xtremerat | 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051

Analysis

max time kernel
185s
max time network
216s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
Size

289KB
MD5

7c5076f4818ad83b85c386d14a10a894
SHA1

506aaae1de0316b8b20b94905f35a582ef659465
SHA256

7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051
SHA512

0a1d4a9a40af1b25db0ff643cc271e1dd0edb07076fa166b20c60413bde2976fa4c83fc9048de60c60d47ba222f38c0c1e1665fd81367b862bead270331def80
SSDEEP

6144:4WqA/eRFp0yN90QE6KntvLfggDsMLDwP:R/eay904+xLfggDFDwP

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

merlim2.no-ip.org

耀睊袸睊袌睊糨merlim2.no-ip.org

Signatures

Detect XtremeRAT payload 23 IoCs

resource	yara_rule
behavioral1/memory/1240-69-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-70-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-68-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-71-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-72-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-74-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-75-0x000000001000D07C-mapping.dmp	family_xtremerat
behavioral1/memory/1240-77-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-79-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-82-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-86-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-84-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-92-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-90-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-88-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-98-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-96-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-94-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1320-101-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1240-103-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1320-104-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1240-106-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1320-107-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 2 IoCs

pid	Process
1816	Explorer.exe
1240	Explorer.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38W2822O-7R7R-5CP5-X73M-8K43CLG2E571}\StubPath = "C:\\Windows\\system32\\System\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{38W2822O-7R7R-5CP5-X73M-8K43CLG2E571}	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38W2822O-7R7R-5CP5-X73M-8K43CLG2E571}\StubPath = "C:\\Windows\\system32\\System\\svchost.exe restart"	Explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{38W2822O-7R7R-5CP5-X73M-8K43CLG2E571}	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
1816	Explorer.exe
1816	Explorer.exe
1240	Explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\System\\svchost.exe"	Explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\System\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\System\svchost.exe	Explorer.exe
File opened for modification	C:\Windows\SysWOW64\System\	Explorer.exe
File opened for modification	C:\Windows\SysWOW64\System\svchost.exe	Explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 1240	1816	Explorer.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1816	Explorer.exe
1240	Explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 2020 wrote to memory of 1816	2020	7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe	28
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1816 wrote to memory of 1240	1816	Explorer.exe	29
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30
PID 1240 wrote to memory of 1320	1240	Explorer.exe	30

C:\Users\Admin\AppData\Local\Temp\7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe
"C:\Users\Admin\AppData\Local\Temp\7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
C:\Windows\SysWOW64\System\svchost.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Explorer.exe

Filesize
165KB

MD5
b0edea124678797b44fed1538f11ca24

SHA1
4c5bbc2f697db486257eaba821ade6839e4919f2

SHA256
26360b2600590cdedb3f1f187d164ebff66ba778d9109bdddc41cf3ce55d262c

SHA512
aac67d35a0f9a038f11a70f8e77723af03696107e9d1d2dca07a00a87e0ff6b271a0e01f8b6c33e739ca3ef49efae4affc557ad0ebcc4bad5fda3d3d752e34ad

Download Submit
memory/1240-77-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-86-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-70-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-68-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-71-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-72-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-74-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-66-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-106-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-79-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-65-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-82-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-69-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-84-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-92-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-90-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-88-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-98-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-96-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-94-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1240-103-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1320-104-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1320-107-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2020-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads