General

  • Target

    8cda651a2958930a5c233d841940c2d9

  • Size

    187KB

  • Sample

    240203-vfd6msdhh8

  • MD5

    8cda651a2958930a5c233d841940c2d9

  • SHA1

    af7949a15390e8e1f3251e8bf9344d3b4c0538fc

  • SHA256

    4b2f8f49063ee9b973867f0d1e72923dd72df98c2c0b607ce619bf71a9810eb6

  • SHA512

    9ce7913ecbbb9425740b7dd7e3dc883f8cdfac1cafdae765ec3f1bec84ddbb426523ea8e058ee7d897924cddb70c8f8b55f617eb276ff3432ad82f1b7302a317

  • SSDEEP

    3072:Vd6RjrfJVUmYrfpR7yx4KS7PkSjRJ9f5c7G22OxGaXeGFdQT8VC1eZuVO8G93Px:7A3rUmSpdgUscF5c7G22OxGaXeGFdQTK

Malware Config

Extracted

  • Family

    xtremerat

  • C2

    stylor.no-ip.org

Targets

    • Target

      8cda651a2958930a5c233d841940c2d9

    • Detect XtremeRAT payload

    • XtremeRAT

      XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks