xtremerat | 97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f

Analysis

max time kernel
266s
max time network
364s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe
Size

69KB
MD5

54d37a0bf6862350be8ba31a88e7c91c
SHA1

eaf1fadc671b4e1afdc87f2dd25fe26e32cd0acb
SHA256

97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f
SHA512

12cb9578cb146d3acc04a55e650ab0be77102a2955de4c23c57d0f118fd6c4bc6c412a940261c3107e18fd04127f12cc7d638a8c84d4cd5f47f435e77b571719
SSDEEP

1536:rGxvCUew0tWmedelq8PyZ6vU6X3xDoP2pt8Hm6KfIN:rG1NevOelq8KZ6vLpZYG9m

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

sl-s7.no-ip.org

Signatures

Detect XtremeRAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/1768-73-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/1768-74-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/1060-78-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1060-80-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/960-83-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1768-84-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/960-86-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/1060-88-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PR6AR3W4-SVR2-UB47-125H-I58F31ECO6E0}	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PR6AR3W4-SVR2-UB47-125H-I58F31ECO6E0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart"	notepad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{PR6AR3W4-SVR2-UB47-125H-I58F31ECO6E0}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{PR6AR3W4-SVR2-UB47-125H-I58F31ECO6E0}\StubPath = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1768-64-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1768-66-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1768-67-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1768-72-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1768-73-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1768-74-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1060-80-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1768-84-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/960-86-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/1060-88-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe"	notepad.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1348 set thread context of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1684 set thread context of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\Server.exe	notepad.exe
File created	C:\Windows\InstallDir\Server.exe	notepad.exe
File opened for modification	C:\Windows\InstallDir\	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe
1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE
960	notepad.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1348 wrote to memory of 1684	1348	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	28
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1684 wrote to memory of 1768	1684	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE	29
PID 1768 wrote to memory of 1060	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	30
PID 1768 wrote to memory of 1060	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	30
PID 1768 wrote to memory of 1060	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	30
PID 1768 wrote to memory of 1060	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	30
PID 1768 wrote to memory of 1060	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	30
PID 1768 wrote to memory of 960	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	31
PID 1768 wrote to memory of 960	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	31
PID 1768 wrote to memory of 960	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	31
PID 1768 wrote to memory of 960	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	31
PID 1768 wrote to memory of 960	1768	97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe	31

C:\Users\Admin\AppData\Local\Temp\97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe
"C:\Users\Admin\AppData\Local\Temp\97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE
  "C:\Users\Admin\AppData\Local\Temp\97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe
    C:\Users\Admin\AppData\Local\Temp\97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:1060
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Modifies Installed Components in the registry
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\InstallDir\Server.exe

Filesize
69KB

MD5
54d37a0bf6862350be8ba31a88e7c91c

SHA1
eaf1fadc671b4e1afdc87f2dd25fe26e32cd0acb

SHA256
97ad592f5bc5bdd7920f322ef9bea8a6eef9198ee46f46a4d114ff54c926097f

SHA512
12cb9578cb146d3acc04a55e650ab0be77102a2955de4c23c57d0f118fd6c4bc6c412a940261c3107e18fd04127f12cc7d638a8c84d4cd5f47f435e77b571719

Download Submit
memory/960-86-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1060-88-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1060-80-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1348-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1348-54-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1684-57-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1684-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1768-64-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-73-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-74-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-75-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1768-72-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-71-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/1768-84-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-67-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-66-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/1768-63-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads