xtremerat | 0a180a3adc1cbd3632d69a195a2bb2f60dd91aee498c5079da30593b59660e90

Sharing

Copy URL

Twitter E-mail

General

Target

0a180a3adc1cbd3632d69a195a2bb2f60dd91aee498c5079da30593b59660e90
Size

36KB
MD5

8fd2df7631c214d572dba902def34e96
SHA1

12d7661192e8baf00b8eb8bf02c949f5231929a0
SHA256

0a180a3adc1cbd3632d69a195a2bb2f60dd91aee498c5079da30593b59660e90
SHA512

90279e7fa242464e311a16bf129561da788b6c925a9f1d0911c9e206b5b4f4abda1014db14fd3fd134a6515a82026d4ac10bdc683852cc6413f6798750101789
SSDEEP

768:FE+h4xhiaD7WRhLol0XOgLYXtu5zVx3gJCncX85TrFHUmNgha6AeS7:FE+KxkiWRhLocqu57ICnM8V5HU6J

Score

10^/10

xtremerat

Malware Config

Extracted

Family

xtremerat

net16.net

uriel-productions.net16.n

Signatures

Detect XtremeRAT payload 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a.exe	family_xtremerat

Xtremerat family
xtremerat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a.exe

Files

0a180a3adc1cbd3632d69a195a2bb2f60dd91aee498c5079da30593b59660e90
.zip

Password: infected
ba565ff6b970cc298347b0c900c3faa474b6aeddab5459cf4d08bfaee75fa26a.exe
.exe windows:4 windows x86 arch:x86

241c6d90a3d1dbb1f11f354ca72be0e0

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

kernel32

DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
VirtualFree
VirtualAlloc
LocalFree
LocalAlloc
GetVersion
GetCurrentThreadId
WideCharToMultiByte
MultiByteToWideChar
GetThreadLocale
GetStartupInfoA
GetLocaleInfoA
GetCommandLineA
FreeLibrary
ExitProcess
ExitThread
CreateThread
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleA
lstrlenW
WriteProcessMemory
WriteFile
WaitForSingleObject
VirtualProtectEx
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
TerminateThread
TerminateProcess
Sleep
SizeofResource
SetThreadPriority
SetThreadContext
SetFilePointer
SetFileAttributesW
SetEvent
SetErrorMode
SetEndOfFile
ResumeThread
ReadProcessMemory
ReadFile
LockResource
LoadResource
LoadLibraryA
InitializeCriticalSection
GlobalUnlock
GlobalSize
GlobalLock
GetWindowsDirectoryW
GetThreadContext
GetTempPathW
GetSystemDirectoryW
GetModuleHandleA
GetModuleFileNameW
GetLocalTime
GetLastError
GetFileSize
GetFileAttributesW
GetCommandLineW
FreeResource
InterlockedIncrement
InterlockedDecrement
FindResourceW
FindFirstFileW
FindClose
ExitProcess
DeleteFileW
DeleteCriticalSection
CreateThread
CreateRemoteThread
CreateProcessW
CreateMutexW
CreateFileW
CreateEventA
CreateDirectoryW
CopyFileW
CloseHandle

user32

GetKeyboardType
MessageBoxA
CreateWindowExW
UnregisterClassW
UnhookWindowsHookEx
TranslateMessage
ShowWindow
SetWindowsHookExW
SetClipboardViewer
SendMessageA
RegisterWindowMessageW
RegisterClassW
PostMessageA
PeekMessageA
OpenClipboard
MapVirtualKeyW
GetWindowThreadProcessId
GetWindowTextW
GetWindowRect
GetKeyboardLayout
GetKeyState
GetForegroundWindow
GetDesktopWindow
GetClipboardData
DispatchMessageA
DefWindowProcA
CloseClipboard
CharUpperW
CharNextW
CharLowerW
CallNextHookEx
GetKeyboardState
ToUnicodeEx

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen

shlwapi

SHDeleteKeyW
SHDeleteValueW
SHDeleteKeyW

shell32

SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetMalloc
FindExecutableW
ShellExecuteW

ntdll

NtUnmapViewOfSection

Sections

CODE
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: 204KB - Virtual size: 204KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

241c6d90a3d1dbb1f11f354ca72be0e0

Headers

File Characteristics

Imports

kernel32

user32

advapi32

oleaut32

shlwapi

shell32

ntdll

Sections

CODE Size: 48KB - Virtual size: 48KB

DATA Size: 4KB - Virtual size: 4KB

BSS Size: 204KB - Virtual size: 204KB

.idata Size: 4KB - Virtual size: 4KB

.tls Size: 4KB - Virtual size: 4KB

.rdata Size: 4KB - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 4KB

.rsrc Size: 12KB - Virtual size: 12KB

CODE
Size: 48KB - Virtual size: 48KB

DATA
Size: 4KB - Virtual size: 4KB

BSS
Size: 204KB - Virtual size: 204KB

.idata
Size: 4KB - Virtual size: 4KB

.tls
Size: 4KB - Virtual size: 4KB

.rdata
Size: 4KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 12KB - Virtual size: 12KB