xtremerat | 32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2

General

Target

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
Size

809KB
MD5

4a06d9989a8c3a9967c2011e5baf3010
SHA1

d049b12303d0aad48a5868a1050d82ded68272d4
SHA256

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2
SHA512

09d6140a6781d700b6c5d0454add34a3d655eedc1615331d8362692059aff186da4b3543f96699ff0071ea185e81c5c4971e0d3b394ed970ed49651b38184686
SSDEEP

12288:fxaVAh64U5lwEO6MlJpy5RP5kOn9KdyYUkdve8LUj8dDwZX4ofxYlp0+EudGw9MZ:fxaVxr5+EkybBb4U028dDwjeDdT9NQ

Score

10^/10

xtremerat discovery persistence rat spyware

Malware Config

Extracted

Family

xtremerat

C2

good.zapto.org

Signatures

Detect XtremeRAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2956-63-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-71-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-75-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-73-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-69-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-65-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-67-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat
behavioral2/memory/2956-79-0x0000000010000000-0x000000001004A000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

Drops startup file 1 IoCs

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .lnk	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

Executes dropped EXE 2 IoCs

Processes:

Micrsoft Word.exeMicrsoft Word.exe

pid process

2560 Micrsoft Word.exe
2956 Micrsoft Word.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Micrsoft Word.exe

pid process

2560 Micrsoft Word.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Micrsoft Word.exe

description pid process target process

PID 2560 set thread context of 2956 2560 Micrsoft Word.exe Micrsoft Word.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2560	Micrsoft Word.exe
2956	Micrsoft Word.exe

pid	process
2560	Micrsoft Word.exe

description	pid	process	target process
PID 2560 set thread context of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exeMicrsoft Word.exeMicrsoft Word.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Micrsoft Word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Micrsoft Word.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1952 WINWORD.EXE
1952 WINWORD.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WINWORD.EXEMicrsoft Word.exeMicrsoft Word.exe

pid	process
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
2560	Micrsoft Word.exe
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
1952	WINWORD.EXE
2956	Micrsoft Word.exe
1952	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exeMicrsoft Word.exe

description	pid	process	target process
PID 4464 wrote to memory of 1952	4464	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	WINWORD.EXE
PID 4464 wrote to memory of 1952	4464	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	WINWORD.EXE
PID 4464 wrote to memory of 2560	4464	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	Micrsoft Word.exe
PID 4464 wrote to memory of 2560	4464	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	Micrsoft Word.exe
PID 4464 wrote to memory of 2560	4464	32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe
PID 2560 wrote to memory of 2956	2560	Micrsoft Word.exe	Micrsoft Word.exe

C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe
"C:\Users\Admin\AppData\Local\Temp\32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\temp\Word.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\temp\Micrsoft Word.exe
  "C:\temp\Micrsoft Word.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\temp\Micrsoft Word.exe
    "C:\temp\Micrsoft Word.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD59.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
440B

MD5
8ba5bc9de3fa0db40c10d31687f07ecd

SHA1
1d985741732e4bbe47c19aa8c04b4412946b6b6b

SHA256
f0e78a1bb6b50841277ba58aca57d72fe25f16defed6b046a030ca6658d7c69f

SHA512
61f00683ecd633e4b2a250e733b9fcbb4e4b802dd6f7ff13030636e58f490101a9878de164ca800a435f48186949778d76ede02545e57701217ef77e046a1a14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
5a2f77aa2dd20ddc7eaf2337a3bd8b92

SHA1
6fbd7889e27ccbc0bcb6b168d907a6f6d8269d82

SHA256
db117393063264e5949dbc61c118c0cc16444a6601dd1c940eedaa5c5435e817

SHA512
c1b955ee5b39e986197f157463f119d323042f97c7cc7f8095f0b6ef35c2d4ee43d9a7dd0e58a7aa194909150b1218d29041831afafaffa189cea6730fb4ddcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c7825cff34a2d8917c5c087bc3b72750

SHA1
8e64f83100aeb1a634b6484f8b78751da89d5e09

SHA256
7e3129657b40a7dd58454ec748eb855d5d0deb2edab7cc57319723a533ac73d5

SHA512
445db51f80321ed0066b3ceec8b56f982aa6cc1e709924df73fd3418f9e2e8da993d79bbd2aff5037450025fa9c8536282532fc395a226abee8058a2c14183a4

Download Submit
C:\temp\Micrsoft Word.exe

Filesize
700KB

MD5
4dc0bcdcfb3f3d794175b21872a76079

SHA1
148aa40c7a14c87fc9c326396b2041223a27308a

SHA256
533ef10438f29b8f38bbe15f14e7377edfd530b15d41e2f001859ed00fdc9054

SHA512
c1953b4198bf046a83d8c0fab0faf0539be8615524b6842b2ce8d51f3e6757e69b71e374c763bae4f610d1e60cce12dfb1fc1118e9095a90b8d519a6a1bcab8f

Download Submit
C:\temp\Word.doc

Filesize
54KB

MD5
2884d2ac372fd9dce678e539f247b18d

SHA1
f391f40f04f44326450a274867c1987ab7da2765

SHA256
230c808c8e60d25423da6a814430f40af90eaca995cd4f985191ad0356e6e00a

SHA512
d9328beb0e708f18e029b4f6dcd6ff6f5b2994efe5c31a01c185c55597542943230871a636d491c87c2b801fe4597796cf29dc8c50c0ed1b1b78c2610cfd3b5e

Download Submit
memory/1952-28-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-20-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/1952-30-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-32-0x00007FFCA6070000-0x00007FFCA6080000-memory.dmp

Filesize
64KB

Download
memory/1952-31-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-29-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-33-0x00007FFCA6070000-0x00007FFCA6080000-memory.dmp

Filesize
64KB

Download
memory/1952-26-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-25-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-24-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-23-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/1952-27-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-22-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-21-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-19-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/1952-16-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/1952-17-0x00007FFCE830D000-0x00007FFCE830E000-memory.dmp

Filesize
4KB

Download
memory/1952-18-0x00007FFCA82F0000-0x00007FFCA8300000-memory.dmp

Filesize
64KB

Download
memory/1952-101-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-100-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/1952-99-0x00007FFCE830D000-0x00007FFCE830E000-memory.dmp

Filesize
4KB

Download
memory/1952-98-0x00007FFCE8270000-0x00007FFCE8465000-memory.dmp

Filesize
2.0MB

Download
memory/2560-45-0x0000000000C80000-0x0000000000FE4000-memory.dmp

Filesize
3.4MB

Download
memory/2560-78-0x0000000000C80000-0x0000000000FE4000-memory.dmp

Filesize
3.4MB

Download
memory/2956-67-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-79-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-65-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-69-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-73-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-76-0x0000000000C80000-0x0000000000FE4000-memory.dmp

Filesize
3.4MB

Download
memory/2956-75-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-71-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download
memory/2956-63-0x0000000010000000-0x000000001004A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads