xtremerat | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84

General

Target

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
Size

984KB
MD5

6edee3f6a9eee3733d27991a3a6d5608
SHA1

47eb27c4e6f1e86e45eedd63f744aa7c426b3918
SHA256

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84
SHA512

ae4e927c5d808292359b34eacf44ebc0d0ecf107c60e209555afaf596ff17d19acced2195229c8eca214dc4320739ef68cf9087182f89dd65a31e248f84255de
SSDEEP

24576:YN74AuHCuqcpjN0Va63ViVIOqccf5RTNRXkdOGObsOm:mMAICuqcv0wNIvVN9kdOGObZm

Score

10^/10

xtremerat evasion persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2024-62-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2024-65-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2024-66-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2024-64-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2024-63-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2024-68-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2024-69-0x000000001000D0F4-mapping.dmp	family_xtremerat
behavioral1/memory/2024-70-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

pid process

1708 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	pid	process	target process
PID 1708 set thread context of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

pid	process
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

pid	process
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.execmd.exenet.exe

description	pid	process	target process
PID 1708 wrote to memory of 1352	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 1708 wrote to memory of 1352	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 1708 wrote to memory of 1352	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 1708 wrote to memory of 1352	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1708 wrote to memory of 2024	1708	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 1352 wrote to memory of 1792	1352	cmd.exe	net.exe
PID 1352 wrote to memory of 1792	1352	cmd.exe	net.exe
PID 1352 wrote to memory of 1792	1352	cmd.exe	net.exe
PID 1352 wrote to memory of 1792	1352	cmd.exe	net.exe
PID 1792 wrote to memory of 364	1792	net.exe	net1.exe
PID 1792 wrote to memory of 364	1792	net.exe	net1.exe
PID 1792 wrote to memory of 364	1792	net.exe	net1.exe
PID 1792 wrote to memory of 364	1792	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
"C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2⤵
PID:2024

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-77-0x0000000000000000-mapping.dmp

Download
memory/1352-58-0x0000000000000000-mapping.dmp

Download
memory/1708-71-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-55-0x0000000077540000-0x00000000776C0000-memory.dmp

Filesize
1.5MB

Download
memory/1708-56-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-57-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-54-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1708-75-0x00000000006C0000-0x00000000006C4000-memory.dmp

Filesize
16KB

Download
memory/1708-74-0x0000000077540000-0x00000000776C0000-memory.dmp

Filesize
1.5MB

Download
memory/1792-73-0x0000000000000000-mapping.dmp

Download
memory/2024-59-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-63-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-68-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-69-0x000000001000D0F4-mapping.dmp

Download
memory/2024-70-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-64-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-66-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-65-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-62-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2024-76-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2024-60-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads