44f9e32e9333e9b42ff2be7311400784f0a5c467e2dcb07127cefafe37N.exe"
  PID: 1644
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2080
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      command line: svchost.exe
      PID: 2924
      - System Location Discovery: System Language Discovery
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2684
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2884
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2708
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 1240
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 396
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 1940
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2972
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 1404
    - System Location Discovery: System Language Discovery
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2408
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 560
    - System Location Discovery: System Language Discovery
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 2404
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2076
    - System Location Discovery: System Language Discovery
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1796
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2516
    - System Location Discovery: System Language Discovery
    C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1924