Overview

overview

10

Static

static

39ecc03892...3b.exe

windows7-x64

10

39ecc03892...3b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

  • Size

    519KB

  • Sample

    221123-rxelyshg24

  • MD5

    b1415073293fa408b8c1a31bdc34fcc4

  • SHA1

    37642c6145a1f451c88b710b8573bca7afa7ba81

  • SHA256

    39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

  • SHA512

    b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

  • SSDEEP

    12288:RnCOMDRxONM9eVXeHwv70Kd5hLVxKHx6KoUur6iQafK:RnCjDFHVKd5bKofhc

Score
10/10
xtremeratpersistenceratspyware

Malware Config

Extracted

Family

xtremerat

C2

alertsdanish.bounceme.net

čalertsdanish.bounceme.net

Targets

    • Target

      39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

    • Size

      519KB

    • MD5

      b1415073293fa408b8c1a31bdc34fcc4

    • SHA1

      37642c6145a1f451c88b710b8573bca7afa7ba81

    • SHA256

      39ecc03892d92ca63c0393580cee198b7cdd3b6ce2be337aed947802c882753b

    • SHA512

      b48214ddc7006268a2c2f273602b70e45aca4e909025e44b41b890455e527f94bbf36796fac7e0b1af656cefdfab5d79dff85d31b14f310990bba0c72fddb25b

    • SSDEEP

      12288:RnCOMDRxONM9eVXeHwv70Kd5hLVxKHx6KoUur6iQafK:RnCjDFHVKd5bKofhc

    Score
    10/10
    xtremeratpersistenceratspyware

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks