General

  • Target

    545db24961a2e96ce9ad8c202b4a7b44e6d625feaabff7ced60ccffb8e4e81cc

  • Size

    555KB

  • Sample

    221122-y1srbaff83

  • MD5

    2d996bf8b4d9193a83089eef92c3cf97

  • SHA1

    298c7901f97ea9df2d152f04bb0da959047894af

  • SHA256

    545db24961a2e96ce9ad8c202b4a7b44e6d625feaabff7ced60ccffb8e4e81cc

  • SHA512

    17753f66afc7e83e2e44a2f93a992cffa6eacc480f59404d3c23e11d154f40d294db201e818071e2b7a32a951c8850778ecfb46761974de80b019ec1dd6094ea

  • SSDEEP

    12288:c6Wq4aaE6KwyF5L0Y2D1PqLUodnFAWTC9wLka77h0fN8tO47IcIl:athEVaPqLbPTSY/0fR4fO

Malware Config

Extracted

Family

xtremerat

C2

썹嚫ᄀ蠀C:\Prograp1215.servemp3.com

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
