xtremerat | efff17caa85cf12923caa783477206e90197fabecae18e2f719400207483323d

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
Size

1.3MB
MD5

ee2137ca6fc3ad1710e1ad4fd0419625
SHA1

4f9e275901f9a2d65512a793422c316cd0f74361
SHA256

efff17caa85cf12923caa783477206e90197fabecae18e2f719400207483323d
SHA512

bef89fc269a7ca3a3f731e921a26869f134448323dcc4520ce12908623b85255541744e17614a8c0d937f0b1603f3c351c290e5d027aefaa94199050c4c4f041
SSDEEP

24576:LFE//Tct4bOski47Ersh4TP96Rw9PsbgwRe6aegxiu32exMfAmULP:hSVkv7qsWP96cPQRe6Ru322MImU7

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

godfathergos123.no-ip.biz

Signatures

Detect XtremeRAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2712-47-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2712-46-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat
behavioral1/memory/2712-53-0x0000000010000000-0x000000001004D000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Executes dropped EXE 4 IoCs

pid	Process
2072	bebers.exe
2852	MP3Cutter.exe
2712	bebers.exe
2800	is-6SVJH.tmp

Loads dropped DLL 10 IoCs

pid	Process
2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
2072	bebers.exe
2852	MP3Cutter.exe
2852	MP3Cutter.exe
2852	MP3Cutter.exe
2852	MP3Cutter.exe
2800	is-6SVJH.tmp
2800	is-6SVJH.tmp

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2448-28-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2712	2072	bebers.exe	33

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2448-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2448-28-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/2712-38-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2712-35-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2712-34-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2712-47-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2712-46-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2712-45-0x0000000010000000-0x000000001004D000-memory.dmp	upx
behavioral1/memory/2712-53-0x0000000010000000-0x000000001004D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-6SVJH.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bebers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MP3Cutter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bebers.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2072	bebers.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2072	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2072	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2072	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2072	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2448 wrote to memory of 2852	2448	ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe	32
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2072 wrote to memory of 2712	2072	bebers.exe	33
PID 2712 wrote to memory of 2276	2712	bebers.exe	34
PID 2712 wrote to memory of 2276	2712	bebers.exe	34
PID 2712 wrote to memory of 2276	2712	bebers.exe	34
PID 2712 wrote to memory of 2276	2712	bebers.exe	34
PID 2712 wrote to memory of 2276	2712	bebers.exe	34
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35
PID 2852 wrote to memory of 2800	2852	MP3Cutter.exe	35

C:\Users\Admin\AppData\Local\Temp\ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee2137ca6fc3ad1710e1ad4fd0419625_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\bebers.exe
  C:\Users\Admin\AppData\Local\Temp/bebers.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\bebers.exe
    C:\Users\Admin\AppData\Local\Temp\bebers.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2276
- C:\Users\Admin\AppData\Local\Temp\MP3Cutter.exe
  C:\Users\Admin\AppData\Local\Temp/MP3Cutter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\is-1GN1V.tmp\is-6SVJH.tmp
    C:\Users\Admin\AppData\Local\Temp\is-1GN1V.tmp\is-6SVJH.tmp /SL4 $D0152 C:\Users\Admin\AppData\Local\Temp\MP3Cutter.exe 949089 68096
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MP3Cutter.exe

Filesize
935KB

MD5
433d89ab2e25de2c4df585d9de3d8826

SHA1
504f78c9527088dc638f0f100b3593081d2277f2

SHA256
6f24345093fb88cc2299f15aa7ce53d98bf6f9781e737bb6b0d7c4437b300449

SHA512
8bf1f2c748880bc20815a2cee27e9f935296adb227c04b24d62fc973098e7d7ac43dde5da9f92e6a128d2346fa2ce6c8e106512ddfc28d2ab7243d1b9f01c673

Download Submit
C:\Users\Admin\AppData\Local\Temp\bebers.exe

Filesize
70KB

MD5
9dc2f8113a65f305d8ce70b387b5b5b8

SHA1
d6261cbdacafa66fdef41f57c2c7a1dfa47f98ee

SHA256
797020db930f76f9f5cf236a8b21b66d1c578143eaf41f393210fd64551ecfdd

SHA512
038841ff2d3022391e762bb2db1e58cb842eba7dc32e68bfd399b59acbd9bb1c36acd44eeffa33396da2b7fa751cff0d4ac6fb914ab42cc316173d7bdeee71b2

Download Submit
\Users\Admin\AppData\Local\Temp\is-1GN1V.tmp\is-6SVJH.tmp

Filesize
550KB

MD5
f8af304447fc04618285f448d0651220

SHA1
ec2dd2c8b931501f977eefef5449b37373734415

SHA256
f0678194ef4b80ed8ec73ef78e5dff621c2602df47fb90e43800b6ab30c33d59

SHA512
c2e4cca9a38c8a5616936b2c643596c6125782bf32619eb9e890f9a7b4a293504151b22478e308656f43fc30e7ba4d9859e1a8ac1aba5e72169b8ded7cf39289

Download Submit
\Users\Admin\AppData\Local\Temp\is-D7F4U.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2072-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2072-43-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2072-40-0x0000000000330000-0x0000000000362000-memory.dmp

Filesize
200KB

Download
memory/2448-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2448-28-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2448-19-0x0000000003A00000-0x0000000003A32000-memory.dmp

Filesize
200KB

Download
memory/2448-18-0x0000000003A00000-0x0000000003A32000-memory.dmp

Filesize
200KB

Download
memory/2712-38-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-35-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-34-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-33-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-47-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-46-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-45-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2712-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-41-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2712-53-0x0000000010000000-0x000000001004D000-memory.dmp

Filesize
308KB

Download
memory/2800-74-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-80-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-94-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-67-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-69-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-72-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-92-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-76-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-78-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-90-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-82-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-84-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-86-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2800-88-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2852-55-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2852-51-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2852-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download