xtremerat | eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

General

Target

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Size

532KB
MD5

80c2838bc5c5ebe29e4f87bc02d0bc01
SHA1

1182ed800987cad18ec1cda2cd9a833e1abd9687
SHA256

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf
SHA512

70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1
SSDEEP

12288:86Wq4aaE6KwyF5L0Y2D1PqLaD0+dj3kuLkv3cH8:6thEVaPqLZ+dj0uLEMc

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

golij.redirectme.net

蠀C:\Usertiriberk.ddns.net

nikberkactivi.ddns.net

Signatures

Detect XtremeRAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1456-138-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1456-139-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/4172-140-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4172-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2428-132-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral2/memory/1456-134-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2428-136-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral2/memory/1456-137-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1456-138-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1456-139-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/4172-141-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/2428-136-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

description	pid	process	target process
PID 2428 set thread context of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

svchost.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

pid	process
2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

pid	process
2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

description	pid	process	target process
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 2428 wrote to memory of 1456	2428	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 1456 wrote to memory of 4172	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1456 wrote to memory of 4172	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1456 wrote to memory of 4172	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1456 wrote to memory of 4172	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1456 wrote to memory of 2036	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2036	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2036	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3760	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3760	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3760	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2956	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2956	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2956	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2924	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2924	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 2924	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 448	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 448	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 448	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3736	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3736	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3736	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3104	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3104	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3104	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3216	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe
PID 1456 wrote to memory of 3216	1456	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
"C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
"C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe"
2⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies registry class
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:3216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
memory/1456-133-0x0000000000000000-mapping.dmp

Download
memory/1456-134-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1456-137-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1456-138-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1456-139-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2428-132-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2428-136-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/4172-140-0x0000000000000000-mapping.dmp

Download
memory/4172-141-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads