General

  • Target

    154f9f76cc42ec0393399757b209b09f9fedf3b7000c8aa367d6d08f60783618

  • Size

    515KB

  • Sample

    221122-zwe54acc8x

  • MD5

    70bc81ae1041151a84ee2dd83d46fdeb

  • SHA1

    8ac0bd1a09d441ea6ed723eef371030c65d932e3

  • SHA256

    154f9f76cc42ec0393399757b209b09f9fedf3b7000c8aa367d6d08f60783618

  • SHA512

    a7904b0196e2c16c79cd79114832f71ae9dc1acbe593b733593d48cba6540dd96795fc6b1e76d3bb0cecb1651e1375b0edd4f42d0077485456adcfe8267e6557

  • SSDEEP

    12288:15DNRR3byu90DQY2W+yoDWczEfXGXpAFx+H2y8WLYX:15DNRR3byhQYoDWczEfmpHWy8W

Malware Config

Targets

    • Modifies WinLogon for persistence

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks