xtremerat | d5f343c90024ae4e5e427b813ab4cb009d12f5bc3d2ff33990418b0bfa76022d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
Size

376KB
MD5

f05a02ef611cc0db1a64bb859a069497
SHA1

6f873621db30814be163f4ae3ddf2d71cb8fb2fa
SHA256

d5f343c90024ae4e5e427b813ab4cb009d12f5bc3d2ff33990418b0bfa76022d
SHA512

baa22020e303ab74c737e37c896ef518aecbe8658f120994898ae60912ce8e6dda4ba0d340c97aa4c587fde81a0b4e8f58fbf0f6ed36015dcd45208710892563
SSDEEP

6144:l1db49+rEg024fpLZazEjvE/rbay19tSt4bO2BaDmeBJe59aI3yN5gyNA4:ljkArEN249AyE/rbaMct4bO2/VJyYyz

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Signatures

Detect XtremeRAT payload 9 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\00.exe	family_xtremerat
C:\Users\Admin\AppData\Local\Temp\0.exe	family_xtremerat
behavioral2/memory/3276-18-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral2/memory/4392-19-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral2/memory/4392-20-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral2/memory/4392-21-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral2/memory/4392-22-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral2/memory/4392-23-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat
behavioral2/memory/4392-27-0x0000000010000000-0x0000000010048000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Executes dropped EXE 2 IoCs

Processes:

00.exe0.exe

pid process

4392 00.exe
3276 0.exe

pid	process
4392	00.exe
3276	0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4024-0-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/4024-16-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4024-16-0x0000000000400000-0x00000000004C1000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe

description	pid	process	target process
PID 4024 wrote to memory of 4392	4024	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 4024 wrote to memory of 4392	4024	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 4024 wrote to memory of 4392	4024	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	00.exe
PID 4024 wrote to memory of 3276	4024	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe
PID 4024 wrote to memory of 3276	4024	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe
PID 4024 wrote to memory of 3276	4024	f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe	0.exe

C:\Users\Admin\AppData\Local\Temp\f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f05a02ef611cc0db1a64bb859a069497_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\00.exe
C:\Users\Admin\AppData\Local\Temp/00.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\0.exe
C:\Users\Admin\AppData\Local\Temp/0.exe
2⤵
- Executes dropped EXE
PID:3276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.exe
Filesize
65KB

MD5
5a98f8f5e1b03fefb69bee161ff8bad7

SHA1
5fd4fa720f4cabf4f2052b8852913588e89c7620

SHA256
6d69b703f18dfbe14729b1e64fa027a1d7d86020308749c7722ea33326503536

SHA512
ca4e4c0c280b0e28ba0440272fb0f535c5935c4f53751c68d1cbb727c37c6d680a84a8c7e6369178e39ddc998c8398f0debb25c7fa6246c0d59df8b44189cd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00.exe
Filesize
65KB

MD5
3e44cbf60321d5e8a6f6e93071d472fc

SHA1
265824f327c150c58463c2785573741cbb272108

SHA256
930013f511bfe51d64e6f4d9f505ad39d7aa5b5c3b6d51659b53da2e9ce13d6e

SHA512
aac31e49023e6e785516e9114146dceb17167c6b65cd4d0bdf77825872eea7a761b7f065007d536a198ba8766e938a528c0966189af979a66ccdb38a7f42547c

Download Submit
memory/3276-18-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4024-0-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4024-16-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4392-19-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4392-20-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4392-21-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4392-22-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4392-23-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download
memory/4392-27-0x0000000010000000-0x0000000010048000-memory.dmp

Filesize
288KB

Download