xtremerat | f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e

General

Target

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
Size

996KB
MD5

376830294e3248b64e3cc045379d866f
SHA1

da7c94266ae4703e1533b0bf55223c317b1e8dd4
SHA256

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e
SHA512

b9b7d2f6cf171140cd0cb9c33f35be13ab2028ea852f52a16c3e361d65ccce5fb42dde74f4f53bfa6f536e9384d6709b80e3fed80c181dc0f7c48c110c90ca87
SSDEEP

24576:Ynp5kzfilDo0Vu5CZzTmgF9RS+gzEJeoGJ7ohnWepS3iG:QDaiDo0RzTbFgLoWD3z

Score

10^/10

xtremerat evasion persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-62-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-63-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-64-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-65-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-66-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-68-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-71-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-70-0x000000001000D0F4-mapping.dmp	family_xtremerat
behavioral1/memory/1724-76-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1724-80-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Wine	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

pid process

1744 f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	pid	process	target process
PID 1744 set thread context of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

pid	process
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

pid	process
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.execmd.exenet.exef02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	pid	process	target process
PID 1744 wrote to memory of 1656	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 1744 wrote to memory of 1656	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 1744 wrote to memory of 1656	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 1744 wrote to memory of 1656	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1744 wrote to memory of 1724	1744	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 1656 wrote to memory of 1536	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 1536	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 1536	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 1536	1656	cmd.exe	net.exe
PID 1536 wrote to memory of 1884	1536	net.exe	net1.exe
PID 1536 wrote to memory of 1884	1536	net.exe	net1.exe
PID 1536 wrote to memory of 1884	1536	net.exe	net1.exe
PID 1536 wrote to memory of 1884	1536	net.exe	net1.exe
PID 1724 wrote to memory of 840	1724	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	iexplore.exe
PID 1724 wrote to memory of 840	1724	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	iexplore.exe
PID 1724 wrote to memory of 840	1724	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	iexplore.exe
PID 1724 wrote to memory of 840	1724	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	iexplore.exe
PID 1724 wrote to memory of 840	1724	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
"C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-69-0x0000000000000000-mapping.dmp

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download
memory/1724-68-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-70-0x000000001000D0F4-mapping.dmp

Download
memory/1724-78-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1724-59-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-60-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-62-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-63-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-64-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-71-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-66-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-80-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-76-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1724-65-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1744-56-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1744-72-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1744-75-0x0000000000790000-0x0000000000794000-memory.dmp

Filesize
16KB

Download
memory/1744-77-0x0000000005170000-0x000000000534E000-memory.dmp

Filesize
1.9MB

Download
memory/1744-57-0x0000000076301000-0x0000000076303000-memory.dmp

Filesize
8KB

Download
memory/1744-55-0x0000000077430000-0x00000000775B0000-memory.dmp

Filesize
1.5MB

Download
memory/1744-79-0x0000000077430000-0x00000000775B0000-memory.dmp

Filesize
1.5MB

Download
memory/1744-54-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1884-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads