General

  • Target

    df99c9b15fa52468a639c6b488d71041c3259b04a9713531996a2c0235326a99

  • Size

    21KB

  • Sample

    221124-d3x4lahf5x

  • MD5

    86956c0ee2b0aef3f31788c3f86d56d6

  • SHA1

    2ffd2c08ba51c6f9898a56d34b1fb0ad76b4654b

  • SHA256

    df99c9b15fa52468a639c6b488d71041c3259b04a9713531996a2c0235326a99

  • SHA512

    3d0af6dc90f4bc626b63de11b0b0018b9adfd49091659cd52cd88f572b389ea0501bd56ec771ddaa54e8b8ea3743455a1f5da84f93edcc7931dcb5d03f57bb79

  • SSDEEP

    384:QlIdmF+TXCsj0DOgEm6/glRXC+MGCIe/fobROTinQP8NRLR:QlIsF8ysqjGWyjkCgRO0ya

Malware Config

Extracted

Family

xtremerat

C2

kobani11.no-ip.org

Targets

    • Target

      df99c9b15fa52468a639c6b488d71041c3259b04a9713531996a2c0235326a99

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application
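Added example, not part of the sandbox report: the behavioural signatures above expressed as a host-side detection over Sysmon events in JSON-lines form. It tags Run/RunOnce value writes ("Adds Run key to start application"), writes to Active Setup's Installed Components StubPath values (my reading of "Modifies Installed Components in the registry"), and DNS queries for the extracted C2 host or any other No-IP dynamic-DNS name. The sample events, file paths, value names and GUID are constructed, not taken from the report. The "Checks computer location settings" signature is a registry read, which Sysmon does not log, so it is deliberately not covered.

```python
import json
import re

# Extracted config from the report: the XtremeRAT C2 host, a No-IP dynamic-DNS name.
C2_DOMAIN = "kobani11.no-ip.org"

# Registry paths behind the report's persistence signatures. The key locations are the standard
# Windows ones; which value names this particular sample writes is not stated on the page.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
ACTIVE_SETUP_RE = re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)


def classify(event: dict):
    """Map one Sysmon event (as a dict) to a signature tag, or None if it is unremarkable."""
    eid = event.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent (Value Set)
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            return "persistence:run_key"
        if ACTIVE_SETUP_RE.search(target):
            return "persistence:active_setup"
    elif eid == 22:  # Sysmon DnsQuery
        name = event.get("QueryName", "").lower().rstrip(".")
        if name == C2_DOMAIN:
            return "c2:known_domain"
        if name.endswith(".no-ip.org"):
            return "c2:dynamic_dns"
    return None


def scan(lines):
    """Run classify over JSON-lines Sysmon events; return (image, tag, indicator) per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            hits.append((ev.get("Image", "?"), tag, ev.get("TargetObject") or ev.get("QueryName")))
    return hits


# Constructed sample events (not from the report); paths, value names and the GUID are invented.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\server.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HKCU", "Details": "C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\server.exe"}
{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\server.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{E7A9C5B1-0000-0000-0000-000000000001}\\StubPath", "Details": "C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\server.exe restart"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 22, "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"}
{"EventID": 22, "Image": "C:\\Users\\victim\\AppData\\Roaming\\InstallDir\\server.exe", "QueryName": "kobani11.no-ip.org"}
"""


if __name__ == "__main__":
    for image, tag, indicator in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{tag:24} {image} -> {indicator}")
```

Run-key writes are common for legitimate installers, so in production the `persistence:*` tags are worth correlating with the writing process (a user-writable path under AppData, as in the constructed events, or a process that was itself a dropped executable) rather than alerting on every hit; the `c2:dynamic_dns` tag is likewise a hunting lead, not proof of this family.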

MITRE ATT&CK Enterprise v6

Tasks