General

  • Target

    829d688d6319514327336a54b5954cff

  • Size

    346KB

  • Sample

    240130-ymn6zadben

  • MD5

    829d688d6319514327336a54b5954cff

  • SHA1

    c771a0b8d570a57b17b8ecba0ec77e584385b10d

  • SHA256

    607dc11710cdbf52e8fea6df43b926634394fbd11a0136137f70c97b6fc1ab0d

  • SHA512

    e051a1e2551652052b457c247026ae12f09f4be5e28559203ca8bdffed426d56061858d03244824859815e8f3586cbea26f12068e39b550de982c8a16000fb44

  • SSDEEP

    6144:uLpeqc0Ixo540Eq2QwZ1ZbCHf9pu1W44MCQlL4vOJT4M:KAzbCVpw4SkvtM

Malware Config

Extracted

Family

xtremerat

C2

merlim2.no-ip.org

Targets

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15