{
	"id": "80992522-decd-4cf6-9cef-73f64e7955b7",
	"created_at": "2026-04-06T00:14:43.232559Z",
	"updated_at": "2026-04-10T13:13:04.31803Z",
	"deleted_at": null,
	"sha1_hash": "3b78c69a303ab03fe38b7cc6a712cc290086f23e",
	"title": "Malware.lu - Xtreme RAT analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 326037,
	"plain_text": "Malware.lu - Xtreme RAT analysis\r\nArchived: 2026-04-05 14:43:01 UTC\r\nWe received an email with an invoice from Apple (in French).\r\nOf course we never bought anything from Apple!!!!\r\nThe link of the invoice seems to be: http://www.apple.com/clients/download/facture50522231823v.zip\r\nBut when we put our mouse on the link we can see the real link:\r\nhttp://editionslabonte.com/plugins/Facture147778.zip\r\nWe think that the website “editionslabonte.com” was compromised and the attacker put the malware on it. We\r\nsent an email to the administrator and we have not received a reply for the moment.\r\nA debugger for dynamic analysis (in our case OllyDbg)\r\nLordPE in order to dump a memory page\r\nVolatility in order to analyse the memory dump\r\nZip archive\r\nThe md5 of the archive is e0aa33dc57aa3eee43cb61933eb3241c.\r\nVirustotal score: 5/42\r\nSo we downloaded the .zip file.\r\nrootbsd@alien:~/Samples$ unzip -l Facture147778.zip\r\nArchive: Facture147778.zip\r\n Length Date Time Name\r\n--------- ---------- ----- ----\r\n176128 2012-07-14 03:05 Facture147778.pdf .scr\r\n--------- -------\r\n 176128 1 file\r\nhttps://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html\r\nPage 1 of 12\n\nThe .zip contains one file. 
To trick the user, the attacker adds several spaces before the extension .scr, so some users\r\nmay think that the file is really a .pdf.\r\nFirst binary\r\nrootbsd@alien:~/Samples$ yara -r packer.yara Facture147778.pdf\\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ .scr\r\njava Facture147778.pdf .scr\r\nNETexecutableMicrosoft Facture147778.pdf .scr\r\nThe file is a .NET binary.\r\nWith the strings command, we find something that looks like base64.\r\nWe extract the base64:\r\nrootbsd@alien:~/Samples$ cat base64.dmp\r\n[...]\r\nWe decode this file.\r\nrootbsd@alien:~/Samples$ cat base64.dmp | base64 -d \u003e base64.out\r\nrootbsd@alien:~/Samples$ file base64.out\r\nbase64.out: PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nThis base64 is a PE32 executable.\r\nSecond binary\r\nWe use yara to identify the binary:\r\nrootbsd@alien:~/Samples$ yara -r packer.yara base64.out\r\nrootbsd@alien:~/Samples$\r\nThis binary doesn’t use a well-known packer. 
So we decided to unpack it manually.\r\nTo unpack it, we use OllyDbg.\r\nWe were surprised by a lot of exceptions when we tried to debug the sample.\r\nIn fact this malware deliberately raises and traps exceptions in order to unpack itself.\r\nSo as usual, we add breakpoints on the VirtualAlloc \u0026 VirtualAllocEx calls:\r\nView\r\nExecutable modules\r\nright click on kernel32.dll -\u003e View names\r\nF2 on VirtualAlloc \u0026 VirtualAllocEx\r\nNow we run the malware with F9.\r\nA lot of exceptions must be passed; use Shift+F9 to pass them.\r\nNow the application breaks at kernel32.VirtualAllocEx:\r\nExecute the binary until the next RET with Ctrl+F9.\r\nNow we can see the address of the allocated memory in the EAX register: 0x40B61B.\r\nRight click on the EAX value, and click on “Follow in dump”.\r\nWe can see a PE value in the bottom left. If we scroll we can see the complete MZ header:\r\nNow we can use LordPE to make a partial dump:\r\nlaunch LordPE\r\nright click on the process\r\nDump partial\r\nset the start address to 40B51B\r\nset the size to 411000 - 40B51B = 5AE5\r\nNow we have a binary with the md5: 18e5ff1d0610341257f33e6fefe4f9a7\r\nThird binary\r\nWe used yara to identify the binary:\r\nrootbsd@alien:~/Samples$ yara -r packer.yara base64.stage2.dmp\r\nUPXv20MarkusLaszloReiser base64.stage2.dmp\r\nUPXV200V290MarkusOberhumerLaszloMolnarJohnReiser base64.stage2.dmp\r\nUPX20030XMarkusOberhumerLaszloMolnarJohnReiser base64.stage2.dmp\r\nThe binary is simply packed with UPX.\r\nrootbsd@alien:~/Samples$ upx -o base64.stage2.exe -d base64.stage2.dmp\r\n Ultimate Packer for eXecutables\r\n Copyright (C) 1996 - 2010\r\nUPX 3.07 Markus Oberhumer, Laszlo Molnar \u0026 John Reiser Sep 08th 2010\r\n File size Ratio Format Name\r\n -------------------- ------ ----------- -----------\r\n 46821 \u003c- 23269 49.70% win32/pe 
base64.stage2.exe\r\nUnpacked 1 file.\r\nrootbsd@alien:~/Samples$ file base64.stage2.exe\r\nbase64.stage2.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit\r\nWe have got the final binary.\r\nFourth binary\r\nWe easily identify a well-known RAT:\r\nrootbsd@alien:~/Samples$ strings -el base64.stage2.exe | grep RAT\r\nXtreme RAT SOFTWARE\\XtremeRAT\r\nAfter a quick search on Google, we discovered that the RAT can be bought here:\r\nhttps://sites.google.com/site/nxtremerat/.\r\nThe second interesting thing is the fact that the RAT is used in Syria:\r\nhttps://www.eff.org/deeplinks/2012/03/how-find-syrian-government-malware-your-computer-and-remove-it/\r\nWe can use 3 methods to analyse the binary: the simple method, the semi talented method and the full talented method.\r\nSimple\r\nWe execute it, and launch netstat.exe on Windows. The IP of the C\u0026C is 41.103.186.12 and the port is 2013.\r\nIt’s an IP from Alger:\r\nrootbsd@alien:~/Samples$ whois 41.103.186.12\r\n% This is the AfriNIC Whois server.\r\n% Note: this output has been filtered.\r\n%Information related to '41.103.0.0 - 41.103.255.255'\r\ninetnum: 41.103.0.0 - 41.103.255.255\r\nnetname: RegAlg1\r\ndescr: Region Alger 1\r\ncountry: DZ\r\nadmin-c: SD6-AFRINIC\r\ntech-c: SD6-AFRINIC\r\nstatus: ASSIGNED PA\r\nmnt-by: DJAWEB-MNT\r\nsource: AFRINIC # Filtered\r\nparent: 41.96.0.0 - 41.111.255.255\r\nperson: Security Departement\r\naddress: Alger\r\nphone: +21321922004\r\nfax-no: +21321922004\r\ne-mail: security@djaweb.dz\r\nnic-hdl: SD6-AFRINIC\r\nsource: AFRINIC # Filtered\r\nTo be persistent, the malware adds a value (antivirus) under the registry key:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe malware is stored at: C:\\Windows\\Browser\\Web.exe\r\nA configuration file is available here: C:\\Documents and 
