xtremerat | 4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2

General

Target

4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
Size

886KB
MD5

40eaca541433514a31508b7a328db6ef
SHA1

bca267e3a5007147c9c0cb44612bf6027b47ba76
SHA256

4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2
SHA512

3fa774f21f13b349e3474ba6da9d0835151d31847f2051f731d24a71e8e6b66be0d35d495b4db9bed7f1697c55533c141b2b70f8d94d53d3e7b50e6cc9ffbf24

Score

10^/10

Malware Config

Signatures

Detect XtremeRAT payload 16 IoCs

resource	yara_rule
behavioral1/memory/1100-59-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-60-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-61-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-62-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-63-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-65-0x0000000000C88ABC-mapping.dmp	family_xtremerat
behavioral1/memory/1100-64-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-66-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-68-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-69-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1984-72-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1984-75-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1400-78-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1400-81-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1100-82-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/1400-83-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JE2C8F4-2VT5-K1NJ-HRTM-4K0C061TM2ID}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\Update.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JE2C8F4-2VT5-K1NJ-HRTM-4K0C061TM2ID}	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JE2C8F4-2VT5-K1NJ-HRTM-4K0C061TM2ID}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\Update.exe restart"	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2JE2C8F4-2VT5-K1NJ-HRTM-4K0C061TM2ID}	svchost.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Facebook = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\Update.exe"	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Facebook = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\Update.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Facebook = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\Update.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Facebook = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdate\\Update.exe"	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\L:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\N:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\V:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\B:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\G:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\T:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\W:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\Y:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\Z:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\Q:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\S:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\O:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\R:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\A:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\I:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\H:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\K:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\M:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\P:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\U:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\X:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\E:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
File opened (read-only)	\??\F:	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 272 set thread context of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 272 wrote to memory of 1100	272	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe	28
PID 1100 wrote to memory of 1984	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	29
PID 1100 wrote to memory of 1984	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	29
PID 1100 wrote to memory of 1984	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	29
PID 1100 wrote to memory of 1984	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	29
PID 1100 wrote to memory of 1984	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	29
PID 1100 wrote to memory of 568	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	30
PID 1100 wrote to memory of 568	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	30
PID 1100 wrote to memory of 568	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	30
PID 1100 wrote to memory of 568	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	30
PID 1100 wrote to memory of 1400	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	31
PID 1100 wrote to memory of 1400	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	31
PID 1100 wrote to memory of 1400	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	31
PID 1100 wrote to memory of 1400	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	31
PID 1100 wrote to memory of 1400	1100	4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE	31

C:\Users\Admin\AppData\Local\Temp\4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe
"C:\Users\Admin\AppData\Local\Temp\4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272
- C:\Users\Admin\AppData\Local\Temp\4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE
  "C:\Users\Admin\AppData\Local\Temp\4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2.ExE"
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:1984
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinUpdate\Update.exe

Filesize
886KB

MD5
40eaca541433514a31508b7a328db6ef

SHA1
bca267e3a5007147c9c0cb44612bf6027b47ba76

SHA256
4adbe2d65372183b94331aa85fbc68fd11c1031a36f316c8fe07e226f04651d2

SHA512
3fa774f21f13b349e3474ba6da9d0835151d31847f2051f731d24a71e8e6b66be0d35d495b4db9bed7f1697c55533c141b2b70f8d94d53d3e7b50e6cc9ffbf24

Download Submit
memory/1100-67-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1100-57-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-60-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-61-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-62-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-63-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-68-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-66-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-82-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-64-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-69-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-56-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1100-59-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1400-80-0x0000000072D01000-0x0000000072D03000-memory.dmp

Filesize
8KB

Download
memory/1400-81-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1400-83-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/1984-75-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads