xtremerat | 838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7

Analysis

max time kernel
150s
max time network
189s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
Size

614KB
MD5

d3e489837c6dc761b9a1d355d0aea80c
SHA1

0f089235f5d4577bc5df82f44067172149786dbf
SHA256

838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7
SHA512

8444e82b0a6fa0fddf9443c6e82a7c68b96fbfdd03907f427d2243c71af0909a83ec65788e51efe860de47c98f97e267eefebdd196865fc69303fd7e95ab3311
SSDEEP

12288:aK2mhAMJ/cPld+1Ys7XVEIoXYbAgtDvfPPiyVDQBmQ48GraUCXGM00pT9t2pR:r2O/Gld+1Ysrco0iHhhQBmF8UaUCj0TH

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

alertsdanish.bounceme.net

čalertsdanish.bounceme.net

Signatures

Detect XtremeRAT payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-70-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-74-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-72-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-73-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-71-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-76-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-77-0x000000001000D0F4-mapping.dmp	family_xtremerat
behavioral1/memory/1164-79-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-81-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-83-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/1164-84-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/888-87-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/892-91-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1164-94-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/888-97-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/892-98-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat
behavioral1/memory/888-101-0x0000000010000000-0x0000000010097000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 2 IoCs

Processes:

fumic.exefumic.EXE

pid process

948 fumic.exe
1164 fumic.EXE

pid	process
948	fumic.exe
1164	fumic.EXE

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TWDB4HK2-65MQ-224E-01L2-YY6624NJV2XC}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TWDB4HK2-65MQ-224E-01L2-YY6624NJV2XC}\StubPath = "C:\\Windows\\InstallDir\\svchost.exe restart"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TWDB4HK2-65MQ-224E-01L2-YY6624NJV2XC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{TWDB4HK2-65MQ-224E-01L2-YY6624NJV2XC}\StubPath = "C:\\Windows\\InstallDir\\svchost.exe"	svchost.exe

Loads dropped DLL 6 IoCs

Processes:

838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exefumic.exe

pid	process
1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
948	fumic.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\svchost.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\svchost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\svchost.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\svchost.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fumic.exe

description pid process target process

PID 948 set thread context of 1164 948 fumic.exe fumic.EXE

description	pid	process	target process
PID 948 set thread context of 1164	948	fumic.exe	fumic.EXE

Drops file in Windows directory 5 IoCs

Processes:

explorer.exefumic.EXE

description	ioc	process
File opened for modification	C:\Windows\InstallDir\svchost.exe	explorer.exe
File created	C:\Windows\InstallDir\svchost.exe	explorer.exe
File opened for modification	C:\Windows\InstallDir\	explorer.exe
File created	C:\Windows\210Moto-Azabu Hills Apt 2204 Rosbacher.pdf.exe	fumic.EXE
File created	C:\Windows\210Moto-Azabu Hills Apt 2204 Rosbacher.pdf	fumic.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

fumic.exeexplorer.exeAcroRd32.exe

pid process

948 fumic.exe
892 explorer.exe
1036 AcroRd32.exe
1036 AcroRd32.exe
1036 AcroRd32.exe

pid	process
948	fumic.exe
892	explorer.exe
1036	AcroRd32.exe
1036	AcroRd32.exe
1036	AcroRd32.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exefumic.exefumic.EXE

description	pid	process	target process
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 1952 wrote to memory of 948	1952	838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe	fumic.exe
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 948 wrote to memory of 1164	948	fumic.exe	fumic.EXE
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 888	1164	fumic.EXE	svchost.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 892	1164	fumic.EXE	explorer.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe
PID 1164 wrote to memory of 1036	1164	fumic.EXE	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe
"C:\Users\Admin\AppData\Local\Temp\838f09135a6741e7dec0e91b348ce34406d0b632897f1caba00fb7eee13d09f7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\fumic.exe
  "C:\Users\Admin\AppData\Local\Temp\fumic.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\fumic.EXE
    "C:\Users\Admin\AppData\Local\Temp\fumic.EXE"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:888
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:892
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Windows\210Moto-Azabu Hills Apt 2204 Rosbacher.pdf"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fumic.EXE

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
C:\Windows\210Moto-Azabu Hills Apt 2204 Rosbacher.pdf

Filesize
308KB

MD5
23bbd7c3a81207672ed44de64c7a3289

SHA1
a190365064ad07ca95fcbe03c175b1ad575e1aa2

SHA256
d23e94dfa47e49e83e3fbd60817e2cd20701ec1d06a4310845edfdb5f784b34d

SHA512
4e1c7c423c6385376ab1bad1f660a8bb9bb9af0d94befcf65ceee7057dcc4991beb5abc4e4a5339c7c3b65a4ff60627b0381cc75cb1f1e9ae4c85ab93df397e4

Download Submit
C:\Windows\InstallDir\svchost.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
\Users\Admin\AppData\Local\Temp\Fumic.exe

Filesize
519KB

MD5
b1415073293fa408b8c1a31bdc34fcc4

SHA1
37642c6145a1f451c88b710b8573bca7afa7ba81

SHA256
39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

SHA512
b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

Download Submit
memory/888-87-0x0000000000000000-mapping.dmp

Download
memory/888-101-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/888-97-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/892-91-0x0000000000000000-mapping.dmp

Download
memory/892-98-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/892-96-0x00000000749D1000-0x00000000749D3000-memory.dmp

Filesize
8KB

Download
memory/948-60-0x0000000000000000-mapping.dmp

Download
memory/1036-93-0x0000000000000000-mapping.dmp

Download
memory/1164-83-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-68-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-81-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-70-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-84-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-74-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-77-0x000000001000D0F4-mapping.dmp

Download
memory/1164-79-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-94-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-76-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-71-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-73-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-67-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1164-72-0x0000000010000000-0x0000000010097000-memory.dmp

Filesize
604KB

Download
memory/1952-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download