Settings\\rootbsd\\Application Data\\Microsoft\\Windows\\S5tVn.cfg\r\nSemi talented\r\nWe can also analyse the binary from a memory dump of the infected machine. We use Volatility to analyse the dump:\r\nrootbsd@alien:~/Samples$ volatility/vol.py -f output pslist\r\nVolatile Systems Volatility Framework 2.0\r\n Offset(V) Name PID PPID Thds Hnds Time\r\n---------- -------------------- ------ ------ ------ ------ -------------------\r\n0x812ed020 System 4 0 54 247 1970-01-01 00:00:00\r\n0xffbaeb10 smss.exe 368 4 3 19 2012-05-21 15:20:54\r\n0x811248e0 csrss.exe 584 368 10 379 2012-05-21 15:20:54\r\n0x81197248 winlogon.exe 608 368 21 514 2012-05-21 15:20:54\r\n0x811275a8 services.exe 652 608 16 253 2012-05-21 15:20:54\r\n0x8112d7e0 lsass.exe 664 608 23 338 2012-05-21 15:20:54\r\n0xffbd7a78 VBoxService.exe 820 652 8 106 2012-05-21 15:20:54\r\n0x81180c30 svchost.exe 864 652 19 197 2012-05-21 06:20:56\r\n0x811a6b28 svchost.exe 952 652 9 237 2012-05-21 06:20:56\r\n0xffac4218 svchost.exe 1044 652 79 1367 2012-05-21 06:20:56\r\n0xffabbd08 svchost.exe 1092 652 6 76 2012-05-21 06:20:56\r\n0x8116cda0 svchost.exe 1132 652 13 172 2012-05-21 06:20:56\r\n0x8112eca8 spoolsv.exe 1544 652 14 111 2012-05-21 06:20:57\r\n0xffa93b00 explorer.exe 1556 1504 17 477 2012-05-21 06:20:57\r\n0x8112fda0 VBoxTray.exe 1700 1556 6 58 2012-05-21 06:20:57\r\n0xffb95da0 svchost.exe 1904 652 4 106 2012-05-21 06:21:05\r\n0xffa01a98 alg.exe 1076 652 6 107 2012-05-21 06:21:09\r\n0x81178278 wscntfy.exe 1188 1044 1 31 2012-05-21 06:21:11\r\n0x81188da0 wuauclt.exe 1956 1044 8 180 2012-05-21 06:21:51\r\n0x811323c0 wuauclt.exe 248 1044 4 133 2012-05-21 06:22:05\r\n0x8119ada0 svchost.exe 2000 1488 2 41 2012-07-20 19:15:47\r\n0x8118b888 svchost.exe 1404 1488 8 188 2012-07-20 19:15:47\r\nThe last two svchost.exe processes are strange. 
Their start date does not match the rest of the system.\r\nWhen we list the DLLs we can see that the malware has renamed itself to svchost.exe:\r\nrootbsd@alien:~/Samples$ ../Pentest/volatility/vol.py -f output -p 2000 dlllist\r\nVolatile Systems Volatility Framework 2.0\r\n************************************************************************\r\nsvchost.exe pid: 2000\r\nCommand line : svchost.exe\r\nService Pack 3\r\nBase Size Path\r\n0x00400000 0x038000 E:\\essai\\svchost.exe\r\n0x7c900000 0x0b2000 C:\\WINXP\\system32\\ntdll.dll\r\n0x7c800000 0x0f6000 C:\\WINXP\\system32\\kernel32.dll\r\n0x7e410000 0x091000 C:\\WINXP\\system32\\user32.dll\r\n0x77f10000 0x049000 C:\\WINXP\\system32\\GDI32.dll\r\n0x76390000 0x01d000 C:\\WINXP\\system32\\IMM32.DLL\r\n0x77dd0000 0x09b000 C:\\WINXP\\system32\\ADVAPI32.dll\r\n0x77e70000 0x093000 C:\\WINXP\\system32\\RPCRT4.dll\r\n0x77fe0000 0x011000 C:\\WINXP\\system32\\Secur32.dll\r\n0x7c9c0000 0x818000 C:\\WINXP\\system32\\shell32.dll\r\n0x77c10000 0x058000 C:\\WINXP\\system32\\msvcrt.dll\r\n0x77f60000 0x076000 C:\\WINXP\\system32\\SHLWAPI.dll\r\n0x773d0000 0x103000 C:\\WINXP\\WinSxS\\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x\r\n0x5d090000 0x09a000 C:\\WINXP\\system32\\comctl32.dll\r\nWe make a memory dump of the process 1404:\r\nrootbsd@alien:~/Samples$ volatility/vol.py -f output -p 1404 memdump -D .\r\nVolatile Systems Volatility Framework 2.0\r\n************************************************************************\r\nWriting svchost.exe [ 1404] to 1404.dmp\r\nIn the .dmp we have got all the necessary information:\r\nrootbsd@alien:~/Samples$ strings -a 1404.dmp | grep http://\r\n[...]\r\nhttp://baloobadjamel.hopto.org:2013/1234567890.functions\r\n[...]\r\nrootbsd@alien:~/Samples$ nslookup baloobadjamel.hopto.org\r\nServer: 192.168.0.254\r\nAddress: 192.168.0.254#53\r\nNon-authoritative answer:\r\nName: baloobadjamel.hopto.org\r\nAddress: 
41.103.186.12\r\nAnd we find the IP.\r\nWe hope that Djamel Baloodad is not the real name of the owner of the C\u0026C ;)\r\nTalented\r\nWe open the final binary in IDA.\r\nTo help you, the .idb can be found here\r\nAt loc_C889C9, we find two functions: sub_C93B1C (loadConfigResource) and sub_C82914 (decodeConfig).\r\nThe first function extracts a resource. This resource is the config file (in this case S5tVn.cfg).\r\nThe second function decodes the configuration file. Two interesting arguments are passed to the function: the\r\noffset of the config file \u0026 the word “CONFIG” (in Unicode).\r\nThis function is composed of 3 loops. This kind of layout looks like RC4:\r\n2 loops for the KSA (key-scheduling algorithm)\r\n1 loop for the PRGA (pseudo-random generation algorithm).\r\nThe first loop:\r\nThe second loop:\r\nAnd the final loop:\r\nSo the config file is encrypted with RC4 with the key “CONFIG”.\r\nTo perform the RC4 key schedule we need the length of the key. To get this size the developer wrote his own\r\nfunction sub_C81AF8 (StringLen), but this function does not support Unicode: it returns 6 and not 12. 
So we must\r\nreproduce this bug in our tool to decrypt the config file.\r\nA script to decode the config file is available here\r\nrootbsd@alien:~/Samples$ ./xtremerat_config.py xtreme.exe | strings -el\r\nbaloobadjamel.hopto.org\r\nSpam2013\r\nteSpam2013\r\nWeb.exe\r\nBrowser\r\nsvchost.exe\r\nAntivirus\r\nAntivirus\r\n P8CWY65J-GY7I-CD3S-7K6Q-BD3A60R037L3\r\nServer\r\n3.5 Private\r\nS5tVn\r\nS5tVnEXIT\r\nS5tVnPERSIST\r\nftp.ftpserver.com\r\npData\\Local\r\nftpuser\r\nftppass\r\nError\r\nivateAn unexpected error occurred when starting the program.\r\nPlease try again later.\r\nWe can already see the C\u0026C, the port, etc…\r\nWe are still working on the format of the configuration file; for the moment we have identified this layout:\r\nrootbsd@alien:~/Samples$ ./xtremerat_config.py -d xtreme.exe\r\nname10: 3.5 PrivateS5tV\r\nname11: st�S5tVnEXI\r\nname6: Antivirus\r\nname7: Antivirus\r\nhost: baloobadjamel.hopto.org\r\nnum: 101\r\nname2: teSpam2013\r\nname3: Web.exe\r\nport: 2013\r\nname8: P8CWY65J-GY7I-CD3S-7K6Q-BD3A60R037L3\r\nname9: Server\r\nname: Spam2013\r\nname4: Browser\r\nname5: svchost.exe\r\nSource: https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html"
	],
	"report_names": [
		"xtreme-rat-analysis.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b78c69a303ab03fe38b7cc6a712cc290086f23e.pdf",
		"text": "https://archive.orkl.eu/3b78c69a303ab03fe38b7cc6a712cc290086f23e.txt",
		"img": "https://archive.orkl.eu/3b78c69a303ab03fe38b7cc6a712cc290086f23e.jpg"
	}
}