xtremerat | f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e

General

Target

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
Size

996KB
MD5

376830294e3248b64e3cc045379d866f
SHA1

da7c94266ae4703e1533b0bf55223c317b1e8dd4
SHA256

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e
SHA512

b9b7d2f6cf171140cd0cb9c33f35be13ab2028ea852f52a16c3e361d65ccce5fb42dde74f4f53bfa6f536e9384d6709b80e3fed80c181dc0f7c48c110c90ca87
SSDEEP

24576:Ynp5kzfilDo0Vu5CZzTmgF9RS+gzEJeoGJ7ohnWepS3iG:QDaiDo0RzTbFgLoWD3z

Score

10^/10

xtremerat evasion persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3688-136-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3688-137-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3688-141-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3688-144-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/3688-145-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

pid process

3276 f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	pid	process	target process
PID 3276 set thread context of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

pid	process
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

pid	process
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.execmd.exenet.exef02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe

description	pid	process	target process
PID 3276 wrote to memory of 2056	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 3276 wrote to memory of 2056	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 3276 wrote to memory of 2056	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	cmd.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 3276 wrote to memory of 3688	3276	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
PID 2056 wrote to memory of 4292	2056	cmd.exe	net.exe
PID 2056 wrote to memory of 4292	2056	cmd.exe	net.exe
PID 2056 wrote to memory of 4292	2056	cmd.exe	net.exe
PID 4292 wrote to memory of 2024	4292	net.exe	net1.exe
PID 4292 wrote to memory of 2024	4292	net.exe	net1.exe
PID 4292 wrote to memory of 2024	4292	net.exe	net1.exe
PID 3688 wrote to memory of 1908	3688	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	msedge.exe
PID 3688 wrote to memory of 1908	3688	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	msedge.exe
PID 3688 wrote to memory of 1908	3688	f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
"C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\SysWOW64\cmd.exe
/c net stop MpsSvc
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\net.exe
net stop MpsSvc
3⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
4⤵
PID:2024

C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
C:\Users\Admin\AppData\Local\Temp\f02036dc1354e47bb1ed9f1b81a6626b01928a9f7dc24d24abd801f4ce5d657e.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
3⤵
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-143-0x0000000000000000-mapping.dmp

Download
memory/2056-134-0x0000000000000000-mapping.dmp

Download
memory/3276-139-0x0000000077390000-0x0000000077533000-memory.dmp

Filesize
1.6MB

Download
memory/3276-133-0x0000000077390000-0x0000000077533000-memory.dmp

Filesize
1.6MB

Download
memory/3276-132-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3276-140-0x0000000004660000-0x0000000004664000-memory.dmp

Filesize
16KB

Download
memory/3276-138-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3688-135-0x0000000000000000-mapping.dmp

Download
memory/3688-137-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3688-141-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3688-136-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3688-144-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3688-145-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4292-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads