xtremerat | 55dad181ae960c72358c7567b0a79e31c4a4f47fed9005ac8ed789449666534a

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 22:17

Target

3f8446fa1599a336632b38046241d6fc.exe
Size

65KB
MD5

3f8446fa1599a336632b38046241d6fc
SHA1

d9456f1be2af82145ca2bf207a9b3ea8297fbc7e
SHA256

55dad181ae960c72358c7567b0a79e31c4a4f47fed9005ac8ed789449666534a
SHA512

13a2c519bb26c40049a79a0dacf75766399c4a9aed4a91a8ac5e202e032ef8ee52c143445b79940993d0b021427566aa1bee0568e80f73b690005d2d37d64c27
SSDEEP

1536:18xfRb7rcmC2/dHcjfU3tRPzkXdLLel6rJZBm+1:GT7C2lgst9QtLLzJZV

Score

10^/10

Detect XtremeRAT payload 6 IoCs

resource	yara_rule
behavioral1/memory/2936-11-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2936-8-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2936-7-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2936-6-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2936-5-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral1/memory/2936-4-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	3f8446fa1599a336632b38046241d6fc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2924	2040	3f8446fa1599a336632b38046241d6fc.exe	19
PID 2040 wrote to memory of 2924	2040	3f8446fa1599a336632b38046241d6fc.exe	19
PID 2040 wrote to memory of 2924	2040	3f8446fa1599a336632b38046241d6fc.exe	19
PID 2040 wrote to memory of 2924	2040	3f8446fa1599a336632b38046241d6fc.exe	19
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18
PID 2040 wrote to memory of 2936	2040	3f8446fa1599a336632b38046241d6fc.exe	18

C:\Users\Admin\AppData\Local\Temp\3f8446fa1599a336632b38046241d6fc.exe
"C:\Users\Admin\AppData\Local\Temp\3f8446fa1599a336632b38046241d6fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\3f8446fa1599a336632b38046241d6fc.exe
  C:\Users\Admin\AppData\Local\Temp\3f8446fa1599a336632b38046241d6fc.exe
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\3f8446fa1599a336632b38046241d6fc.exe
  C:\Users\Admin\AppData\Local\Temp\3f8446fa1599a336632b38046241d6fc.exe
  2⤵
  PID:2924

memory/2040-1-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2040-0-0x0000000000230000-0x0000000000248000-memory.dmp

Filesize
96KB

Download
memory/2040-13-0x0000000074E00000-0x00000000754EE000-memory.dmp

Filesize
6.9MB

Download
memory/2936-11-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-8-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-7-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-6-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-5-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-4-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-3-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2936-2-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download