xtremerat | 5579a050c744e49900d7e5d3cabbd61125a82da6bd7ff7e8e18f87fb50c2889e

General

Target

7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
Size

765KB
MD5

7bbc50af11ca46a958cecb2898884860
SHA1

3acad220a592a55cf544462bfa9cda995d62145c
SHA256

5579a050c744e49900d7e5d3cabbd61125a82da6bd7ff7e8e18f87fb50c2889e
SHA512

d8f3b5deb8550f91caceb50c6de2d9fe7384ea2a45ded5a27535784376f185fe22213efd78692f6a0e58cd5f9bb781fdd0cb5f7b1e54e60ff9b9299e1d553687
SSDEEP

12288:ChkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a36Ph9y2d71YlRC:iRmJkcoQricOIQxiZY1ia0yY71YlE

Score

10^/10

xtremerat persistence rat spyware

Malware Config

Signatures

Detect XtremeRAT payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/636-11-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-14-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-21-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-20-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-19-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-18-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-15-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-12-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-13-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2528-28-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2644-32-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/636-33-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat
behavioral1/memory/2644-35-0x0000000000C80000-0x0000000000C93000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsDDL\\dlhost.exe restart"	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsDDL\\dlhost.exe restart"	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gFa57A = "C:\\Users\\Admin\\nCh71K\\svchost.exe"	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsDDL\\dlhost.exe"	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsDDL\\dlhost.exe"	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WindowsDDL\dlhost.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe

description	pid	process	target process
PID 1948 set thread context of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2644 explorer.exe

pid	process
2644	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe

description	pid	process	target process
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 1948 wrote to memory of 636	1948	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
PID 636 wrote to memory of 2528	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	svchost.exe
PID 636 wrote to memory of 2528	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	svchost.exe
PID 636 wrote to memory of 2528	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	svchost.exe
PID 636 wrote to memory of 2528	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	svchost.exe
PID 636 wrote to memory of 2528	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	svchost.exe
PID 636 wrote to memory of 2624	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	iexplore.exe
PID 636 wrote to memory of 2624	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	iexplore.exe
PID 636 wrote to memory of 2624	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	iexplore.exe
PID 636 wrote to memory of 2624	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	iexplore.exe
PID 636 wrote to memory of 2644	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	explorer.exe
PID 636 wrote to memory of 2644	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	explorer.exe
PID 636 wrote to memory of 2644	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	explorer.exe
PID 636 wrote to memory of 2644	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	explorer.exe
PID 636 wrote to memory of 2644	636	7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\7bbc50af11ca46a958cecb2898884860_NeikiAnalytics.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    PID:2528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yJt37W.GH8

Filesize
45KB

MD5
1ef026dc957131222733f734a365e078

SHA1
41e7d57fff3ae81d7147cc8476759d174e0445e5

SHA256
14b065bb0ef18f10421742800c1539c051383c820abff5793318b50bdad4e1f8

SHA512
9f5470514eaf806ce31cb470339082a57e9a383c4354813ce990ec645f43b6e8c90bd76c82e3571ca1be3e4adf3e356e88fa3830c8b530d751ee7a357a35b60e

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDDL\dlhost.exe

Filesize
765KB

MD5
7bbc50af11ca46a958cecb2898884860

SHA1
3acad220a592a55cf544462bfa9cda995d62145c

SHA256
5579a050c744e49900d7e5d3cabbd61125a82da6bd7ff7e8e18f87fb50c2889e

SHA512
d8f3b5deb8550f91caceb50c6de2d9fe7384ea2a45ded5a27535784376f185fe22213efd78692f6a0e58cd5f9bb781fdd0cb5f7b1e54e60ff9b9299e1d553687

Download Submit
memory/636-16-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/636-15-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-21-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-20-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-19-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-18-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-11-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-14-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-12-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-10-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-13-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-33-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/636-9-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2528-28-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2644-32-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download
memory/2644-35-0x0000000000C80000-0x0000000000C93000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads