General

  • Target

    ad792d3388b9d55ebb8fe5a79aec97b67cac275c9d65e0bf7e215ba8f8719de8

  • Size

    515KB

  • Sample

    221122-ztj19scc2s

  • MD5

    0ee3c04db009256f7b1e4ca95a932e86

  • SHA1

    c01ff8fa748745c5704df17600cd1abd46f57a10

  • SHA256

    ad792d3388b9d55ebb8fe5a79aec97b67cac275c9d65e0bf7e215ba8f8719de8

  • SHA512

    8453f561c2a1e80998de6ccc6bffbf3b5db3ec215ef15ee5018963b3e790bf9d33ece0224fabec0131cfa253a8175956f92094d730d68cf32a01613959acc7ee

  • SSDEEP

    12288:pVDNRR3by+eblK3vxVFihFbzwKiiLJ53+eYnd:pVDNRR3byp83vxihlVP3+eGd

Malware Config

Targets

    • Target

      ad792d3388b9d55ebb8fe5a79aec97b67cac275c9d65e0bf7e215ba8f8719de8

    • Modifies WinLogon for persistence

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open source UPX packer or a modified UPX build.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
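
The signatures above name registry and file artefacts an analyst can re-check offline. The following Python is an added triage helper, not code from this report or from XtremeRAT: it scans a registry snapshot for the Winlogon, Run and policy Run persistence entries, reads the value behind the location check, and walks a PE section table for the marks UPX leaves. The key paths, the Winlogon default values, the use of Geo\Nation as the country-code location, the SAMPLE_REGISTRY snapshot and the hand-built PE image are all assumptions or constructed test data.

```python
"""Triage helper for the behaviours flagged above (added example; all paths,
defaults and sample data are assumptions / constructed test data)."""
import struct
from typing import Dict, List, Optional

# Assumption: "Modifies WinLogon" refers to the Shell / Userinit values.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]
# Explorer honours the policy Run keys like the ordinary ones, but tools that
# only enumerate RUN_KEYS miss them.
POLICY_RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
]
# Assumption: the location check reads the GeoID string stored under Geo\Nation.
GEO_KEY = r"HKCU\Control Panel\International\Geo"

Registry = Dict[str, Dict[str, str]]  # key path -> {value name: data}


def check_registry(reg: Registry) -> List[str]:
    """One finding per persistence artefact present in the snapshot."""
    findings: List[str] = []
    winlogon = reg.get(WINLOGON, {})
    for name, default in WINLOGON_DEFAULTS.items():
        data = winlogon.get(name)
        if data is not None and data.strip().lower() != default.lower():
            findings.append(f"Modifies WinLogon for persistence: {name}={data}")
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            findings.append(f"Adds Run key to start application: {key}\\{name} -> {cmd}")
    for key in POLICY_RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            findings.append(f"Adds policy Run key to start application: {key}\\{name} -> {cmd}")
    return findings


def country_code(reg: Registry) -> Optional[str]:
    """GeoID string the sample sees when it checks the computer location settings."""
    return reg.get(GEO_KEY, {}).get("Nation")


def pe_section_names(data: bytes) -> List[str]:
    """Walk the PE section table; returns [] for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # signature(4) + COFF header(20) + optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 and writes a 'UPX!' marker;
    modified builds often strip one or both, so check for either."""
    names = pe_section_names(data)
    return any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data


def build_fake_pe(section_names: List[str]) -> bytes:
    """Constructed minimal PE: DOS stub, signature, COFF header, empty section headers."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


# Constructed snapshot resembling what the signatures above describe.
SAMPLE_REGISTRY: Registry = {
    WINLOGON: {
        "Shell": "explorer.exe",
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Roaming\svchost.exe",
    },
    RUN_KEYS[0]: {"HKCU": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    POLICY_RUN_KEYS[0]: {"HKCU": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    GEO_KEY: {"Nation": "244"},
}

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY):
        print(finding)
    print("GeoID:", country_code(SAMPLE_REGISTRY))
    print("UPX packed:", looks_upx_packed(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
```

On a live host the snapshot would come from a registry hive export rather than the constructed dict, and the Winlogon defaults should be taken from a known-good image of the same Windows build. Both UPX tells can be removed by a modified packer, which is why the report's signature also names "modified UPX"; a negative result from looks_upx_packed does not mean the file is unpacked.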

MITRE ATT&CK Enterprise v6

Tasks