win.extreme_rat

Xtreme RAT

aka: ExtRat

Actor(s): Molerats


No curated description yet. From the references below: Xtreme RAT is a Windows remote-access trojan that has been delivered through malspam (RSA 2017) and email campaigns against Colombian targets (Symantec), analysed by malware.lu in 2012 and by FireEye in 2014; on this page it is attributed to Molerats. The signature strings in the rules below point to a keylogger component (`XtremeKeylogger`), a binder (`XTREMEBINDER`), a registry key `SOFTWARE\XtremeRAT` and a version marker `myversion|3.5`. Note that the yara-signator rule was generated from unpacked / in-memory samples, so packed droppers on disk are not expected to match it.

References
https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html
https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html
https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017
https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat
Yara Rules
[TLP:WHITE] win_extreme_rat_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_extreme_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Code-sequence rule: 7 of 10 short x86 instruction runs lifted from
     *   unpacked / in-memory samples must be present. There is deliberately
     *   no MZ/PE or filesize anchor, because memory dumps lack a usable
     *   header; the flip side is that packed droppers on disk are not
     *   expected to match.
     * - In the per-string comments, "n" is the instruction count and "score"
     *   is yara-signator's internal ranking of the sequence; neither affects
     *   matching.
     * - Several sequences look like Borland/Delphi-compiled code (arguments
     *   passed in eax/edx/ecx, fs:[eax] SEH frame setup, the RTL Random()
     *   LCG in $sequence_8). That is an observation about the sample, not a
     *   matching requirement.
     * - $sequence_8 embeds an absolute data address (0x00C8A008), so it is
     *   tied to this sample's image base / layout; the 7-of-10 threshold is
     *   what absorbs such sample-specific sequences.
     */

    strings:
        // call; result compared with -1 (the value of INVALID_HANDLE_VALUE),
        // then the bytes FF FE (a UTF-16LE BOM) are stored into a stack buffer.
        // Looks like "open a file, start writing Unicode text"; the call target
        // is wildcarded, so the API is not confirmed.
        $sequence_0 = { e8???????? 8bf0 83feff 74?? c645d6ff c645d7fe 6a00 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   74??                 |                     
            //   c645d6ff             | mov                 byte ptr [ebp - 0x2a], 0xff
            //   c645d7fe             | mov                 byte ptr [ebp - 0x29], 0xfe
            //   6a00                 | push                0

        // Generic: (eax, 0) pushed for a call, result stored to a global
        // (wildcarded absolute address), then three zero arguments pushed for
        // the next call. Low specificity on its own.
        $sequence_1 = { 50 6a00 e8???????? a3???????? 6a00 6a00 6a00 }
            // n = 7, score = 300
            //   50                   | push                eax
            //   6a00                 | push                0
            //   e8????????           |                     
            //   a3????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0

        // Pushes (right-to-left) 4, 0x1000, eax, 0 and calls: consistent with
        // VirtualAlloc(NULL, size, MEM_COMMIT = 0x1000, PAGE_READWRITE = 4)
        // where size = edi + eax. Call target wildcarded; TODO confirm.
        $sequence_2 = { 03f8 8bc7 6a04 6800100000 50 6a00 e8???????? }
            // n = 7, score = 300
            //   03f8                 | add                 edi, eax
            //   8bc7                 | mov                 eax, edi
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   50                   | push                eax
            //   6a00                 | push                0
            //   e8????????           |                     

        // A local loaded into eax and edx zeroed right before a call, then a
        // conditional jump: consistent with Borland/Delphi register-argument
        // calling (first arg eax, second arg edx = 0).
        $sequence_3 = { 6a00 e8???????? 8b45fc 33d2 e8???????? 0f8????????? }
            // n = 6, score = 300
            //   6a00                 | push                0
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   33d2                 | xor                 edx, edx
            //   e8????????           |                     
            //   0f8?????????         |                     

        // Three values pushed (eax plus two globals at wildcarded addresses),
        // a call, then the address of a ~0x33a-byte stack buffer is taken.
        $sequence_4 = { 50 a1???????? 50 a1???????? 50 e8???????? 8d85c6fcffff }
            // n = 7, score = 300
            //   50                   | push                eax
            //   a1????????           |                     
            //   50                   | push                eax
            //   a1????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d85c6fcffff         | lea                 eax, [ebp - 0x33a]

        // 0xC0000000 is GENERIC_READ | GENERIC_WRITE; together with a global
        // pushed after it and the result stored to a global, this looks like a
        // CreateFile-style open whose handle is kept in a global. Earlier
        // arguments are outside the sequence; TODO confirm against a sample.
        $sequence_5 = { 68000000c0 a1???????? 50 e8???????? a3???????? }
            // n = 5, score = 300
            //   68000000c0           | push                0xc0000000
            //   a1????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   a3????????           |                     

        // Boolean-returning call (test al, al), then two locals are checked
        // against zero. Generic control flow; weak on its own.
        $sequence_6 = { e8???????? 84c0 0f8????????? 837df400 75?? 837df000 }
            // n = 6, score = 300
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f8?????????         |                     
            //   837df400             | cmp                 dword ptr [ebp - 0xc], 0
            //   75??                 |                     
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0

        // Installs an SEH frame through fs:[eax] (eax presumably 0 here), the
        // idiom Delphi emits for try/finally/except, then calls with
        // (0, esi, &local) pushed. Note that this idiom is shared by every
        // Delphi binary; only the surrounding bytes make it specific.
        $sequence_7 = { 64ff30 648920 8d45f8 50 56 6a00 e8???????? }
            // n = 7, score = 300
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   56                   | push                esi
            //   6a00                 | push                0
            //   e8????????           |                     

        // Linear congruential generator: seed = seed * 0x8088405 + 1, then the
        // high half of (range * seed) is returned. This matches the Delphi RTL
        // Random(Range) implementation. The seed lives at the ABSOLUTE address
        // 0x00C8A008 (ebx is zeroed first), so this sequence is specific to
        // this sample's image base / data layout and may not match rebuilds.
        $sequence_8 = { 31db 699308a0c80005840808 42 899308a0c800 f7e2 89d0 }
            // n = 6, score = 300
            //   31db                 | xor                 ebx, ebx
            //   699308a0c80005840808     | imul    edx, dword ptr [ebx + 0xc8a008], 0x8088405
            //   42                   | inc                 edx
            //   899308a0c800         | mov                 dword ptr [ebx + 0xc8a008], edx
            //   f7e2                 | mul                 edx
            //   89d0                 | mov                 eax, edx

        // Two calls prepared with register arguments (eax/ecx/edx), both
        // using the constant 0x228 (552); the meaning of 0x228 is not
        // established by the bytes alone (presumably a buffer/record size).
        $sequence_9 = { 8bc3 b928020000 e8???????? 8d45fc b928020000 ba01000000 }
            // n = 6, score = 300
            //   8bc3                 | mov                 eax, ebx
            //   b928020000           | mov                 ecx, 0x228
            //   e8????????           |                     
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   b928020000           | mov                 ecx, 0x228
            //   ba01000000           | mov                 edx, 1

    condition:
        // 7 of the 10 sequences must be present. The slack tolerates compiler
        // or layout-dependent misses (e.g. $sequence_8) while still requiring
        // a majority of the sample-derived code runs.
        7 of them
}
[TLP:WHITE] win_extreme_rat_w0   (20170517 | Xtrem RAT v3.5)
rule win_extreme_rat_w0 {
    meta:
        author = "Jean-Philippe Teissier / @Jipe_"
        description = "Xtrem RAT v3.5"
        date = "2012-07-12"
        version = "1.0"
        filetype = "memory"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/xTremRat.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Written for memory images (filetype = "memory"): every string is
        // UTF-16LE ("wide"), as the unpacked RAT keeps them.

        // Upper-case markers; presumably command / protocol tokens, but that is
        // not established here.
        $tok_xtreme       = "XTREME" wide
        $tok_binder       = "XTREMEBINDER" wide
        $tok_start_server = "STARTSERVERBUFFER" wide
        $tok_update       = "XTREMEUPDATE" wide

        // Registry path and component name used by the implant.
        $reg_key          = "SOFTWARE\\XtremeRAT" wide
        $cmp_keylogger    = "XtremeKeylogger" wide

        // Version marker pinning the 3.5 release this rule was written for.
        $ver_35           = "myversion|3.5" wide

        // Product name in any letter case.
        $name_rat         = "xtreme rat" wide nocase

    condition:
        // Any two of the eight strings. Caveat for triage: $tok_xtreme and
        // $name_rat are also found in AV / research text, so a hit made of
        // only those two deserves a second look.
        2 of them
}
[TLP:WHITE] win_extreme_rat_w1   (20170517 | XtremeRAT)
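rule win_extreme_rat_w1 {
    meta:
        description = "XtremeRAT"
        author = "Seth Hardy <seth.hardy@utoronto.ca>"
        last_modified = "2014-07-09"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/xTremRat.yar"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // call rel32; fstp st(0): a float-returning call whose result is
        // discarded. This occurs in a great deal of ordinary compiled code and
        // is only meaningful in combination with $code2.
        $code1 = { E8 ?? ?? ?? ?? DD D8 }
        // Stack-built string: five `mov byte ptr [ebp+disp32], imm8` stores
        // whose immediates are 'M','p','d','b','m' (0x4D 0x70 0x64 0x62 0x6D).
        // The displacements are wildcarded, so the frame layout may vary.
        $code2 = { C6 85 ?? ?? ?? ?? 4D C6 85 ?? ?? ?? ?? 70 C6 85 ?? ?? ?? ?? 64 C6 85 ?? ?? ?? ?? 62 C6 85 ?? ?? ?? ?? 6D }
        // Unusual literal from the sample; specific enough to match alone.
        $str1 = "dqsaazere"
        // GCC / TDM-MinGW runtime identification string. This is a toolchain
        // artifact, presumably present in any binary linked against that
        // libgcc build, so by itself it is not evidence of XtremeRAT.
        $str2 = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32"

    condition:
        // The original condition was `all of ($code*) or any of ($str*)`,
        // which let the toolchain string $str2 fire on its own and therefore
        // on benign MinGW/TDM-GCC binaries. $str2 now only counts together
        // with the stack-string construction; $str1 alone and the code-pattern
        // pair still match exactly as before.
        all of ($code*) or $str1 or ($str2 and $code2)
}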