Malware Analysis Report

2025-06-16 01:06

Sample ID 231226-whf9fsdgg8
Target 821e4c194c721f6f40b6a63b71229677
SHA256 b95a5e2ae5653e4de504a1d230857b40b1c251c5b832057a3f3ac67ec4cdb408
Tags
xtremerat persistence rat spyware
score
10/10

Analysis Overview

score
10/10

SHA256

b95a5e2ae5653e4de504a1d230857b40b1c251c5b832057a3f3ac67ec4cdb408

Threat Level: Known bad

The file 821e4c194c721f6f40b6a63b71229677 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware

Detect XtremeRAT payload

XtremeRAT

Modifies Installed Components in the registry

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 17:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 17:55

Reported

2024-01-06 23:12

Platform

win7-20231215-en

Max time kernel

156s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN} C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8T14QPY-7Y46-5QEV-21J8-V8SC54R564PN}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1756 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE
PID 2408 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE C:\Windows\SysWOW64\svchost.exe
PID 2408 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE C:\Windows\SysWOW64\explorer.exe
PID 1756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE
PID 2600 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

Processes

C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe

"C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 keohack.no-ip.biz udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

MD5 3ded0d9f3644be4ee425101d53c9d531
SHA1 c19997e0c8da2243beb858d8d4e992710718705f
SHA256 bfc0210ee77bb884d89be9c24dff0f44866355dfbfb5eae0d1d2a5c93d908467
SHA512 5643a5828206ae6e92f3cc52ac1d35284b1ae2a81549a31f6d25d1e209bdb4222ccb114a6ea6d62936ad431775ecce8905421a62055f653c3503c764a38a1bd1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ACELER~1.EXE

MD5 90ad798c72c142c27204801a41483630
SHA1 ae45cb70ac04c135fc5f1bd1f5eb5093ef9bf676
SHA256 ec5e60507ed862673894935dcc2c7dfd281b166ab5480e094991d3a8779ce665
SHA512 f12c32c801124ec13efd0f48c434e96194352af0d2dcac29d5f611ece31ba62d812242970be45a7f7cdea4372db980e1ae6f353a1f61a34a2bee7e093e22f037

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

MD5 873a2bcda208068625b9a744f4062a29
SHA1 f5a306be7467e86ac4fd21d1ea1e319f3e196b89
SHA256 9aaceb5705833ab09ad60bbdf6c41b7d4175d3d2b0b74133037595b2db0f4441
SHA512 e0d828d82adb69d8dc4a921ceda03844abbacdb12daa621a697eb8954815948b58f966766ccbc2a15809c2ae4d245dbcf74684484aa4e5f407ae7e9eacf09a96

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 17:55

Reported

2024-01-06 23:11

Platform

win10v2004-20231215-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe

"C:\Users\Admin\AppData\Local\Temp\821e4c194c721f6f40b6a63b71229677.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MINEEE~1.EXE

MD5 3ded0d9f3644be4ee425101d53c9d531
SHA1 c19997e0c8da2243beb858d8d4e992710718705f
SHA256 bfc0210ee77bb884d89be9c24dff0f44866355dfbfb5eae0d1d2a5c93d908467
SHA512 5643a5828206ae6e92f3cc52ac1d35284b1ae2a81549a31f6d25d1e209bdb4222ccb114a6ea6d62936ad431775ecce8905421a62055f653c3503c764a38a1bd1