xtremerat | 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
Size

809KB
MD5

4a06d9989a8c3a9967c2011e5baf3010
SHA1

d049b12303d0aad48a5868a1050d82ded68272d4
SHA256

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2
SHA512

09d6140a6781d700b6c5d0454add34a3d655eedc1615331d8362692059aff186da4b3543f96699ff0071ea185e81c5c4971e0d3b394ed970ed49651b38184686
SSDEEP

12288:fxaVAh64U5lwEO6MlJpy5RP5kOn9KdyYUkdve8LUj8dDwZX4ofxYlp0+EudGw9MZ:fxaVxr5+EkybBb4U028dDwjeDdT9NQ

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

good.zapto.org

Signatures

Detect XtremeRAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1400-58-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-68-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-65-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-64-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-61-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-56-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-54-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-52-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral1/memory/1400-50-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Drops startup file 1 IoCs

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

Executes dropped EXE 2 IoCs

Processes:

Micrsoft Word.exeMicrsoft Word.exe

pid	Process
2608	Micrsoft Word.exe
1400	Micrsoft Word.exe

Loads dropped DLL 7 IoCs

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exeMicrsoft Word.exe

pid	Process
1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
2608	Micrsoft Word.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Micrsoft Word.exe

pid	Process
2608	Micrsoft Word.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Micrsoft Word.exe

description	pid	Process	procid_target
PID 2608 set thread context of 1400	2608	Micrsoft Word.exe	33

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exeWINWORD.EXEMicrsoft Word.exeMicrsoft Word.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Micrsoft Word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Micrsoft Word.exe

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2408	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEMicrsoft Word.exeMicrsoft Word.exe

pid	Process
2408	WINWORD.EXE
2408	WINWORD.EXE
2608	Micrsoft Word.exe
1400	Micrsoft Word.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exeMicrsoft Word.exeWINWORD.EXE

description	pid	Process	procid_target
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2408	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	30
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 1928 wrote to memory of 2608	1928	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	32
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2608 wrote to memory of 1400	2608	Micrsoft Word.exe	33
PID 2408 wrote to memory of 1860	2408	WINWORD.EXE	36
PID 2408 wrote to memory of 1860	2408	WINWORD.EXE	36
PID 2408 wrote to memory of 1860	2408	WINWORD.EXE	36
PID 2408 wrote to memory of 1860	2408	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
"C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\temp\Word.doc"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1860
- C:\temp\Micrsoft Word.exe
  "C:\temp\Micrsoft Word.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\temp\Micrsoft Word.exe
    "C:\temp\Micrsoft Word.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\temp\Word.doc

Filesize
54KB

MD5
2884d2ac372fd9dce678e539f247b18d

SHA1
f391f40f04f44326450a274867c1987ab7da2765

SHA256
230c808c8e60d25423da6a814430f40af90eaca995cd4f985191ad0356e6e00a

SHA512
d9328beb0e708f18e029b4f6dcd6ff6f5b2994efe5c31a01c185c55597542943230871a636d491c87c2b801fe4597796cf29dc8c50c0ed1b1b78c2610cfd3b5e

Download Submit
\temp\Micrsoft Word.exe

Filesize
700KB

MD5
4dc0bcdcfb3f3d794175b21872a76079

SHA1
148aa40c7a14c87fc9c326396b2041223a27308a

SHA256
533ef10438f29b8f38bbe15f14e7377edfd530b15d41e2f001859ed00fdc9054

SHA512
c1953b4198bf046a83d8c0fab0faf0539be8615524b6842b2ce8d51f3e6757e69b71e374c763bae4f610d1e60cce12dfb1fc1118e9095a90b8d519a6a1bcab8f

Download Submit
memory/1400-52-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-61-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-46-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-48-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-50-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-58-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-68-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-54-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-56-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-65-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-64-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/1400-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1928-41-0x00000000038C0000-0x0000000003C24000-memory.dmp

Filesize
3.4MB

Download
memory/1928-10-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2408-13-0x000000007163D000-0x0000000071648000-memory.dmp

Filesize
44KB

Download
memory/2408-11-0x000000002F051000-0x000000002F052000-memory.dmp

Filesize
4KB

Download
memory/2408-12-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2408-82-0x000000002F051000-0x000000002F052000-memory.dmp

Filesize
4KB

Download
memory/2408-83-0x000000007163D000-0x0000000071648000-memory.dmp

Filesize
44KB

Download
memory/2608-66-0x0000000003050000-0x00000000033B4000-memory.dmp

Filesize
3.4MB

Download
memory/2608-67-0x00000000002B0000-0x0000000000614000-memory.dmp

Filesize
3.4MB

Download
memory/2608-43-0x00000000002B0000-0x0000000000614000-memory.dmp

Filesize
3.4MB

Download