General

  • Target

    4f01b9e2f9f4931d83145b02dca0c2cfda4d170fe2f7a1c179038c29c7385ebc

  • Size

    324KB

  • Sample

    221122-y1a69sff63

  • MD5

    d864cbadc1bc50bdde428f2da344a587

  • SHA1

    520bca2211138e07c2e4f35f68577be66814154f

  • SHA256

    4f01b9e2f9f4931d83145b02dca0c2cfda4d170fe2f7a1c179038c29c7385ebc

  • SHA512

    39b6d1d8689e6ab2f3d525f2eb0d7229b5a6420c3816bfe2a391196de652f2195b7f817e1dae6f4fd9cef63dc674ecf071e4ef7587526088c0f48a7a721113e6

  • SSDEEP

    3072:fyRhFjcGcqCksRp9IILZ9U652V4l4aAeHjw68Ywajih0aU4nWcqCksRp9IILZ9Up:aXFjc/jUEFPYjUEFPRa

Malware Config

Extracted

Family

xtremerat

C2

oudy.no-ip.biz

Targets

    • Detect XtremeRAT payload

    • Modifies WinLogon for persistence

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Adds policy Run key to start application

    • Modifies Installed Components in the registry

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks