xtremerat | 6773a1dea04f85014e151bdb7a7d547e0fea820d8c876f0c613643c4801081c5

General

Target

4e12a4b08833b1b00197fbe49ac5326c.exe
Size

166KB
MD5

4e12a4b08833b1b00197fbe49ac5326c
SHA1

091b492d8f8889d5c04512f094448cb6abb3531f
SHA256

6773a1dea04f85014e151bdb7a7d547e0fea820d8c876f0c613643c4801081c5
SHA512

f00ea2f87f3fed8b8c7341e8b9f12a62074a41ca8a5938af0f4d1c0f5d08bb663c368c1086a76ec16b3e4869645ecd516b9add6251b710dda598c9edf4c596a9
SSDEEP

3072:AFH27pMR+Y3U+SbekDwHKyfnicvizbuPZcRW+SdgDqWgUdsI76UqjfGcMumsG8xG:AFH27pBY31CrK4uBcRW+SdgDsUXOHfUV

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

basss.no-ip.info

晻㍴㄀蠀C:\Userbasss.no-ip.info

蠀C:\Windows\system32\prnfldrbasss.no-ip.info

Signatures

Detect XtremeRAT payload 7 IoCs

resource	yara_rule
behavioral2/memory/1232-7-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1232-9-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1232-12-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2692-13-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2692-11-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1232-6-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/1232-5-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	4e12a4b08833b1b00197fbe49ac5326c.exe
File created	C:\Windows\assembly\Desktop.ini	4e12a4b08833b1b00197fbe49ac5326c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	4e12a4b08833b1b00197fbe49ac5326c.exe
File created	C:\Windows\assembly\Desktop.ini	4e12a4b08833b1b00197fbe49ac5326c.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4e12a4b08833b1b00197fbe49ac5326c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1444	2692	WerFault.exe	19
5036	2692	WerFault.exe	19

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	4e12a4b08833b1b00197fbe49ac5326c.exe
Token: 33	4148	4e12a4b08833b1b00197fbe49ac5326c.exe
Token: SeIncBasePriorityPrivilege	4148	4e12a4b08833b1b00197fbe49ac5326c.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 4148 wrote to memory of 1232	4148	4e12a4b08833b1b00197fbe49ac5326c.exe	26
PID 1232 wrote to memory of 2692	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	19
PID 1232 wrote to memory of 2692	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	19
PID 1232 wrote to memory of 2692	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	19
PID 1232 wrote to memory of 2692	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	19
PID 1232 wrote to memory of 4716	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	25
PID 1232 wrote to memory of 4716	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	25
PID 1232 wrote to memory of 4716	1232	4e12a4b08833b1b00197fbe49ac5326c.exe	25

C:\Users\Admin\AppData\Local\Temp\4e12a4b08833b1b00197fbe49ac5326c.exe
"C:\Users\Admin\AppData\Local\Temp\4e12a4b08833b1b00197fbe49ac5326c.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\4e12a4b08833b1b00197fbe49ac5326c.exe
  "C:\Users\Admin\AppData\Local\Temp\4e12a4b08833b1b00197fbe49ac5326c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1232

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
PID:2692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 476
  2⤵
  - Program crash
  PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 480
  2⤵
  - Program crash
  PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2692 -ip 2692
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2692 -ip 2692
1⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-7-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1232-9-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1232-12-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1232-6-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1232-5-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2692-13-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2692-11-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/4148-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4148-1-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/4148-0-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4148-10-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing