xtremerat | 01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216

General

Target

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
Size

366KB
MD5

58ab608bd203846607e6fe52381dad9d
SHA1

e861165ddc44b91b5697dbebdabfea0db3c4aa0e
SHA256

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216
SHA512

1f28e5d8c396f60aed3a4c087776db7d6c1d23578c70deb3edd19a044ee498e4fee54d59d6232b0362a5cef9a6209122fb1c5065cc1c80f87cede2e96a28c853

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2284-138-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/2284-142-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4904-143-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4904-147-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

ACProtect 1.3x - 1.4x DLL software 8 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp	acprotect

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2284-135-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2284-137-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2284-138-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/2284-142-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4904-147-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Loads dropped DLL 7 IoCs

Processes:

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exeWerFault.exeWerFault.exe

pid	process
4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
3644	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

description	pid	process	target process
PID 4476 set thread context of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3644 4904 WerFault.exe svchost.exe
1056 4904 WerFault.exe svchost.exe

pid	pid_target	process	target process
3644	4904	WerFault.exe	svchost.exe
1056	4904	WerFault.exe	svchost.exe

Modifies registry class 3 IoCs

Processes:

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

pid	process
4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe

description	pid	process	target process
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 4476 wrote to memory of 2284	4476	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
PID 2284 wrote to memory of 4904	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	svchost.exe
PID 2284 wrote to memory of 4904	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	svchost.exe
PID 2284 wrote to memory of 4904	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	svchost.exe
PID 2284 wrote to memory of 4904	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	svchost.exe
PID 2284 wrote to memory of 4680	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	msedge.exe
PID 2284 wrote to memory of 4680	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	msedge.exe
PID 2284 wrote to memory of 4680	2284	01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
"C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe
"C:\Users\Admin\AppData\Local\Temp\01b90464c4c6df17e6d5f0d468eb05261507204faa2993137e0639cbf2822216.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 480
4⤵
- Loads dropped DLL
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 488
4⤵
- Loads dropped DLL
- Program crash
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4904 -ip 4904
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4904 -ip 4904
1⤵
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpi97A1.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/2284-135-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-142-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-138-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-137-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-134-0x0000000000000000-mapping.dmp

Download
memory/4904-143-0x0000000000000000-mapping.dmp

Download
memory/4904-147-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads