xtremerat | 5c76abec68896a7befcdf1b99cc80b01e19a6a3b8da3c61ed975ff546d4d12db | Triage

Submit
Reports

Overview

overview

Static

static

3

982d7a0d9f...dc.exe

windows7-x64

982d7a0d9f...dc.exe

windows10-2004-x64

Sharing

General

Target

982d7a0d9f3d9e6e7780d33257975ddc
Size

404KB
Sample

240213-b9mv4aaa77
MD5

982d7a0d9f3d9e6e7780d33257975ddc
SHA1

3cff42ac645492a5c6f5787d76ff657205c4281d
SHA256

5c76abec68896a7befcdf1b99cc80b01e19a6a3b8da3c61ed975ff546d4d12db
SHA512

18952a296c26901bc147c1fc2e657f67d85e3f4307110d26517c3e6fe2782264f4d1a6c2a0856fc16ff24ad52b77480a4c58ed6c29898ac02fa15121e48015a8
SSDEEP

12288:P19Nk9NHoWb2D6dIEGpzK6FSkFvsAeF0CxYgdb2:N9Nk9NvY6i5pzv9enYE2

Score

10^/10

xtremerat persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

982d7a0d9f3d9e6e7780d33257975ddc.exe

Resource

win7-20231215-en

xtremerat persistence rat spyware

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

982d7a0d9f3d9e6e7780d33257975ddc.exe

Resource

win10v2004-20231222-en

xtremerat persistence rat spyware

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

hassan12345.no-ip.biz

Targets

- Target
  
  982d7a0d9f3d9e6e7780d33257975ddc
- Size
  
  404KB
- MD5
  
  982d7a0d9f3d9e6e7780d33257975ddc
- SHA1
  
  3cff42ac645492a5c6f5787d76ff657205c4281d
- SHA256
  
  5c76abec68896a7befcdf1b99cc80b01e19a6a3b8da3c61ed975ff546d4d12db
- SHA512
  
  18952a296c26901bc147c1fc2e657f67d85e3f4307110d26517c3e6fe2782264f4d1a6c2a0856fc16ff24ad52b77480a4c58ed6c29898ac02fa15121e48015a8
- SSDEEP
  
  12288:P19Nk9NHoWb2D6dIEGpzK6FSkFvsAeF0CxYgdb2:N9Nk9NvY6i5pzv9enYE2
Score

10^/10

xtremerat persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratpersistenceratspyware

behavioral2

xtremeratpersistenceratspyware

© 2018-2025

Terms | Privacy