xtremerat | f8168fcb9494edcf085245b170c4584ba9c33559559bb7ebf6ac5a06508ccad4

General

Target

c08d396078b9fa1cf6ded3e455e1b4cc.exe
Size

438KB
MD5

c08d396078b9fa1cf6ded3e455e1b4cc
SHA1

e0b51d3423144663582d8e75fa26a4f2fe4e5f32
SHA256

f8168fcb9494edcf085245b170c4584ba9c33559559bb7ebf6ac5a06508ccad4
SHA512

2f5f5d67b95eb7a7802a9fff097b14aabcf64d7c2bb7760b400a85d08568ae6febe53bc7de69e222062d9298616f43db35309589ffae32908c51061ee105aae2
SSDEEP

12288:2VFFEqmvg4nyNh+OjXG4qfROGapCB0PWdUQ:uXE1g8oxLz03GCB0P3Q

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

step6.no-ip.info

Signatures

Detect XtremeRAT payload 15 IoCs

resource	yara_rule
behavioral1/memory/2128-5-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-8-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-11-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-14-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2784-24-0x0000000000400000-0x0000000000474000-memory.dmp	family_xtremerat
behavioral1/memory/2128-26-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-25-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-20-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-17-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2536-29-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-32-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2128-33-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/files/0x000c000000014890-34.dat	family_xtremerat
behavioral1/memory/2128-35-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat
behavioral1/memory/2536-37-0x0000000000400000-0x000000000044A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Program Files (x86)\\Java\\jusched.exe"	c08d396078b9fa1cf6ded3e455e1b4cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Program Files (x86)\\Java\\jusched.exe"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Java\jusched.exe	c08d396078b9fa1cf6ded3e455e1b4cc.exe
File created	C:\Program Files (x86)\Java\jusched.exe	c08d396078b9fa1cf6ded3e455e1b4cc.exe
File opened for modification	C:\Program Files (x86)\Java\	c08d396078b9fa1cf6ded3e455e1b4cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2128	c08d396078b9fa1cf6ded3e455e1b4cc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2784 wrote to memory of 2128	2784	c08d396078b9fa1cf6ded3e455e1b4cc.exe	28
PID 2128 wrote to memory of 2536	2128	c08d396078b9fa1cf6ded3e455e1b4cc.exe	29
PID 2128 wrote to memory of 2536	2128	c08d396078b9fa1cf6ded3e455e1b4cc.exe	29
PID 2128 wrote to memory of 2536	2128	c08d396078b9fa1cf6ded3e455e1b4cc.exe	29
PID 2128 wrote to memory of 2536	2128	c08d396078b9fa1cf6ded3e455e1b4cc.exe	29
PID 2128 wrote to memory of 2536	2128	c08d396078b9fa1cf6ded3e455e1b4cc.exe	29

C:\Users\Admin\AppData\Local\Temp\c08d396078b9fa1cf6ded3e455e1b4cc.exe
"C:\Users\Admin\AppData\Local\Temp\c08d396078b9fa1cf6ded3e455e1b4cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\c08d396078b9fa1cf6ded3e455e1b4cc.exe
  "C:\Users\Admin\AppData\Local\Temp\c08d396078b9fa1cf6ded3e455e1b4cc.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds Run key to start application
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jusched.exe

Filesize
438KB

MD5
c08d396078b9fa1cf6ded3e455e1b4cc

SHA1
e0b51d3423144663582d8e75fa26a4f2fe4e5f32

SHA256
f8168fcb9494edcf085245b170c4584ba9c33559559bb7ebf6ac5a06508ccad4

SHA512
2f5f5d67b95eb7a7802a9fff097b14aabcf64d7c2bb7760b400a85d08568ae6febe53bc7de69e222062d9298616f43db35309589ffae32908c51061ee105aae2

Download Submit
memory/2128-26-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-11-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-14-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-25-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-35-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-1-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-8-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-17-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-33-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2128-32-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2536-29-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2536-37-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2784-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2784-24-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads