xtremerat | dbe6dd2f04ddf1e9a2e11e8f74bf9589233e53a1078c8d4d15b8bbe7c608e660

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 03:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c9b2c54fb123e5d59db8fbfd81af71a7.exe
Size

144KB
MD5

c9b2c54fb123e5d59db8fbfd81af71a7
SHA1

ee19e4cbacf375c630b2d04a7944728cc026c915
SHA256

dbe6dd2f04ddf1e9a2e11e8f74bf9589233e53a1078c8d4d15b8bbe7c608e660
SHA512

8223cf20009933e1ce8cf4af1407090b484a1766b4c71f7790561317461c7bf01d84f81c9904492fc8c8f474fb5c761eb828483d718599253853247f01427a0f
SSDEEP

3072:iAubulC9iFK8YRsMKOJykBlWzBBeG4PN5fQ27nvyRlCLVXr:RubulC9AKtRB9mBBP4LQ2LF

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 6 IoCs

resource	yara_rule
behavioral2/memory/2792-3-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2792-4-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2792-6-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2792-7-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/1208-13-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat
behavioral2/memory/2792-16-0x0000000000C80000-0x0000000000C92000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\explor.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	c9b2c54fb123e5d59db8fbfd81af71a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\InstallDir\\explor.exe restart"	c9b2c54fb123e5d59db8fbfd81af71a7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\explor.exe"	c9b2c54fb123e5d59db8fbfd81af71a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\explor.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\explor.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\explor.exe"	c9b2c54fb123e5d59db8fbfd81af71a7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InstallDir\explor.exe	c9b2c54fb123e5d59db8fbfd81af71a7.exe
File created	C:\Windows\InstallDir\explor.exe	c9b2c54fb123e5d59db8fbfd81af71a7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe
2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2156 wrote to memory of 2792	2156	c9b2c54fb123e5d59db8fbfd81af71a7.exe	91
PID 2792 wrote to memory of 1208	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	92
PID 2792 wrote to memory of 1208	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	92
PID 2792 wrote to memory of 1208	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	92
PID 2792 wrote to memory of 1208	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	92
PID 2792 wrote to memory of 5036	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	93
PID 2792 wrote to memory of 5036	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	93
PID 2792 wrote to memory of 5036	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	93
PID 2792 wrote to memory of 1688	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	94
PID 2792 wrote to memory of 1688	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	94
PID 2792 wrote to memory of 1688	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	94
PID 2792 wrote to memory of 220	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	95
PID 2792 wrote to memory of 220	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	95
PID 2792 wrote to memory of 220	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	95
PID 2792 wrote to memory of 724	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	96
PID 2792 wrote to memory of 724	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	96
PID 2792 wrote to memory of 724	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	96
PID 2792 wrote to memory of 1700	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	97
PID 2792 wrote to memory of 1700	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	97
PID 2792 wrote to memory of 1700	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	97
PID 2792 wrote to memory of 3936	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	99
PID 2792 wrote to memory of 3936	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	99
PID 2792 wrote to memory of 3936	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	99
PID 2792 wrote to memory of 3632	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	100
PID 2792 wrote to memory of 3632	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	100
PID 2792 wrote to memory of 3632	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	100
PID 2792 wrote to memory of 1188	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	102
PID 2792 wrote to memory of 1188	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	102
PID 2792 wrote to memory of 1188	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	102
PID 2792 wrote to memory of 4576	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	103
PID 2792 wrote to memory of 4576	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	103
PID 2792 wrote to memory of 4576	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	103
PID 2792 wrote to memory of 3976	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	107
PID 2792 wrote to memory of 3976	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	107
PID 2792 wrote to memory of 3976	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	107
PID 2792 wrote to memory of 4892	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	108
PID 2792 wrote to memory of 4892	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	108
PID 2792 wrote to memory of 4892	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	108
PID 2792 wrote to memory of 2992	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	111
PID 2792 wrote to memory of 2992	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	111
PID 2792 wrote to memory of 2992	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	111
PID 2792 wrote to memory of 4708	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	113
PID 2792 wrote to memory of 4708	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	113
PID 2792 wrote to memory of 4708	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	113
PID 2792 wrote to memory of 3620	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	114
PID 2792 wrote to memory of 3620	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	114
PID 2792 wrote to memory of 3620	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	114
PID 2792 wrote to memory of 1400	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	115
PID 2792 wrote to memory of 1400	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	115
PID 2792 wrote to memory of 1400	2792	c9b2c54fb123e5d59db8fbfd81af71a7.exe	115

C:\Users\Admin\AppData\Local\Temp\c9b2c54fb123e5d59db8fbfd81af71a7.exe
"C:\Users\Admin\AppData\Local\Temp\c9b2c54fb123e5d59db8fbfd81af71a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\c9b2c54fb123e5d59db8fbfd81af71a7.exe
  "C:\Users\Admin\AppData\Local\Temp\c9b2c54fb123e5d59db8fbfd81af71a7.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:1208
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:220
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:724
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\InstallDir\explor.exe

Filesize
144KB

MD5
c9b2c54fb123e5d59db8fbfd81af71a7

SHA1
ee19e4cbacf375c630b2d04a7944728cc026c915

SHA256
dbe6dd2f04ddf1e9a2e11e8f74bf9589233e53a1078c8d4d15b8bbe7c608e660

SHA512
8223cf20009933e1ce8cf4af1407090b484a1766b4c71f7790561317461c7bf01d84f81c9904492fc8c8f474fb5c761eb828483d718599253853247f01427a0f

Download Submit
memory/1208-13-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2156-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2156-5-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-3-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2792-4-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2792-6-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2792-7-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2792-16-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads