General

  • Target

    18e4f2358487e5d0db1bae9c8148d2dc82de6520e7baff249c3c860f02a4091f

  • Size

    644KB

  • Sample

    221123-3xtxesgg6s

  • MD5

    05eb346fa01dcbb00854b6ee00843fc2

  • SHA1

    a0810a5daccea77705378e5b0731ef8b52492a60

  • SHA256

    18e4f2358487e5d0db1bae9c8148d2dc82de6520e7baff249c3c860f02a4091f

  • SHA512

    ab2d1d34c7aaac7dd92db61bad73102324df8385d4c9445879a675a19aa372904bd6714202bc52bbb87cc0ce64982eeb8165d486b392d429ba5207abe7f5f6de

  • SSDEEP

    12288:fVdmSge/iLZGKbwjm67rGNrkty0fkhA7VzYKj86sc0:rjgdLuhErmyFA7pYOC

Malware Config

Extracted

Family

xtremerat

C2

moi150.no-ip.biz

Targets

    • Target

      18e4f2358487e5d0db1bae9c8148d2dc82de6520e7baff249c3c860f02a4091f

    • Size

      644KB

    • MD5

      05eb346fa01dcbb00854b6ee00843fc2

    • SHA1

      a0810a5daccea77705378e5b0731ef8b52492a60

    • SHA256

      18e4f2358487e5d0db1bae9c8148d2dc82de6520e7baff249c3c860f02a4091f

    • SHA512

      ab2d1d34c7aaac7dd92db61bad73102324df8385d4c9445879a675a19aa372904bd6714202bc52bbb87cc0ce64982eeb8165d486b392d429ba5207abe7f5f6de

    • SSDEEP

      12288:fVdmSge/iLZGKbwjm67rGNrkty0fkhA7VzYKj86sc0:rjgdLuhErmyFA7pYOC

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      Active Setup entries under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components run their StubPath command once per user at the next logon, a persistence location separate from the Run keys.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Reads the country/region code configured in the registry (for example HKCU\Control Panel\International\Geo\Nation), a lookup malware commonly uses as a geofence to run only in, or only outside, particular countries.

    • Loads dropped DLL

    • Adds Run key to start application

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system. The signature records a write to the first sector of the disk; whether a bootkit was actually installed is confirmed by comparing a raw copy of sector 0 taken before the sample ran with one taken afterwards.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is characteristic of process hollowing (RunPE): a host process is started suspended, its image is replaced with injected code, and the thread's instruction pointer is redirected to that code before the thread resumes.
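The UPX signature above and the four digests listed for the file can both be checked directly against the bytes. The following is an added example, not code from this report or from the sandbox: it parses a PE section table, applies the heuristic the signature's wording implies (stock UPX section names, or, as an assumption about modified UPX builds, a renamed first section that has virtual size but no raw data), and computes the same MD5, SHA1, SHA256 and SHA512 digests. The PE image it examines is constructed inside the block; the sample from this report is not included, and the SSDEEP fuzzy hash is left out because it needs the ssdeep library.

```python
import hashlib
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# First five fields of IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData (the whole header is 40 bytes)
SECTION_PREFIX_FMT = "<8sIIII"
SECTION_HEADER_SIZE = 40


def build_fake_pe(sections, optional_size=0xE0):
    """Constructed test data: a minimal PE32 image that is not executable.

    `sections` is a list of (name, virtual_size, raw_size) tuples.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)              # e_lfanew points at "PE\0\0"
    coff = struct.pack(COFF_HEADER_FMT, 0x014C, len(sections), 0, 0, 0, optional_size, 0x0102)
    optional = b"\x0B\x01".ljust(optional_size, b"\x00")     # PE32 magic, remainder zeroed
    table = b""
    for name, vsize, rsize in sections:
        table += struct.pack(SECTION_PREFIX_FMT, name.encode("ascii"), vsize, 0x1000, rsize, 0x400)
        table += b"\x00" * (SECTION_HEADER_SIZE - struct.calcsize(SECTION_PREFIX_FMT))
    return bytes(dos) + b"PE\x00\x00" + coff + optional + table


def pe_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    table = coff + struct.calcsize(COFF_HEADER_FMT) + opt_size
    out = []
    for i in range(n_sections):
        name, vsize, _va, rsize, _ptr = struct.unpack_from(
            SECTION_PREFIX_FMT, data, table + i * SECTION_HEADER_SIZE)
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"), vsize, rsize))
    return out


def looks_upx_packed(sections):
    """Heuristic for the 'UPX/modified UPX' signature.

    Stock UPX names its sections UPX0/UPX1 and leaves UPX0 (the unpack target)
    with no raw data. Modified builds often rename the sections but keep that
    shape, so a first section with virtual size but zero raw size is flagged too
    (assumption: that layout is rare in unpacked binaries). A negative result is
    not proof that the file is unpacked.
    """
    if any(name.upper().startswith("UPX") for name, _, _ in sections):
        return True
    if len(sections) >= 2:
        _, vsize, rsize = sections[0]
        return rsize == 0 and vsize > 0
    return False


def file_hashes(data):
    """The size and four digests a sandbox report lists, computed over the same bytes."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


if __name__ == "__main__":
    packed = build_fake_pe([("UPX0", 0x20000, 0), ("UPX1", 0x9000, 0x8800), (".rsrc", 0x1000, 0x800)])
    print(pe_sections(packed), looks_upx_packed(pe_sections(packed)))
    print(file_hashes(packed))
```

To use it on a real file, read the file as bytes and pass the same object to `pe_sections` and `file_hashes`; if any of the four digests differs from the report, you are not looking at the same file.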
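To act on the MBR caveat, here is an added example (not from the report or the sandbox) that compares two raw copies of sector 0 and parses the classic partition table, so that a change to the bootstrap code, which is what a bootkit needs, can be told apart from a change to the partition table or a wiped boot signature. Both sectors are constructed inside the block; the partition layout and bootstrap bytes are made up for the example.

```python
import struct

SECTOR = 512
BOOTSTRAP_END = 446      # bytes 0..445: boot code; 446..509: four 16-byte partition entries; 510..511: 0x55AA
# Partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_FMT = "<B3sB3sII"


def parse_partition_table(sector):
    """Return the four MBR partition entries as dicts (empty entries included)."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_FMT, sector, BOOTSTRAP_END + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mbr_check(before, after):
    """Compare two raw copies of sector 0 taken before and after the sample ran.

    A changed bootstrap region with the signature intact is the bootkit case;
    a changed partition table or missing signature points to destruction rather
    than persistence.
    """
    if len(before) != SECTOR or len(after) != SECTOR:
        raise ValueError("expected two 512-byte sectors")
    return {
        "signature_intact": after[510:512] == b"\x55\xAA",
        "bootstrap_changed": before[:BOOTSTRAP_END] != after[:BOOTSTRAP_END],
        "partition_table_changed": before[BOOTSTRAP_END:510] != after[BOOTSTRAP_END:510],
    }


def make_sector(bootstrap, entries):
    """Constructed sector 0 for the example: given bootstrap bytes plus (status, type, lba, count) entries."""
    body = bootstrap.ljust(BOOTSTRAP_END, b"\x00")[:BOOTSTRAP_END]
    table = b""
    for status, ptype, lba_start, sectors in entries:
        table += struct.pack(PARTITION_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
    return body + table.ljust(64, b"\x00") + b"\x55\xAA"


if __name__ == "__main__":
    layout = [(0x80, 0x07, 2048, 1000000)]
    clean = make_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", layout)       # xor ax,ax / mov ss,ax / mov sp,7C00h
    infected = make_sector(b"\xEB\x1E\x90" + b"\x00" * 40 + b"BOOTKIT", layout)
    print(mbr_check(clean, infected))
    print(parse_partition_table(infected))
```

On a live system the two copies come from reading the first 512 bytes of the physical disk (for example \\.\PhysicalDrive0 on Windows) before detonation and again afterwards; the comparison itself needs nothing but the bytes.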

MITRE ATT&CK Enterprise v6

Tasks