General

  • Target: d50aa22618e547ef5b0f05cdd694d57cd54554b0c8e3cb4b88c085d1d278bc20

  • Size: 188KB

  • Sample: 221123-3z7ajaha41

  • MD5: 43c75cbb2809f5d7aab9f58e0784f018

  • SHA1: 481e0b2a1a2d20d7977cb0ec2cf21a60ff3322d5

  • SHA256: d50aa22618e547ef5b0f05cdd694d57cd54554b0c8e3cb4b88c085d1d278bc20

  • SHA512: eb218b9d66110f7a0533041ea4247bcd0beba64015b38317befaa4f60498c7dc2d6c5a15e7ddfdeef14d1f42fc850ec01cbc230d99bd902831ea3924a4fe4454

  • SSDEEP: 3072:t9tN1Gs6kWVUzLZPsR7Uj30PlmaiKVOdHYxcvSbxlPH9kkEVSJj16b0s:tXNwszWuZPET9maVQHY9PPH9Gcn6Z

Malware Config

Extracted

Family: xtremerat

C2: apple.servehttp.com

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks