xtremerat | 215b3350b74a68b685582e93b42c4763c6626df94cc2243281bf997d7d83d581

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

971548addc373b70e70c748ddb279cfd.exe
Size

885KB
MD5

971548addc373b70e70c748ddb279cfd
SHA1

0e77d592c9a243a172a4d72069f07b6d79a7209d
SHA256

215b3350b74a68b685582e93b42c4763c6626df94cc2243281bf997d7d83d581
SHA512

c98b06ffc9b809b7ddd22a35d5dade65b080268ca76f7b836d9110e7140056d0db022b1e8f06ff99713aec33565e82c0a1b338caf2d0c18a30a3b8da17e9a1b0
SSDEEP

12288:s2cjEJnk5y6/FOD1ho6zWD07N0RoG5XS6SarFLhzFAkNoDF/UE5VmKT+A/ixVDN:spjEJ5cO5h/7N0RtpfFAkNkFzBZ

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

Ꟙstabilhayko.no-ip.org

Signatures

Detect XtremeRAT payload 7 IoCs

resource	yara_rule
behavioral1/memory/2284-6-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2284-10-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2284-7-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2284-12-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2144-15-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2284-26-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2144-37-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 2 IoCs

pid	Process
2676	372mYNET.EXE
2992	svchostei.exe

Loads dropped DLL 5 IoCs

pid	Process
776	971548addc373b70e70c748ddb279cfd.exe
2284	971548addc373b70e70c748ddb279cfd.exe
2284	971548addc373b70e70c748ddb279cfd.exe
2676	372mYNET.EXE
2676	372mYNET.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/776-0-0x0000000000400000-0x0000000000506800-memory.dmp	upx
behavioral1/memory/776-11-0x0000000000400000-0x0000000000506800-memory.dmp	upx
behavioral1/memory/2284-9-0x0000000000400000-0x0000000000506800-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU Key = "C:\\Users\\Admin\\AppData\\Roaming\\svchostei.exe"	svchostei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM Key = "C:\\Users\\Admin\\AppData\\Roaming\\svchostei.exe"	svchostei.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zorluadm.dll	971548addc373b70e70c748ddb279cfd.exe
File created	C:\Windows\SysWOW64\372mYNET.EXE.exe	971548addc373b70e70c748ddb279cfd.exe
File created	C:\Windows\SysWOW64\372mYNET.EXE	971548addc373b70e70c748ddb279cfd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
776	971548addc373b70e70c748ddb279cfd.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 776 wrote to memory of 2284	776	971548addc373b70e70c748ddb279cfd.exe	28
PID 2284 wrote to memory of 2144	2284	971548addc373b70e70c748ddb279cfd.exe	29
PID 2284 wrote to memory of 2144	2284	971548addc373b70e70c748ddb279cfd.exe	29
PID 2284 wrote to memory of 2144	2284	971548addc373b70e70c748ddb279cfd.exe	29
PID 2284 wrote to memory of 2144	2284	971548addc373b70e70c748ddb279cfd.exe	29
PID 2284 wrote to memory of 2144	2284	971548addc373b70e70c748ddb279cfd.exe	29
PID 2284 wrote to memory of 2152	2284	971548addc373b70e70c748ddb279cfd.exe	30
PID 2284 wrote to memory of 2152	2284	971548addc373b70e70c748ddb279cfd.exe	30
PID 2284 wrote to memory of 2152	2284	971548addc373b70e70c748ddb279cfd.exe	30
PID 2284 wrote to memory of 2152	2284	971548addc373b70e70c748ddb279cfd.exe	30
PID 2284 wrote to memory of 2152	2284	971548addc373b70e70c748ddb279cfd.exe	30
PID 2284 wrote to memory of 2676	2284	971548addc373b70e70c748ddb279cfd.exe	31
PID 2284 wrote to memory of 2676	2284	971548addc373b70e70c748ddb279cfd.exe	31
PID 2284 wrote to memory of 2676	2284	971548addc373b70e70c748ddb279cfd.exe	31
PID 2284 wrote to memory of 2676	2284	971548addc373b70e70c748ddb279cfd.exe	31
PID 2676 wrote to memory of 2992	2676	372mYNET.EXE	32
PID 2676 wrote to memory of 2992	2676	372mYNET.EXE	32
PID 2676 wrote to memory of 2992	2676	372mYNET.EXE	32
PID 2676 wrote to memory of 2992	2676	372mYNET.EXE	32

C:\Users\Admin\AppData\Local\Temp\971548addc373b70e70c748ddb279cfd.exe
"C:\Users\Admin\AppData\Local\Temp\971548addc373b70e70c748ddb279cfd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Local\Temp\971548addc373b70e70c748ddb279cfd.exe
  C:\Users\Admin\AppData\Local\Temp\971548addc373b70e70c748ddb279cfd.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2144
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\372mYNET.EXE
    "C:\Windows\system32\372mYNET.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Roaming\svchostei.exe
      "C:\Users\Admin\AppData\Roaming\svchostei.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\372mYNET.EXE

Filesize
11KB

MD5
6752d654cbaf37dc2ca6539019f62ba3

SHA1
1db60d9831fa818a39b60b6843f2dc431110ca4c

SHA256
1021676e9ed6507fe9d814b2b65fc613812fc3e89fbf7b17ba06f792663a985f

SHA512
2d595f14a0b16218176f5916960184d8dd2b51bf040086d3b8c2bff93c08159973bd3d40ff7c6de9206780e9b7d1bd9a4fcd9d206aa42548d84e3aadca254c2f

Download Submit
\Windows\SysWOW64\zorluadm.dll

Filesize
1.3MB

MD5
df5c622697dc8c743f3884914a9e4d99

SHA1
cdfc6345080dfa9c45d323f15532ad9274385d2f

SHA256
0ca52bc5cf854e274e15ba07df97b2e75ec4e1fc2d90f23676da7fa3c95da089

SHA512
59867bb9608c250661a6eb823f06c907d334eb4f638b04f21cf10213e5163035c37261f5213642c703dd382871a5d3ae764839c1b93e18e833d85ac0e3409f90

Download Submit
memory/776-8-0x0000000002E50000-0x0000000002F57000-memory.dmp

Filesize
1.0MB

Download
memory/776-11-0x0000000000400000-0x0000000000506800-memory.dmp

Filesize
1.0MB

Download
memory/776-0-0x0000000000400000-0x0000000000506800-memory.dmp

Filesize
1.0MB

Download
memory/2144-13-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2144-15-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2144-37-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-10-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-9-0x0000000000400000-0x0000000000506800-memory.dmp

Filesize
1.0MB

Download
memory/2284-7-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-12-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-6-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2284-26-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads