xtremerat | 2fc2ca2a65c0e13c02c9189ecdc0405e54f2da59fa1029df23a73a79f3efe96a | Triage

Submit
Reports

Overview

overview

Static

static

5

e33bb20314...18.exe

windows7-x64

e33bb20314...18.exe

windows10-2004-x64

Sharing

General

Target

e33bb2031416e672ef074fe9338fb175_JaffaCakes118
Size

984KB
Sample

240406-zc8cjabb54
MD5

e33bb2031416e672ef074fe9338fb175
SHA1

c79be70d4af23ba3b5f7c62a384b12bebd91eacb
SHA256

2fc2ca2a65c0e13c02c9189ecdc0405e54f2da59fa1029df23a73a79f3efe96a
SHA512

9f6deaf6755b2879dab2a61a5d25be47a6678bae3d3ffb4f29b7fc09719fb4b77459586f039460bacbffa329355717bc201395479d9f6c9ce4f071ca9b79003d
SSDEEP

12288:9CdOy3vVrKxR5CXbNjAOxK/q2n+4YG/6c1mFFja3mXgcjfRlgsUBgaky9qJbl+KL:9Cdxte/80qYLT3U1jfsWaky0DHIQ

Score

10^/10

xtremerat persistence rat spyware upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

e33bb2031416e672ef074fe9338fb175_JaffaCakes118.exe

Resource

win7-20240319-en

xtremerat persistence rat spyware upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

e33bb2031416e672ef074fe9338fb175_JaffaCakes118.exe

Resource

win10v2004-20240226-en

xtremerat persistence rat spyware upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  e33bb2031416e672ef074fe9338fb175_JaffaCakes118
- Size
  
  984KB
- MD5
  
  e33bb2031416e672ef074fe9338fb175
- SHA1
  
  c79be70d4af23ba3b5f7c62a384b12bebd91eacb
- SHA256
  
  2fc2ca2a65c0e13c02c9189ecdc0405e54f2da59fa1029df23a73a79f3efe96a
- SHA512
  
  9f6deaf6755b2879dab2a61a5d25be47a6678bae3d3ffb4f29b7fc09719fb4b77459586f039460bacbffa329355717bc201395479d9f6c9ce4f071ca9b79003d
- SSDEEP
  
  12288:9CdOy3vVrKxR5CXbNjAOxK/q2n+4YG/6c1mFFja3mXgcjfRlgsUBgaky9qJbl+KL:9Cdxte/80qYLT3U1jfsWaky0DHIQ
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- Modifies WinLogon for persistence
  persistence
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratpersistenceratspywareupx

behavioral2

xtremeratpersistenceratspywareupx

© 2018-2024

Terms | Privacy