xtremerat | a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247

General

Target

a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe
Size

132KB
MD5

569884b24b3a48a7283a36027dbbd0bf
SHA1

24514373a752bd755d3e9d185986221b5cfd6859
SHA256

a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247
SHA512

af057bde22eb4db6b22ba2f970a99f4a4bdc1aa85a3259be074e7ef5aaedaa4bcc4630839babb385d48d30d567ec9370fdcb8c823e0f0470d574248e970b5e6e
SSDEEP

1536:DnxxQWRT5e6K2DxdzKCJTAS5Q/+4xvgtYQIo9tXoGzX/nnRcymY:DnxSH2Dxdz38R/IOQIoUcnRcymY

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

moroccanghosts.no-ip.biz

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4244-145-0x0000000010000000-0x0000000010049000-memory.dmp	family_xtremerat
behavioral2/memory/4896-146-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4244-147-0x0000000010000000-0x0000000010049000-memory.dmp	family_xtremerat
behavioral2/memory/4896-148-0x0000000010000000-0x0000000010049000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4244-142-0x0000000010000000-0x0000000010049000-memory.dmp	upx
behavioral2/memory/4244-144-0x0000000010000000-0x0000000010049000-memory.dmp	upx
behavioral2/memory/4244-145-0x0000000010000000-0x0000000010049000-memory.dmp	upx
behavioral2/memory/4244-147-0x0000000010000000-0x0000000010049000-memory.dmp	upx
behavioral2/memory/4896-148-0x0000000010000000-0x0000000010049000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2056 set thread context of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4688	4896	WerFault.exe	81
1900	4896	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe
2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 2056 wrote to memory of 4244	2056	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	80
PID 4244 wrote to memory of 4896	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	81
PID 4244 wrote to memory of 4896	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	81
PID 4244 wrote to memory of 4896	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	81
PID 4244 wrote to memory of 4896	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	81
PID 4244 wrote to memory of 4824	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	82
PID 4244 wrote to memory of 4824	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	82
PID 4244 wrote to memory of 4824	4244	a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe	82

C:\Users\Admin\AppData\Local\Temp\a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe
"C:\Users\Admin\AppData\Local\Temp\a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe
  "C:\Users\Admin\AppData\Local\Temp\a87ade15fdadcdf157bbaecca6658beea4964cdf2359789d12fb5c2d39b7c247.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 480
      4⤵
      Program crash
      PID:4688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 500
      4⤵
      Program crash
      PID:1900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4896 -ip 4896
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4896 -ip 4896
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-140-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2056-139-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2056-132-0x0000000000570000-0x0000000000580000-memory.dmp

Filesize
64KB

Download
memory/2056-135-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2056-136-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2056-137-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2056-133-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2056-138-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2056-134-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/4244-142-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/4244-144-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/4244-145-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/4244-147-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download
memory/4896-148-0x0000000010000000-0x0000000010049000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing