xtremerat | 7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7664d3b2b4...51.exe

windows7-x64

7664d3b2b4...51.exe

windows10-2004-x64

8

Sharing

General

Target

7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051
Size

289KB
Sample

221201-dspz8sde8y
MD5

7c5076f4818ad83b85c386d14a10a894
SHA1

506aaae1de0316b8b20b94905f35a582ef659465
SHA256

7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051
SHA512

0a1d4a9a40af1b25db0ff643cc271e1dd0edb07076fa166b20c60413bde2976fa4c83fc9048de60c60d47ba222f38c0c1e1665fd81367b862bead270331def80
SSDEEP

6144:4WqA/eRFp0yN90QE6KntvLfggDsMLDwP:R/eay904+xLfggDFDwP

Score

10^/10

xtremerat persistence rat spyware

Static task

static1

Behavioral task

behavioral1

Sample

7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe

Resource

win7-20221111-en

xtremerat persistence rat spyware

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

merlim2.no-ip.org

耀睊袸睊袌睊糨merlim2.no-ip.org

Targets

- Target
  
  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051
- Size
  
  289KB
- MD5
  
  7c5076f4818ad83b85c386d14a10a894
- SHA1
  
  506aaae1de0316b8b20b94905f35a582ef659465
- SHA256
  
  7664d3b2b48c3af986f6a184f42988e267beb3e5cbc99562f9228ac18ba74051
- SHA512
  
  0a1d4a9a40af1b25db0ff643cc271e1dd0edb07076fa166b20c60413bde2976fa4c83fc9048de60c60d47ba222f38c0c1e1665fd81367b862bead270331def80
- SSDEEP
  
  6144:4WqA/eRFp0yN90QE6KntvLfggDsMLDwP:R/eay904+xLfggDFDwP
Score

10^/10

xtremerat persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratpersistenceratspyware

behavioral2

© 2018-2025

Terms | Privacy