xtremerat | e6f8559599f741c5c51425d32fe66103d669985ef697a4d3ad47066762cf3c2d

General

Target

1a1832d01da648109a9e6e530c96b2d6.exe
Size

588KB
MD5

1a1832d01da648109a9e6e530c96b2d6
SHA1

ac5b176e8882e5b2e63a267dcaf2584bd2a5dee9
SHA256

e6f8559599f741c5c51425d32fe66103d669985ef697a4d3ad47066762cf3c2d
SHA512

cd1d30d188c9ad9d63904e460ede16a0322d244c9127518beadfa9e6547137c5eff470a47a176476ae333a790fdfcd8cd069cb6f1f3981cba49371e52300c247
SSDEEP

12288:FyHVRIMGGtpRbRi1H0xNYTpc0dbm2fABXBN4aCvvm1zq5:AVRIMGGtpxg6YG0dbm2fokkm

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

powned.no-ip.org

finders.hopto.org

Signatures

Detect XtremeRAT payload 17 IoCs

resource	yara_rule
behavioral2/memory/4280-44-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4280-51-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4768-54-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/4768-59-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3612-65-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3636-68-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/5012-72-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/5012-71-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4280-67-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/5012-66-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4768-73-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/3636-61-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4768-56-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/4280-55-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/4768-49-0x0000000013140000-0x000000001315C000-memory.dmp	family_xtremerat
behavioral2/memory/4280-47-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/5012-77-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process
2152	3636	WerFault.exe
4392	3636	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2952	1a1832d01da648109a9e6e530c96b2d6.exe
4540	1a1832d01da648109a9e6e530c96b2d6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70
PID 2952 wrote to memory of 4540	2952	1a1832d01da648109a9e6e530c96b2d6.exe	70

C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe
"C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe
  "C:\Users\Admin\AppData\Local\Temp\1a1832d01da648109a9e6e530c96b2d6.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\9AP0.exe
    "C:\Users\Admin\AppData\Local\Temp\9AP0.exe"
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\9AP0.exe
      "C:\Users\Admin\AppData\Local\Temp\9AP0.exe"
      4⤵
      PID:4176
    - - C:\Users\Admin\AppData\Local\Temp\9AP0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9AP0.exe"
        5⤵
        
        PID:4768
- - C:\Users\Admin\AppData\Local\Temp\xt1006.exe
    "C:\Users\Admin\AppData\Local\Temp\xt1006.exe"
    3⤵
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\xt1006.exe
      "C:\Users\Admin\AppData\Local\Temp\xt1006.exe"
      4⤵
      PID:1112

C:\Users\Admin\AppData\Local\Temp\xt1006.exe
"C:\Users\Admin\AppData\Local\Temp\xt1006.exe"
1⤵
PID:4280
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:5012
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3636 -ip 3636
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3636 -ip 3636
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 488
1⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 480
1⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\xt1006.exe

Filesize
224KB

MD5
70894ac90195f81b7b714406982c1b2d

SHA1
b842869c0470a9ead6e4e6336656b78c35c426cb

SHA256
00245d48c1c39e91c672ce9d168f88601dc45e340e31a275cedf08efab76a3d5

SHA512
856bf97490278c48cdbdc0437aee418bcd5d05a7f16ece4afe9701ec8116afdb1e01c4d1016d014958b44ccd6e24ca75532714d25b70aebe3248dc731dda463a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xt1006.exe

Filesize
92KB

MD5
80636a94eaad00fec642a18d8dd42c75

SHA1
20b6b4ea39c26873544583b151dbad402ca76c9e

SHA256
897268bb188810301715b39046615c60254df3f3b9499784b36dc8ee54de2c96

SHA512
d08059aef601bad6ec31b006986a9da447294da18a21653365763d7b83acbddaa1f0d75fb6874491d4b843030f345a3116a559641f2221568f78fedfe1290395

Download Submit
memory/1112-37-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1112-34-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1112-50-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3612-65-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3636-61-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/3636-68-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4176-39-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4176-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4176-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4280-67-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4280-44-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4280-47-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4280-51-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4280-55-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4540-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4540-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4540-75-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4540-4-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4540-7-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4768-56-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4768-49-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4768-59-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4768-54-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/4768-73-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/5012-72-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/5012-71-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/5012-66-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/5012-77-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/5012-81-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing