xtremerat

General

Target

7ed3c71399fb4b0984ffb527a5877f928a7ede1295edf36f67690e2fe71d3798
Size

307KB
Sample

221125-we9ftsdb87
MD5

a08047f1fa8e332a725732d7a1ea611b
SHA1

69036578f0a7031cb291d33989b58f8a730755b4
SHA256

7ed3c71399fb4b0984ffb527a5877f928a7ede1295edf36f67690e2fe71d3798
SHA512

c9886b71bc612a067058d273967e51ba48ef0177221c130e064fd6dac687c0dac47836cd4d37b1ae5f22cdf29d8b37278e3c184152a353fd30f90086964608f4
SSDEEP

6144:ptr90yDeOuPn4OU9Mp7uJPoupIh6u8Q/7dM4p/jiDQzHylOqG9:pt3XutqWuaXpp/j7H2W

Score

10^/10

Malware Config

Extracted

Family

xtremerat

C2

golij.redirectme.net

tiriberk.ddns.net

nikberkactivi.ddns.net

Targets

- Target
  
  1020457285.exe
- Size
  
  421KB
- MD5
  
  1f13d71974214e02ba361af8d9558288
- SHA1
  
  987c2c52cedb24cf2c094158a2597b9728edbe87
- SHA256
  
  b58f539f5c6d37ee35710aab52871e3c400d360486f706870b219e86ebb15ffa
- SHA512
  
  d5eca31b6f971b5e1f62acfaf520814c579d357f747c0f2005b8a6ff2966a0db68f1f2a81b1ca1e065e679e3ad6b52d7179ceae835232721e1f2f62f49a27951
- SSDEEP
  
  6144:buIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLDOD6HHVdCcJmOd:C6Wq4aaE6KwyF5L0Y2D1PqLS6nucJvd
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect XtremeRAT payload

Executes dropped EXE

Modifies Installed Components in the registry

UPX packed file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2