xtremerat | cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4 | Triage

Submit
Reports

Overview

overview

Static

static

cfda7f2972...c4.exe

windows7-x64

cfda7f2972...c4.exe

windows10-2004-x64

Sharing

General

Target

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4
Size

646KB
Sample

221124-bw9gyaaa57
MD5

fac9fe795014ff2760a485836bce4f3e
SHA1

1a00b3edc541d3514a2b5efef2e9dcfd7c34160a
SHA256

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4
SHA512

a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209
SSDEEP

12288:FmdibbI6DagCtX2UGsSjP+Yw0ODICU9jZ8Y7W4tJX:s3o+m/nPOD4f8YCsX

Score

10^/10

xtremerat persistence rat spyware upx

Static task

static1

Behavioral task

behavioral1

Sample

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

Resource

win7-20221111-en

xtremerat persistence rat spyware

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4.exe

Resource

win10v2004-20220812-en

xtremerat persistence rat spyware upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4
- Size
  
  646KB
- MD5
  
  fac9fe795014ff2760a485836bce4f3e
- SHA1
  
  1a00b3edc541d3514a2b5efef2e9dcfd7c34160a
- SHA256
  
  cfda7f297276d61aea2a64447e97237504b4e87fea2543d968a97d02d59c46c4
- SHA512
  
  a3edf1ab89629a3278f7197f576d37163236cb93e01df511ac686b0d2b0bd6ef65a839387e43d9aebce7e57a72c407b3b791859632ce95880b44a12989192209
- SSDEEP
  
  12288:FmdibbI6DagCtX2UGsSjP+Yw0ODICU9jZ8Y7W4tJX:s3o+m/nPOD4f8YCsX
Score

10^/10

xtremerat persistence rat spyware upx
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xtremeratpersistenceratspyware

behavioral2

xtremeratpersistenceratspywareupx

© 2018-2024

Terms | Privacy