xtremerat

General

Target

239a6e9d655f69032bdcd8e0dd05335c82cd866713a2a39453783e5d4b42668a
Size

224KB
Sample

221020-mh1hnahga5
MD5

a05e9c78f9d6d317f8faaa3f28f7e3ad
SHA1

51172978c5b97718a1d3a15fb645f685e2be8711
SHA256

239a6e9d655f69032bdcd8e0dd05335c82cd866713a2a39453783e5d4b42668a
SHA512

f01d16d010244105957b4ddda81c7ef061dc06875b12257954564d53f07eea43320077788a14d12cfd6ee1fef608d93f27731266f80ecc44f8bab6d4d6ee6223
SSDEEP

1536:dwYL9p89qvUhhhhhOjY1CnhMZhmbQtahhhhhhhhhhhhhhfER+TIlyX8JWLAdKP0z:KynfS

Score

10^/10

Malware Config

Extracted

Family

xtremerat

C2

sajenhaker.no-ip.info

Targets

- Target
  
  239a6e9d655f69032bdcd8e0dd05335c82cd866713a2a39453783e5d4b42668a
- Size
  
  224KB
- MD5
  
  a05e9c78f9d6d317f8faaa3f28f7e3ad
- SHA1
  
  51172978c5b97718a1d3a15fb645f685e2be8711
- SHA256
  
  239a6e9d655f69032bdcd8e0dd05335c82cd866713a2a39453783e5d4b42668a
- SHA512
  
  f01d16d010244105957b4ddda81c7ef061dc06875b12257954564d53f07eea43320077788a14d12cfd6ee1fef608d93f27731266f80ecc44f8bab6d4d6ee6223
- SSDEEP
  
  1536:dwYL9p89qvUhhhhhOjY1CnhMZhmbQtahhhhhhhhhhhhhhfER+TIlyX8JWLAdKP0z:KynfS
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect XtremeRAT payload

Modifies Installed Components in the registry

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2