xtremerat | b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6 | Triage

Submit
Reports

Overview

overview

Static

static

b65f9a85fa...d6.exe

windows7-x64

b65f9a85fa...d6.exe

windows10-2004-x64

3

Sharing

General

Target

b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6
Size

543KB
Sample

221125-pm8e6sbe9w
MD5

c3df04ac5a1a56bcba1540b19d7dbcbe
SHA1

5dbec40f26acb54d7d741af50255398ad4ff2361
SHA256

b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6
SHA512

45d6f83dfda93bd307fd25815740a54d06ff8a95ca8ec5fa6fecf17d929c36c33b2dbf4b5783be0d1a37cf4d7778f7bb53c5a7f451fd00e582a6909a084b27e4
SSDEEP

6144:KqYG79Blo6G/EIva2/m8CpUCWZuhAY0eyYuF8nkisYDcANpLLXWuM4AIY0:Pxjod/EM/mFpZzALIbsYZpu54AIX

Score

10^/10

xtremerat persistence rat spyware upx

Static task

static1

Behavioral task

behavioral1

Sample

b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6.exe

Resource

win7-20221111-en

xtremerat persistence rat spyware upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6.exe

Resource

win10v2004-20220901-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Targets

- Target
  
  b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6
- Size
  
  543KB
- MD5
  
  c3df04ac5a1a56bcba1540b19d7dbcbe
- SHA1
  
  5dbec40f26acb54d7d741af50255398ad4ff2361
- SHA256
  
  b65f9a85fa52ea4a6c8e1c703cfc0d16f2101a6bbe82e953142c22471febe0d6
- SHA512
  
  45d6f83dfda93bd307fd25815740a54d06ff8a95ca8ec5fa6fecf17d929c36c33b2dbf4b5783be0d1a37cf4d7778f7bb53c5a7f451fd00e582a6909a084b27e4
- SSDEEP
  
  6144:KqYG79Blo6G/EIva2/m8CpUCWZuhAY0eyYuF8nkisYDcANpLLXWuM4AIY0:Pxjod/EM/mFpZzALIbsYZpu54AIX
Score

10^/10

xtremerat persistence rat spyware upx
- Modifies WinLogon for persistence
  persistence
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratpersistenceratspywareupx

behavioral2

© 2018-2024

Terms | Privacy