xtremerat | e0849ba088740afd3f09558cc1d9001b019f3bc4901563f5bc7bfedea2d38860

General

Target

982ec0a7e4cc9470cb6885b8d816fa45.exe
Size

956KB
MD5

982ec0a7e4cc9470cb6885b8d816fa45
SHA1

9c550995ab7251f60ad625e5d0251374e7ca73f6
SHA256

e0849ba088740afd3f09558cc1d9001b019f3bc4901563f5bc7bfedea2d38860
SHA512

9c5c7ae76d406057d75b7c64f776fdc5b519bbc4b0fa29c4263e41df097ef0a05e9b934ddd95fb65ba6d1e4bfb0672c395fb22ae4f0524169a0900f03b9be7fd
SSDEEP

12288:A/gctSVTWOWOdT/zvTjv95cTGMaqRL2nOxr/JZLYi8gPRyw7V57R8b8oOmn:A/FtATE67LjeJR7nV1k8Z0

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

goshare.dyndns.biz

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral2/memory/4756-29-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/732-30-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral2/memory/4756-31-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	982ec0a7e4cc9470cb6885b8d816fa45.exe

Executes dropped EXE 1 IoCs

pid	Process
732	server.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002312f-18.dat	upx
behavioral2/memory/732-26-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4756-29-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/732-30-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral2/memory/4756-31-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
460	4756	WerFault.exe	86
2452	4756	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe
4592	982ec0a7e4cc9470cb6885b8d816fa45.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	982ec0a7e4cc9470cb6885b8d816fa45.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 732	4592	982ec0a7e4cc9470cb6885b8d816fa45.exe	85
PID 4592 wrote to memory of 732	4592	982ec0a7e4cc9470cb6885b8d816fa45.exe	85
PID 4592 wrote to memory of 732	4592	982ec0a7e4cc9470cb6885b8d816fa45.exe	85
PID 732 wrote to memory of 4756	732	server.exe	86
PID 732 wrote to memory of 4756	732	server.exe	86
PID 732 wrote to memory of 4756	732	server.exe	86
PID 732 wrote to memory of 4756	732	server.exe	86
PID 732 wrote to memory of 1892	732	server.exe	87
PID 732 wrote to memory of 1892	732	server.exe	87
PID 732 wrote to memory of 1892	732	server.exe	87

C:\Users\Admin\AppData\Local\Temp\982ec0a7e4cc9470cb6885b8d816fa45.exe
"C:\Users\Admin\AppData\Local\Temp\982ec0a7e4cc9470cb6885b8d816fa45.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 480
      4⤵
      Program crash
      PID:460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 504
      4⤵
      Program crash
      PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4756 -ip 4756
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4756 -ip 4756
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
33KB

MD5
687476c1c257083237b9c35c78c991f2

SHA1
792778a5488896d20f6598730dd62b66b2807699

SHA256
63f92f378777374ec67301a0e519694083ad9961ef64d07d69653c4f2444e52e

SHA512
73d829223bba35bf4d0bf22ce01b83b1fb5e782dfdaf5746c3e78af5d424f15448d1a2e9cd9a79f8e792bd18b2da657b326f88cb1644d8a2adbbd393f1f17bf9

Download Submit
C:\Users\Admin\Documents\explorer.exe

Filesize
1KB

MD5
5086e32e2215de761a965efa17a74aa9

SHA1
470bc208058f04397f3990ced6e235adc7dd73ab

SHA256
a0c6fe2557751b2073688fb956cf2ec0bfce7e7b5b372b2a573c39b3979df278

SHA512
f697ff0551600b5026a9af9be22fa201c85ce782418eca639ba931cbfc31e5b8c799139289abc1d419b062412d7643e64985abffcbf9dcc49828cdaa613a3aa6

Download Submit
memory/732-30-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/732-26-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4592-5-0x000000001BF50000-0x000000001BFB2000-memory.dmp

Filesize
392KB

Download
memory/4592-4-0x000000001B790000-0x000000001BC5E000-memory.dmp

Filesize
4.8MB

Download
memory/4592-6-0x000000001C4C0000-0x000000001C514000-memory.dmp

Filesize
336KB

Download
memory/4592-7-0x000000001C8A0000-0x000000001C93C000-memory.dmp

Filesize
624KB

Download
memory/4592-8-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-9-0x000000001BED0000-0x000000001BED8000-memory.dmp

Filesize
32KB

Download
memory/4592-10-0x000000001E1A0000-0x000000001E1EC000-memory.dmp

Filesize
304KB

Download
memory/4592-0-0x00007FFC3A180000-0x00007FFC3AB21000-memory.dmp

Filesize
9.6MB

Download
memory/4592-2-0x000000001B210000-0x000000001B2B6000-memory.dmp

Filesize
664KB

Download
memory/4592-3-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-34-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-1-0x00007FFC3A180000-0x00007FFC3AB21000-memory.dmp

Filesize
9.6MB

Download
memory/4592-33-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4592-32-0x00007FFC3A180000-0x00007FFC3AB21000-memory.dmp

Filesize
9.6MB

Download
memory/4756-31-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/4756-29-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing