xtremerat | e6f8559599f741c5c51425d32fe66103d669985ef697a4d3ad47066762cf3c2d

Analysis

max time kernel
7s
max time network
168s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a1832d01da648109a9e6e530c96b2d6.exe
Size

588KB
MD5

1a1832d01da648109a9e6e530c96b2d6
SHA1

ac5b176e8882e5b2e63a267dcaf2584bd2a5dee9
SHA256

e6f8559599f741c5c51425d32fe66103d669985ef697a4d3ad47066762cf3c2d
SHA512

cd1d30d188c9ad9d63904e460ede16a0322d244c9127518beadfa9e6547137c5eff470a47a176476ae333a790fdfcd8cd069cb6f1f3981cba49371e52300c247
SSDEEP

12288:FyHVRIMGGtpRbRi1H0xNYTpc0dbm2fABXBN4aCvvm1zq5:AVRIMGGtpxg6YG0dbm2fokkm

Score

10^/10

xtremerat bootkit persistence rat spyware

Malware Config

Extracted

Family

xtremerat

finders.hopto.org

powned.no-ip.org

Signatures

Detect XtremeRAT payload 22 IoCs

resource	yara_rule
behavioral1/memory/472-83-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-87-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-84-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-93-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1648-102-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/2388-120-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1912-124-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/472-128-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1648-110-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/1096-129-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1648-100-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/1648-101-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/1648-99-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/1648-134-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/472-97-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-90-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-82-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-81-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/472-80-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/2388-138-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1912-139-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral1/memory/1096-140-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 5 IoCs

pid	Process
2676	xt1006.exe
2824	9AP0.exe
1092	xt1006.exe
2592	9AP0.exe
472	xt1006.exe

Loads dropped DLL 7 IoCs

pid	Process
2364	1a1832d01da648109a9e6e530c96b2d6.exe
2364	1a1832d01da648109a9e6e530c96b2d6.exe
2364	1a1832d01da648109a9e6e530c96b2d6.exe
2364	1a1832d01da648109a9e6e530c96b2d6.exe
2676	xt1006.exe
2824	9AP0.exe
1092	xt1006.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	1a1832d01da648109a9e6e530c96b2d6.exe
File opened for modification	\??\PhysicalDrive0	xt1006.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2676 set thread context of 1092	2676	xt1006.exe	38
PID 2824 set thread context of 2592	2824	9AP0.exe	31
PID 1092 set thread context of 472	1092	xt1006.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2184	1a1832d01da648109a9e6e530c96b2d6.exe
2364	1a1832d01da648109a9e6e530c96b2d6.exe
2676	xt1006.exe
2824	9AP0.exe
1092	xt1006.exe
2592	9AP0.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2184 wrote to memory of 2364	2184	1a1832d01da648109a9e6e530c96b2d6.exe	30
PID 2364 wrote to memory of 2676	2364	1a1832d01da648109a9e6e530c96b2d6.exe	29
PID 2364 wrote to memory of 2676	2364	1a1832d01da648109a9e6e530c96b2d6.exe	29
PID 2364 wrote to memory of 2676	2364	1a1832d01da648109a9e6e530c96b2d6.exe	29
PID 2364 wrote to memory of 2676	2364	1a1832d01da648109a9e6e530c96b2d6.exe	29
PID 2364 wrote to memory of 2824	2364	1a1832d01da648109a9e6e530c96b2d6.exe	28
PID 2364 wrote to memory of 2824	2364	1a1832d01da648109a9e6e530c96b2d6.exe	28
PID 2364 wrote to memory of 2824	2364	1a1832d01da648109a9e6e530c96b2d6.exe	28
PID 2364 wrote to memory of 2824	2364	1a1832d01da648109a9e6e530c96b2d6.exe	28
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2676 wrote to memory of 1092	2676	xt1006.exe	38
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 2824 wrote to memory of 2592	2824	9AP0.exe	31
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32
PID 1092 wrote to memory of 472	1092	xt1006.exe	32

C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe
"C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2364

C:\Users\Admin\AppData\Local\Temp\9AP0.exe
"C:\Users\Admin\AppData\Local\Temp\9AP0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\9AP0.exe
  "C:\Users\Admin\AppData\Local\Temp\9AP0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\9AP0.exe
    "C:\Users\Admin\AppData\Local\Temp\9AP0.exe"
    3⤵
    PID:1648

C:\Users\Admin\AppData\Local\Temp\xt1006.exe
"C:\Users\Admin\AppData\Local\Temp\xt1006.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\xt1006.exe
  "C:\Users\Admin\AppData\Local\Temp\xt1006.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1092

C:\Users\Admin\AppData\Local\Temp\xt1006.exe
"C:\Users\Admin\AppData\Local\Temp\xt1006.exe"
1⤵
- Executes dropped EXE
PID:472
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2388
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1096

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-81-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-82-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-97-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-93-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-84-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-78-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-79-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-80-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-87-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-83-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-128-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/472-90-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1092-62-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1092-51-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1092-44-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1092-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1092-46-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1092-95-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1096-141-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1096-140-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1096-129-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1648-110-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-94-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-92-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-102-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-98-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-100-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-101-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-99-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1648-134-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1912-124-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/1912-139-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2364-14-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-39-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-6-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2364-12-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2388-120-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2388-138-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2592-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-70-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-74-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-55-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-50-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2592-112-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads