xtremerat | 599f324a79ef699b2e11162c50b8c0aa799641225563d689d06b7a580621e015

Analysis

max time kernel
146s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06a70a53226775297ac4aae5c3a3a993.exe
Size

65KB
MD5

06a70a53226775297ac4aae5c3a3a993
SHA1

d413a464cc5c3bd447bf4067ad8b6478f5be8cdb
SHA256

599f324a79ef699b2e11162c50b8c0aa799641225563d689d06b7a580621e015
SHA512

561dbf3abbb6f6a1f9390ff43479ab19ab4f49407c5842522c8a7e82d7c8316429d2ef7aecd9951522722d7289048546b7c28b9ca89ebfacbf1bedda9ed9f5ae
SSDEEP

768:88m1Sq4NQErBsH1tzoisBKQI6dObAG/dq8uW29Ifnca/yyR+P2ujfGiXsbs8Hszx:esq+QV4rObAdXWpf/y+Ya8o

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

rakannaber.zapto.org

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/2404-1-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2364-2-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2364-0-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3404	2364	WerFault.exe	20
5044	2364	WerFault.exe	20

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2364	2404	06a70a53226775297ac4aae5c3a3a993.exe	20
PID 2404 wrote to memory of 2364	2404	06a70a53226775297ac4aae5c3a3a993.exe	20
PID 2404 wrote to memory of 2364	2404	06a70a53226775297ac4aae5c3a3a993.exe	20
PID 2404 wrote to memory of 2364	2404	06a70a53226775297ac4aae5c3a3a993.exe	20
PID 2404 wrote to memory of 2480	2404	06a70a53226775297ac4aae5c3a3a993.exe	21
PID 2404 wrote to memory of 2480	2404	06a70a53226775297ac4aae5c3a3a993.exe	21
PID 2404 wrote to memory of 2480	2404	06a70a53226775297ac4aae5c3a3a993.exe	21

C:\Users\Admin\AppData\Local\Temp\06a70a53226775297ac4aae5c3a3a993.exe
"C:\Users\Admin\AppData\Local\Temp\06a70a53226775297ac4aae5c3a3a993.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 480
    3⤵
    - Program crash
    PID:3404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 488
    3⤵
    - Program crash
    PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2364 -ip 2364
1⤵
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2364 -ip 2364
1⤵
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-2-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2364-0-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2404-1-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download