General
Target: 91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15
Size: 119KB
Sample: 221205-pm5z2sdf7z
MD5: 6a28e5d59704120b1fed4a972d7ad56e
SHA1: e3dba778f11929b8616e45f2028b59052931e4cd
SHA256: 91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15
SHA512: 28d5a459224f22415ff161bd639327a5af040ac023ef0d8d0d73789f1d793dc1b1f436f5be149882a04364d7556a0c3ed17a7bc7e92b38464e6d8ed6f6bb3c85
SSDEEP: 1536:pgZut8Y0mh2VAaasBMfjrzpGUqVKpkhzRMecpqx+cnzkZ/qGjtc6B73Gdp+tIVRl:pQut/dzzpfqukhzvHkZ/qovBjG6gRl
Static task: static1
Behavioral task: behavioral1
Sample: 91c3880df0e705b267c198f4f15ba593a67db1f590f768e0b5b6176d3ce91b15.exe
Resource: win7-20220812-en
Malware Config
Extracted
xtremerat
tsw.no-ip.biz
Targets
- Detect XtremeRAT payload
- XtremeRAT: XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext