xtremerat | 0b659b5fef0f68ffc2c533e5df1040332fe9f9adb45f29514d81a5678c9f71e9

General

Target

08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe
Size

178KB
MD5

08cc3cc5f15539bf45636a0c4f0188e0
SHA1

37d99c3454166a8147b0b704b18022530a78d32b
SHA256

0b659b5fef0f68ffc2c533e5df1040332fe9f9adb45f29514d81a5678c9f71e9
SHA512

5f0477dae2dfcf41855a830c53472f80d43d45fce7d723cab5e9c5dce6f59e58af034c0f88f7c1a7d67b2850f62bbea2e7d7efcf3325ecbb5c4632f95b959b65
SSDEEP

3072:9Gu9BlfzWIbXWm+w0JI5Rjv2aduB8lro9T/djPA9GECspGKdPEKEeuYFf7sL1:9/0uoHKUJlE9GECsBdOI7U

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

invisivelno-ip.no-ip.org

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2716-64-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2500-67-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2664-68-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2664-37-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2664-35-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 4 IoCs

Processes:

1SYSMS~1.EXE1SYSMS~1.exe1SYSMS~1.EXE1SYSMS~1.exe

pid process

776 1SYSMS~1.EXE
2664 1SYSMS~1.exe
2732 1SYSMS~1.EXE
2492 1SYSMS~1.exe

pid	process
776	1SYSMS~1.EXE
2664	1SYSMS~1.exe
2732	1SYSMS~1.EXE
2492	1SYSMS~1.exe

Loads dropped DLL 10 IoCs

Processes:

08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe1SYSMS~1.EXE1SYSMS~1.exe1SYSMS~1.EXE1SYSMS~1.exe

pid	process
2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe
2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe
776	1SYSMS~1.EXE
776	1SYSMS~1.EXE
2664	1SYSMS~1.exe
2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe
2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe
2732	1SYSMS~1.EXE
2732	1SYSMS~1.EXE
2492	1SYSMS~1.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2716-64-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2500-67-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-68-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-37-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-35-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-33-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-28-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-25-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-22-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2664-21-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1SYSMS~1.EXE1SYSMS~1.EXE

description	pid	process	target process
PID 776 set thread context of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 set thread context of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1SYSMS~1.EXE1SYSMS~1.EXE

pid process

776 1SYSMS~1.EXE
2732 1SYSMS~1.EXE

pid	process
776	1SYSMS~1.EXE
2732	1SYSMS~1.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe1SYSMS~1.EXE1SYSMS~1.exe1SYSMS~1.EXE1SYSMS~1.exe

description	pid	process	target process
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 776	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 776 wrote to memory of 2664	776	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2400 wrote to memory of 2732	2400	08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe	1SYSMS~1.EXE
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2732 wrote to memory of 2492	2732	1SYSMS~1.EXE	1SYSMS~1.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2716	2664	1SYSMS~1.exe	svchost.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2664 wrote to memory of 2640	2664	1SYSMS~1.exe	iexplore.exe
PID 2492 wrote to memory of 2500	2492	1SYSMS~1.exe	svchost.exe
PID 2492 wrote to memory of 2528	2492	1SYSMS~1.exe	iexplore.exe
PID 2492 wrote to memory of 2528	2492	1SYSMS~1.exe	iexplore.exe
PID 2492 wrote to memory of 2528	2492	1SYSMS~1.exe	iexplore.exe
PID 2492 wrote to memory of 2528	2492	1SYSMS~1.exe	iexplore.exe
PID 2492 wrote to memory of 2528	2492	1SYSMS~1.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08cc3cc5f15539bf45636a0c4f0188e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2716
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2500
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\699c4b9cdebca7aaea5193cae8a50098_ad04ce47-83ca-4cca-a79e-77cdc80ce41e

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SYSMS~1.EXE

Filesize
114KB

MD5
c0c339fbd5a9b7b0435865d127cdb9a1

SHA1
bdd4a5776adf162931688092238e1376e9c64632

SHA256
5dc703078e4d137878795aa09c8a94f79b9f2ce3ec94ae25572b382a8ece1d3a

SHA512
65bd2c31d57a42822d233fda4b3250b116cac87e7968882f44194f5dd3e1469f533827a115419626d1d8b23b3a947b8ecbb2f37c845a6fe54265f03fed93928e

Download Submit
memory/776-11-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/776-15-0x00000000002D0000-0x00000000002D3000-memory.dmp

Filesize
12KB

Download
memory/776-14-0x0000000000340000-0x00000000003A3000-memory.dmp

Filesize
396KB

Download
memory/776-34-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2400-9-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2400-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2500-67-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-28-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-22-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-21-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-68-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-37-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-35-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-20-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-33-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-29-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2664-25-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2664-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-64-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2732-41-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2732-61-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2732-44-0x00000000008D0000-0x0000000000933000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads