xtremerat | ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a.exe
Size

288KB
MD5

cba17e1418112ac9f33120229be7b9ef
SHA1

9ef4f9d75e4ddfc82af8c9196bb21a38c10ae04c
SHA256

ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a
SHA512

2872396eb0e8b2fdc52db3aa6e8d6210a88e55c6afe19cc710403f95c743158d28a690a871bdc537b33e86449808f78ad8e38e689beb57d6505bf7c14f7cdb31
SSDEEP

1536:8T8qnT8qDqQ8K9MK3tGjbNwPZ6oIeXHWEptp4duRGA:qqMyKdcPeXHWEptpTRG

Score

10^/10

xtremerat

Malware Config

Extracted

Family

xtremerat

net16.net

uriel-productions.net16.n

Signatures

Detect XtremeRAT payload 1 IoCs

resource	yara_rule
sample	family_xtremerat

Xtremerat family
xtremerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a.exe

Files

ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a.exe
.exe windows:4 windows x86 arch:x86

241c6d90a3d1dbb1f11f354ca72be0e0

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
WideCharToMultiByte
MultiByteToWideChar
GetThreadLocale
GetStartupInfoA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
ExitProcess
ExitThread
CreateThread
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
lstrlenW
WriteProcessMemory
WriteFile
WaitForSingleObject
VirtualProtectEx
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
TerminateThread
TerminateProcess
Sleep
SizeofResource
SetThreadPriority
SetThreadContext
SetFilePointer
SetFileAttributesW
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ReadProcessMemory
ReadFile
LockResource
LoadResource
LoadLibraryA
InitializeCriticalSection
GlobalUnlock
GlobalSize
GlobalLock
GetWindowsDirectoryW
GetThreadContext
GetTempPathW
GetSystemDirectoryW
GetModuleHandleA
GetModuleFileNameW
GetLocalTime
GetLastError
GetFileSize
GetFileAttributesW
GetCommandLineW
FreeResource
InterlockedIncrement
InterlockedDecrement
FindResourceW
FindFirstFileW
FindClose
ExitProcess
DeleteFileW
DeleteCriticalSection
CreateThread
CreateRemoteThread
CreateProcessW
CreateMutexW
CreateFileW
CreateEventA
CreateDirectoryW
CopyFileW
CloseHandle

user32

GetKeyboardType
MessageBoxA
CreateWindowExW
UnregisterClassW
UnhookWindowsHookEx
TranslateMessage
ShowWindow
SetWindowsHookExW
SetClipboardViewer
SendMessageA
RegisterWindowMessageW
RegisterClassW
PostMessageA
PeekMessageA
OpenClipboard
MapVirtualKeyW
GetWindowThreadProcessId
GetWindowTextW
GetWindowRect
GetKeyboardLayout
GetKeyState
GetForegroundWindow
GetDesktopWindow
GetClipboardData
DispatchMessageA
DefWindowProcA
CloseClipboard
CharUpperW
CharNextW
CharLowerW
CallNextHookEx
GetKeyboardState
ToUnicodeEx

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen

shlwapi

SHDeleteKeyW
SHDeleteValueW
SHDeleteKeyW

shell32

SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetMalloc
FindExecutableW
ShellExecuteW

ntdll

NtUnmapViewOfSection

Sections

CODE
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: 204KB - Virtual size: 204KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

241c6d90a3d1dbb1f11f354ca72be0e0

Headers

File Characteristics

Imports

kernel32

user32

advapi32

oleaut32

shlwapi

shell32

ntdll

Sections

CODE Size: 48KB - Virtual size: 48KB

DATA Size: 4KB - Virtual size: 4KB

BSS Size: 204KB - Virtual size: 204KB

.idata Size: 4KB - Virtual size: 4KB

.tls Size: 4KB - Virtual size: 4KB

.rdata Size: 4KB - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 4KB

.rsrc Size: 12KB - Virtual size: 12KB

CODE
Size: 48KB - Virtual size: 48KB

DATA
Size: 4KB - Virtual size: 4KB

BSS
Size: 204KB - Virtual size: 204KB

.idata
Size: 4KB - Virtual size: 4KB

.tls
Size: 4KB - Virtual size: 4KB

.rdata
Size: 4KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 12KB - Virtual size: 12KB