General
-
Target
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf
-
Size
532KB
-
Sample
221124-k3897adb97
-
MD5
80c2838bc5c5ebe29e4f87bc02d0bc01
-
SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687
-
SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf
-
SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1
-
SSDEEP
12288:86Wq4aaE6KwyF5L0Y2D1PqLaD0+dj3kuLkv3cH8:6thEVaPqLZ+dj0uLEMc
Malware Config
Extracted
xtremerat
golij.redirectme.net
蠀C:\Usertiriberk.ddns.net
nikberkactivi.ddns.net
Targets
-
-
Target
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf
-
Size
532KB
-
MD5
80c2838bc5c5ebe29e4f87bc02d0bc01
-
SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687
-
SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf
-
SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1
-
SSDEEP
12288:86Wq4aaE6KwyF5L0Y2D1PqLaD0+dj3kuLkv3cH8:6thEVaPqLZ+dj0uLEMc
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-