Overview

overview

10

Static

static

8

d24fb93675...38.exe

windows7-x64

10

d24fb93675...38.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

  • Size

    328KB

  • Sample

    221125-s3lswsca2s

  • MD5

    d5205d99667a7463991311ba1d86fbbc

  • SHA1

    02449a330e4f0c1d499581a89a6cef3b6a719ee0

  • SHA256

    d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

  • SHA512

    8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

  • SSDEEP

    6144:MuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLku0dCcKNUDkO:n6Wq4aaE6KwyF5L0Y2D1PqLXcu+kO

Score
10/10
xtremeratpersistenceratspywareupx

Malware Config

Extracted

Family

xtremerat

C2

藈㶮က蠀C:\windrap1215.servemp3.com

Targets

    • Target

      d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

    • Size

      328KB

    • MD5

      d5205d99667a7463991311ba1d86fbbc

    • SHA1

      02449a330e4f0c1d499581a89a6cef3b6a719ee0

    • SHA256

      d24fb936751180bc70cacf97c43ec75082c94213451d624f4787a30c84ee4e38

    • SHA512

      8082fadbe2fe5a694f85a6f4c5a3a5a15e812bc47853246e2f63bec3a5c4b6a31c01fee077b4047fa09d1aaf4bda86395b361810b73b615b8ac362b44f9ba691

    • SSDEEP

      6144:MuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLku0dCcKNUDkO:n6Wq4aaE6KwyF5L0Y2D1PqLXcu+kO

    Score
    10/10
    xtremeratpersistenceratspywareupx

    • Detect XtremeRAT payload

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks