Malware Analysis Report

2025-06-16 01:03

Sample ID 221123-y6cmaafa6y
Target 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922
SHA256 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922
Tags
xtremerat persistence rat spyware upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922

Threat Level: Known bad

The file 7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Detect XtremeRAT payload

XtremeRAT

Executes dropped EXE

UPX packed file

Modifies Installed Components in the registry

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-23 20:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 20:23

Reported

2022-11-23 23:21

Platform

win7-20221111-en

Max time kernel

211s

Max time network

282s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
(8 matches; no per-event indicator details recorded)

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0} C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
(9 matches; no per-event indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
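Added example (not part of the sandbox report and not vendor tooling): a Python triage of the persistence rows above. It parses the report's own "Set value (str)" lines, plus one constructed, well-formed control row (hypothetical GUID and path), classifies each write as Active Setup StubPath or Run-key persistence, checks that the Active Setup component name is a hex GUID (the one written here, {0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}, is not), and extracts the executable each entry launches so it can be collected and hashed from a live host. The "value named after a hive" and "target outside System32/SysWOW64" flags are this example's own heuristics, not sandbox signatures.

```python
import re

# Constructed input: the three "Set value (str)" rows from the behavioral1
# signatures above, copied in the report's "Description Indicator Process Target"
# row shape, plus one made-up well-formed control row (hypothetical GUID and path).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{12345678-90AB-CDEF-1234-567890ABCDEF}\StubPath = "C:\\Windows\\System32\\example.exe /quiet" C:\Windows\System32\msiexec.exe N/A',
]

ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) (\S+)$')
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)
# Directories under C:\Windows where a StubPath/Run target is expected to live (heuristic).
STANDARD_WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_row(row):
    """Split one 'Set value' row into key, value name, data and writing process."""
    m = ROW_RE.match(row)
    if not m:
        return None
    vtype, path, data, process, _target = m.groups()
    key, _, name = path.rpartition("\\")
    # The report escapes backslashes inside the quoted data; undo that.
    return {"type": vtype, "key": key, "name": name,
            "data": data.replace("\\\\", "\\"), "process": process}


def classify(entry):
    """Return a persistence finding for Active Setup / Run-key writes, else None."""
    key_l = entry["key"].lower()
    flags = []
    guid_ok = None
    if "\\active setup\\installed components\\" in key_l and entry["name"].lower() == "stubpath":
        kind = "active_setup"
        g = re.search(r"\{([^}]+)\}", entry["key"])
        # Legitimate components are registered under a hex GUID; this sample's is not.
        guid_ok = bool(g and GUID_RE.match(g.group(1)))
        if not guid_ok:
            flags.append("malformed_guid")
    elif key_l.endswith("\\currentversion\\run"):
        kind = "run_key"
        # Heuristic: a Run value literally named HKLM or HKCU, as written in this report.
        if entry["name"].upper() in ("HKLM", "HKCU"):
            flags.append("value_named_after_hive")
    else:
        return None
    exe = EXE_RE.match(entry["data"])
    target = exe.group(1) if exe else entry["data"]
    t = target.lower()
    # Heuristic: launch target under C:\Windows but outside the system directories.
    if t.startswith("c:\\windows\\") and not t.startswith(STANDARD_WINDOWS_DIRS):
        flags.append("target_in_nonstandard_windows_dir")
    return {"kind": kind, "key": entry["key"], "name": entry["name"],
            "target": target, "args": entry["data"][len(target):].strip(),
            "written_by": entry["process"], "guid_ok": guid_ok, "flags": flags}


def triage(rows):
    """Parse and classify every row; rows that are not persistence writes are dropped."""
    findings = []
    for row in rows:
        entry = parse_row(row)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


def persistence_targets(findings):
    """Unique executables the host will launch; collect and hash each one."""
    return sorted({f["target"] for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f["kind"], f["target"], f["args"] or "-",
              ",".join(f["flags"]) or "clean", "by", f["written_by"])
    print("collect:", persistence_targets(found))
```

On a live host the same classification can be fed from the Active Setup and Run keys directly; the point of the GUID format check is that it needs no signature for this family, only the rule that a component name must be a hex GUID.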

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 896 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe C:\Users\Admin\AppData\Local\Temp\taskgen.exe
PID 896 wrote to memory of 1356 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\taskgen.exe C:\Windows\SysWOW64\svchost.exe
PID 896 wrote to memory of 1448 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\taskgen.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe

"C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"

C:\Users\Admin\AppData\Local\Temp\taskgen.exe

"C:\Users\Admin\AppData\Local\Temp\taskgen.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 yocymusic.zapto.org udp

Files

memory/1276-55-0x000007FEF2DD0000-0x000007FEF3E66000-memory.dmp

memory/1276-56-0x0000000000B06000-0x0000000000B25000-memory.dmp

memory/896-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\taskgen.exe

MD5 ff53c2e05032c76a8457f2cde3ba1d3a
SHA1 15acfd27138b871a866f7aa5ffdfc6357d865cc1
SHA256 d2eaf2bda7a45563939d7ead777666263d1f9fcb94c5d3cf970aa90bad498c88
SHA512 c2bd5bb00fd3a1da735e1e598e2a7b1e7d1fe73e3911fa3cfa53f27d55d49df5ad947e37a7497eff252803c138b5d4c5471b48bf930a8b69e283ef222b2393fe

memory/896-59-0x0000000075E81000-0x0000000075E83000-memory.dmp

memory/1276-60-0x0000000000B06000-0x0000000000B25000-memory.dmp

memory/896-61-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/896-63-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/1356-66-0x0000000000000000-mapping.dmp

memory/1356-64-0x0000000000C80000-0x0000000000C96000-memory.dmp

C:\Windows\InstallDir\Server.exe

MD5 ff53c2e05032c76a8457f2cde3ba1d3a
SHA1 15acfd27138b871a866f7aa5ffdfc6357d865cc1
SHA256 d2eaf2bda7a45563939d7ead777666263d1f9fcb94c5d3cf970aa90bad498c88
SHA512 c2bd5bb00fd3a1da735e1e598e2a7b1e7d1fe73e3911fa3cfa53f27d55d49df5ad947e37a7497eff252803c138b5d4c5471b48bf930a8b69e283ef222b2393fe

memory/1356-68-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/1448-72-0x0000000000000000-mapping.dmp

memory/1448-74-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/896-75-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/1448-76-0x0000000000C80000-0x0000000000C96000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 20:23

Reported

2022-11-23 23:20

Platform

win10v2004-20221111-en

Max time kernel

174s

Max time network

180s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
(5 matches; no per-event indicator details recorded)

XtremeRAT

persistence spyware rat xtremerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0} C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0VX3O085-5WIK-A1Q4-ALGM-730EJ4851YA0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A

UPX packed file

upx
Description Indicator Process Target
(6 matches; no per-event indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
File created C:\Windows\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
File opened for modification C:\Windows\InstallDir\ C:\Users\Admin\AppData\Local\Temp\taskgen.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe

"C:\Users\Admin\AppData\Local\Temp\7b6fea8906a1311e38bafb8e37f92ee5a149f63db64abcdbb4b1e590d3655922.exe"

C:\Users\Admin\AppData\Local\Temp\taskgen.exe

"C:\Users\Admin\AppData\Local\Temp\taskgen.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
N/A 104.109.143.76:443 tcp
N/A 104.109.143.76:443 tcp
N/A 104.109.143.76:443 tcp
N/A 104.109.143.76:443 tcp
N/A 8.238.20.126:80 tcp
N/A 52.109.8.86:443 tcp
N/A 72.21.91.29:80 tcp
N/A 104.80.225.205:443 tcp
N/A 51.132.193.105:443 tcp
N/A 72.21.91.29:80 tcp
N/A 8.238.23.254:80 tcp
N/A 8.238.23.254:80 tcp
N/A 8.238.23.254:80 tcp
N/A 20.224.254.73:443 tcp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 104.109.143.76:443 tcp
N/A 52.242.97.97:443 tcp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 20.31.106.135:443 tcp
N/A 20.31.106.135:443 tcp
N/A 20.31.106.135:443 tcp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.247.210.254:80 tcp
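Added example (not part of the sandbox report): a Python pass over the Network rows above that separates the sample's repeated lookups of yocymusic.zapto.org from the rest of the traffic. The report lists the same name queried many times and gives no resolved address for it, so the useful signals are lookup counts, the dynamic-DNS zone, and the two in-addr.arpa reverse lookups, which the example turns back into addresses. The input is a constructed subset of the table in the report's own "Country Destination Domain Proto" layout; the dynamic-DNS zone list and the repeat threshold are this example's assumptions, and the example does not attribute the TCP endpoints, which the report itself leaves unattributed.

```python
import re
from collections import Counter

# Constructed input: a subset of the behavioral2 Network rows above, in the
# report's "Country Destination Domain Proto" layout (Domain present only for DNS).
SAMPLE_NETWORK = """\
N/A 104.109.143.76:443 tcp
N/A 8.238.20.126:80 tcp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 52.109.8.86:443 tcp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 yocymusic.zapto.org udp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
"""

# Illustrative starter list of dynamic-DNS zones (assumption, not an authoritative
# list); extend it from your own threat intelligence.
DYNDNS_ZONES = ("zapto.org", "hopto.org", "no-ip.org", "no-ip.biz", "ddns.net")
REPEAT_THRESHOLD = 3  # assumption: this many lookups of one name in a short run merits a look


def parse_network(text):
    """Parse report rows into dicts; rows without Destination and Proto are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'151.122.125.40.in-addr.arpa' -> '40.125.122.151'; None if not a PTR name."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", name)
    return ".".join(reversed(m.groups())) if m else None


def is_dyndns(name):
    """True when the name is, or sits under, one of the listed dynamic-DNS zones."""
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def triage_network(rows):
    """Count forward lookups per name, collect reverse lookups, count TCP endpoints."""
    dns, tcp, reverse = Counter(), Counter(), []
    for r in rows:
        if r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse.append(ip)
            else:
                dns[r["domain"]] += 1
        elif r["proto"] == "tcp":
            tcp[f"{r['ip']}:{r['port']}"] += 1
    return {
        "dns": dns,
        "reverse_lookups": reverse,
        "tcp": tcp,
        "dyndns": {n: c for n, c in dns.items() if is_dyndns(n)},
        "repeated": {n: c for n, c in dns.items() if c >= REPEAT_THRESHOLD},
    }


if __name__ == "__main__":
    summary = triage_network(parse_network(SAMPLE_NETWORK))
    print("dynamic-DNS names:", summary["dyndns"])
    print("repeated lookups:", summary["repeated"])
    print("reverse lookups for:", summary["reverse_lookups"])
    print("tcp endpoints:", dict(summary["tcp"]))
```

A name that is both in a dynamic-DNS zone and queried repeatedly with no session to a resolved address is the pattern to hunt for in DNS logs from the fleet; the TCP endpoints need separate attribution before they are treated as indicators.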

Files

memory/1504-132-0x00007FFAEE0B0000-0x00007FFAEEAE6000-memory.dmp

memory/1504-133-0x00000000013C9000-0x00000000013CF000-memory.dmp

memory/1504-134-0x00000000013C9000-0x00000000013CF000-memory.dmp

memory/1504-135-0x000000001F400000-0x000000001F404000-memory.dmp

memory/1504-136-0x000000001F404000-0x000000001F407000-memory.dmp

memory/1504-137-0x000000001F407000-0x000000001F40C000-memory.dmp

memory/1504-138-0x000000001F40C000-0x000000001F411000-memory.dmp

memory/1504-139-0x000000001F400000-0x000000001F404000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\taskgen.exe

MD5 ff53c2e05032c76a8457f2cde3ba1d3a
SHA1 15acfd27138b871a866f7aa5ffdfc6357d865cc1
SHA256 d2eaf2bda7a45563939d7ead777666263d1f9fcb94c5d3cf970aa90bad498c88
SHA512 c2bd5bb00fd3a1da735e1e598e2a7b1e7d1fe73e3911fa3cfa53f27d55d49df5ad947e37a7497eff252803c138b5d4c5471b48bf930a8b69e283ef222b2393fe

memory/4756-140-0x0000000000000000-mapping.dmp

memory/4756-143-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/1504-144-0x00000000013C9000-0x00000000013CF000-memory.dmp

memory/1504-145-0x000000001F404000-0x000000001F407000-memory.dmp

memory/1504-147-0x000000001F40C000-0x000000001F411000-memory.dmp

memory/1504-146-0x000000001F407000-0x000000001F40C000-memory.dmp

memory/2472-148-0x0000000000000000-mapping.dmp

memory/2472-149-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/4756-150-0x0000000000C80000-0x0000000000C96000-memory.dmp

memory/2472-151-0x0000000000C80000-0x0000000000C96000-memory.dmp