General

  • Target

    437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab

  • Size

    2.3MB

  • Sample

    221122-yz9y7sff62

  • MD5

    f942983eab75ee4330bd2af72bc61c47

  • SHA1

    d4cbf2557d58e759409eb8190000b8d88cc95593

  • SHA256

    437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab

  • SHA512

    47882b6b94431b5481c14efb1dcdc25de783ff3d936b677c051a6a993049bf280ae22697863ee88641405b654bbf0134487e23ade4520d7e9e48ed2b5704aaf6

  • SSDEEP

    49152:nJKU16q0aQudo82qcMrUMpaOgxGUwWvrGGNa8WH3yxeLOcsKRRA+:Jrr1u82qcZMptWbPvrGG08WHi4LOvKRv

Malware Config

  • Extracted

    Family

    xtremerat

    C2

    zaetoona.ignorelist.com

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6