xtremerat | 1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536 | Triage

Submit
Reports

Overview

overview

Static

static

3

ea95c71d3c...18.exe

windows7-x64

ea95c71d3c...18.exe

windows10-2004-x64

Sharing

General

Target

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118
Size

226KB
Sample

240410-jmha4abf8v
MD5

ea95c71d3c8f55d6a51ae43dd9cde9d9
SHA1

25460dbd2c7e996de80285971e787fb83e38d32e
SHA256

1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536
SHA512

789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60
SSDEEP

6144:J9evRcgVy2FIMB4TyQOI5JgpcvqNplce+f+hU5P4g0oa:J46gVPOT0Iw5preDk

Score

10^/10

xtremerat bootkit persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe

Resource

win7-20240221-en

xtremerat bootkit persistence rat spyware upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118.exe

Resource

win10v2004-20231215-en

xtremerat persistence rat spyware upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

a411.no-ip.info

Targets

- Target
  
  ea95c71d3c8f55d6a51ae43dd9cde9d9_JaffaCakes118
- Size
  
  226KB
- MD5
  
  ea95c71d3c8f55d6a51ae43dd9cde9d9
- SHA1
  
  25460dbd2c7e996de80285971e787fb83e38d32e
- SHA256
  
  1aa75d1bfc89d1efdf0ee23cf3ba489d95d0fc73d1fb43358b3aa7e416b89536
- SHA512
  
  789a95758a1a7b680bdeb0a169834406fc68e14e9063bf6fe897ca1fb19d4b6628464a674aa9f6e0a65eff5ebeb8762ace692cd46fc39a3cb21de2ae91e77e60
- SSDEEP
  
  6144:J9evRcgVy2FIMB4TyQOI5JgpcvqNplce+f+hU5P4g0oa:J46gVPOT0Iw5preDk
Score

10^/10

xtremerat bootkit persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xtremeratbootkitpersistenceratspywareupx

behavioral2

xtremeratpersistenceratspywareupx

© 2018-2024

Terms | Privacy