xtremerat | 784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087

General

Target

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
Size

984KB
MD5

b9c359c50e9eae0510f482e9beb70a22
SHA1

e8557e38f7c292847fc17c890f55d2e7d38053c8
SHA256

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087
SHA512

517ca9aa7c12c3d159e9ad1ff52724d9f0d6ab1c3455043833ad13d0107adfbb8c76569ea7a1217fb107ade3019f0ccb19582226c8aac593c12dfa25f3708ddc
SSDEEP

12288:YMXh9i82/wsLLC67/gjiMx585zHcF0CkoHYM0pk/bHLkXC7XrT4iiHyk7DHChxtg:YMxg/ZCu5oFZiM7DQXEd9ODHChXjHuyO

Score

10^/10

xtremerat evasion persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2824-135-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2824-136-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2824-142-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2824-144-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2824-145-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Wine	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

pid process

1904 784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

description	pid	process	target process
PID 1904 set thread context of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

pid	process
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

pid	process
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.execmd.exenet.exe784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe

description	pid	process	target process
PID 1904 wrote to memory of 2844	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	cmd.exe
PID 1904 wrote to memory of 2844	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	cmd.exe
PID 1904 wrote to memory of 2844	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	cmd.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 1904 wrote to memory of 2824	1904	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
PID 2844 wrote to memory of 4044	2844	cmd.exe	net.exe
PID 2844 wrote to memory of 4044	2844	cmd.exe	net.exe
PID 2844 wrote to memory of 4044	2844	cmd.exe	net.exe
PID 4044 wrote to memory of 2008	4044	net.exe	net1.exe
PID 4044 wrote to memory of 2008	4044	net.exe	net1.exe
PID 4044 wrote to memory of 2008	4044	net.exe	net1.exe
PID 2824 wrote to memory of 4940	2824	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	msedge.exe
PID 2824 wrote to memory of 4940	2824	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	msedge.exe
PID 2824 wrote to memory of 4940	2824	784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
"C:\Users\Admin\AppData\Local\Temp\784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
C:\Users\Admin\AppData\Local\Temp\784760025ab16be9cb04f1a5aed2dfbf46c1a3a5bf9415854c40975972ff6087.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:4940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-141-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/1904-138-0x0000000002330000-0x0000000002334000-memory.dmp

Filesize
16KB

Download
memory/1904-132-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1904-139-0x0000000077260000-0x0000000077403000-memory.dmp

Filesize
1.6MB

Download
memory/1904-137-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2008-143-0x0000000000000000-mapping.dmp

Download
memory/2824-136-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2824-135-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2824-142-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2824-134-0x0000000000000000-mapping.dmp

Download
memory/2824-144-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2824-145-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2844-133-0x0000000000000000-mapping.dmp

Download
memory/4044-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads