General

  • Target

    f87408ebdf5ac0c037bcb70aecaeb7cb1ff03c1c574ee4172acac571168a0728

  • Size

    515KB

  • Sample

    221122-ztdjgsgg66

  • MD5

    fc597388e9659a66600e39273b973b81

  • SHA1

    4239ff23a8cc849f10c13f6284d870eef5bf1c9f

  • SHA256

    f87408ebdf5ac0c037bcb70aecaeb7cb1ff03c1c574ee4172acac571168a0728

  • SHA512

    20afba105703b56cfba285da0679c036bd4631aa6792d6f808f9028b28bfa17c7680e6aac198ef0de9c7ac5ad535673aa99d8951bd5d59ef8c2e6ca489e6a3da

  • SSDEEP

    12288:JtDNRR3b4H0iPVxML0K8WY56FXaj9fg/gwfLxfodz2d9x+zE:JtDNRR3b4H0i9xDKHY5NqJLVqz2dWQ

Malware Config

Targets

    • Modifies WinLogon for persistence

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks