xtremerat | a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
Size

1.2MB
MD5

175ca66946610b34717444893bc93845
SHA1

59f04ef5f86eb915abb5b238783ff4103dd3b796
SHA256

a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957
SHA512

0964b10b5c4dfed8322de675bb9d5cce8149cf7e529d3ea0421e5c57feca1bacaf81ef3eb6d011d8b8a9596c0e8239812e606cbbea364174d3679ede8680f9b1
SSDEEP

12288:HZsQYcBw+32JsgijZKfXxV3pc+BCwM8qtdV/4va11OFGRGnrgq1Gc:HyQbB57ZKvHZc4JRqt3QS1gFGRh3c

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

baseeem.no-ip.biz

Signatures

Detect XtremeRAT payload 8 IoCs

resource	yara_rule
behavioral2/memory/4068-142-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4068-143-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/4068-144-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/4068-147-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/4068-149-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/2852-150-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral2/memory/4068-152-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat
behavioral2/memory/2852-153-0x0000000010000000-0x0000000010045000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4528 set thread context of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 set thread context of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4424	2852	WerFault.exe	78
4704	2852	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 1672	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	76
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 4528 wrote to memory of 4068	4528	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	77
PID 1672 wrote to memory of 532	1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	30
PID 1672 wrote to memory of 532	1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	30
PID 4068 wrote to memory of 2852	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	78
PID 4068 wrote to memory of 2852	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	78
PID 4068 wrote to memory of 2852	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	78
PID 1672 wrote to memory of 532	1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	30
PID 1672 wrote to memory of 532	1672	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	30
PID 4068 wrote to memory of 2852	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	78
PID 4068 wrote to memory of 4260	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	79
PID 4068 wrote to memory of 4260	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	79
PID 4068 wrote to memory of 4260	4068	a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe	79

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:532
- C:\Users\Admin\AppData\Local\Temp\a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
  "C:\Users\Admin\AppData\Local\Temp\a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
    "C:\Users\Admin\AppData\Local\Temp\a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1672
- - C:\Users\Admin\AppData\Local\Temp\a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe
    "C:\Users\Admin\AppData\Local\Temp\a66b115784c8fbd1509e746fc6534b0f1868ea06646ee37716cc7f6ed1029957.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 480
        5⤵
        Program crash
        
        PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 488
        5⤵
        Program crash
        
        PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2852 -ip 2852
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2852 -ip 2852
1⤵
PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-145-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1672-151-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1672-139-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1672-141-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/2852-153-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4068-143-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4068-144-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4068-147-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4068-149-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4068-152-0x0000000010000000-0x0000000010045000-memory.dmp

Filesize
276KB

Download
memory/4528-132-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4528-146-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4528-148-0x0000000002300000-0x0000000002339000-memory.dmp

Filesize
228KB

Download
memory/4528-137-0x0000000002300000-0x0000000002339000-memory.dmp

Filesize
228KB

Download
memory/4528-136-0x00000000006D0000-0x00000000006D4000-memory.dmp

Filesize
16KB

Download
memory/4528-135-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download