General
Target: 437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab
Size: 2.3MB
Sample: 221122-yz9y7sff62
MD5: f942983eab75ee4330bd2af72bc61c47
SHA1: d4cbf2557d58e759409eb8190000b8d88cc95593
SHA256: 437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab
SHA512: 47882b6b94431b5481c14efb1dcdc25de783ff3d936b677c051a6a993049bf280ae22697863ee88641405b654bbf0134487e23ade4520d7e9e48ed2b5704aaf6
SSDEEP: 49152:nJKU16q0aQudo82qcMrUMpaOgxGUwWvrGGNa8WH3yxeLOcsKRRA+:Jrr1u82qcZMptWbPvrGG08WHi4LOvKRv
Static task: static1
Behavioral task: behavioral1
Sample: 437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab.exe
Resource: win7-20220812-en
Malware Config
Extracted
Family: xtremerat
C2 (extracted): zaetoona.ignorelist.com
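To make the report's indicators directly usable, the following script (an added example, not part of the original sandbox report or of any tooling behind it) verifies a local file against the hash set published above and searches its printable ASCII and UTF-16LE strings for the extracted C2 host. The hashes and the host are copied from the report; the file path argument and the CONSTRUCTED_SAMPLE bytes used when no path is given are assumptions for demonstration only, not the real sample. SSDEEP is not recomputed because it needs the external ssdeep extension.

```python
"""Check a file against the report's hash set and look for the C2 host in its strings.

Added example; report hashes and C2 host copied from the page above. The
stand-in bytes below are constructed so the script runs offline.
"""
import hashlib
import re
import sys

# Values copied from the sandbox report above.
REPORT_HASHES = {
    "md5": "f942983eab75ee4330bd2af72bc61c47",
    "sha1": "d4cbf2557d58e759409eb8190000b8d88cc95593",
    "sha256": "437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab",
    "sha512": "47882b6b94431b5481c14efb1dcdc25de783ff3d936b677c051a6a993049bf28"
              "0ae22697863ee88641405b654bbf0134487e23ade4520d7e9e48ed2b5704aaf6",
}
C2_HOST = "zaetoona.ignorelist.com"

# Constructed stand-in (assumption): a fake PE-like blob containing the host
# as an ASCII string and as a UTF-16LE string. NOT the real sample.
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + C2_HOST.encode("ascii") + b"\x00" * 8
    + C2_HOST.encode("utf-16-le") + b"\x00" * 8
)


def digests(data: bytes) -> dict:
    """Compute every digest the report publishes (md5, sha1, sha256, sha512)."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def verify(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Return {algorithm: True/False} telling which published hashes match `data`."""
    actual = digests(data)
    return {name: actual[name] == expected[name].lower() for name in expected}


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least `min_len` bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def wide_strings(data: bytes, min_len: int = 6) -> list:
    """Printable UTF-16LE runs (Delphi/Windows binaries often store hosts this way)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def find_c2(data: bytes, host: str = C2_HOST) -> bool:
    """True if the extracted C2 host appears in the ASCII or UTF-16LE strings."""
    return any(host in s for s in ascii_strings(data) + wide_strings(data))


def main(argv: list) -> int:
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:       # path is an assumption; any local file
            data = fh.read()
    else:
        data = CONSTRUCTED_SAMPLE             # offline demo on the constructed blob
    for name, ok in verify(data).items():
        print(f"{name:7s} {'MATCH' if ok else 'no match'}")
    print("C2 host present:", find_c2(data))
    # Exit 0 only when the SHA256 matches the report, so this can gate a pipeline.
    return 0 if verify(data)["sha256"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_sample.py path/to/file` to compare an artifact you hold against the report; the exit status is 0 only on a SHA256 match, so it can gate an automated triage step. A string hit on the host without a hash match is worth following up separately, since XtremeRAT builders reuse dynamic-DNS hosts across builds and the report only vouches for this one hash set.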
Targets
Target: 437b11beab07fde500e8284f0445a71d3139c35a17772fae38575963dbe065ab
- Detect XtremeRAT payload
- XtremeRAT
  XtremeRAT was developed by "xtremecoder", has been available since at least 2010, and is written in Delphi.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Drops startup file
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of NtSetInformationThreadHideFromDebugger
  Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for that thread from reaching an attached debugger, a common anti-debugging technique.
- Suspicious use of SetThreadContext
  Setting the context of a thread in another process is typically part of a code-injection sequence such as process hollowing (RunPE).