xtremerat | 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84

General

Target

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
Size

984KB
MD5

6edee3f6a9eee3733d27991a3a6d5608
SHA1

47eb27c4e6f1e86e45eedd63f744aa7c426b3918
SHA256

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84
SHA512

ae4e927c5d808292359b34eacf44ebc0d0ecf107c60e209555afaf596ff17d19acced2195229c8eca214dc4320739ef68cf9087182f89dd65a31e248f84255de
SSDEEP

24576:YN74AuHCuqcpjN0Va63ViVIOqccf5RTNRXkdOGObsOm:mMAICuqcv0wNIvVN9kdOGObZm

Score

10^/10

xtremerat evasion persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1912-136-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1912-135-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1912-138-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1912-143-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

pid process

2212 96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	pid	process	target process
PID 2212 set thread context of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

pid	process
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

pid	process
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.execmd.exenet.exe96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe

description	pid	process	target process
PID 2212 wrote to memory of 3324	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 2212 wrote to memory of 3324	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 2212 wrote to memory of 3324	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	cmd.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 2212 wrote to memory of 1912	2212	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
PID 3324 wrote to memory of 4800	3324	cmd.exe	net.exe
PID 3324 wrote to memory of 4800	3324	cmd.exe	net.exe
PID 3324 wrote to memory of 4800	3324	cmd.exe	net.exe
PID 4800 wrote to memory of 4668	4800	net.exe	net1.exe
PID 4800 wrote to memory of 4668	4800	net.exe	net1.exe
PID 4800 wrote to memory of 4668	4800	net.exe	net1.exe
PID 1912 wrote to memory of 3760	1912	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	msedge.exe
PID 1912 wrote to memory of 3760	1912	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	msedge.exe
PID 1912 wrote to memory of 3760	1912	96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
"C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
C:\Users\Admin\AppData\Local\Temp\96fff1d8e819a6f87c10e54b7c14caa75965e5eacd6b6e260f998f6c87ce9b84.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-138-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1912-144-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1912-134-0x0000000000000000-mapping.dmp

Download
memory/1912-143-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1912-136-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1912-135-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2212-137-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2212-140-0x0000000004520000-0x0000000004524000-memory.dmp

Filesize
16KB

Download
memory/2212-139-0x0000000077360000-0x0000000077503000-memory.dmp

Filesize
1.6MB

Download
memory/2212-132-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3324-133-0x0000000000000000-mapping.dmp

Download
memory/4668-142-0x0000000000000000-mapping.dmp

Download
memory/4800-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads