General

  • Target

    b50672ace6a1db5fd44b15f7b3371593fa1ca3db8252f5c6554c92b7b12e8e5d

  • Size

    555KB

  • Sample

    221124-aam65sdg88

  • MD5

    9f5f5c8fe620087d70fd743a2ab21c99

  • SHA1

    ceda310cff34f3eae469c0182514a3fdcb537b96

  • SHA256

    b50672ace6a1db5fd44b15f7b3371593fa1ca3db8252f5c6554c92b7b12e8e5d

  • SHA512

    65319052646c058fa9d14d0c6d14c6892db528f94a5d15ee9129772ca1c1e0ab33d31fb829655291d548761d2128efed08ad63c5fd5679901af8aa32882dc5a5

  • SSDEEP

    12288:X6Wq4aaE6KwyF5L0Y2D1PqLUoyCSp89ZxK5xrc2Hc8:1thEVaPqLbyPpUxKTo8

Malware Config

Extracted

Family

xtremerat

C2

rap1215.servemp3.com

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks