xtremerat | b9021561415bff1468c140ce32431baf1ee6f94aeacf450634f2b76232055438 | Triage

Submit
Reports

Overview

overview

Static

static

f0e35d7526...18.exe

windows7-x64

f0e35d7526...18.exe

windows10-2004-x64

Sharing

General

Target

f0e35d7526ac18475f1cfcdd6c772a8c_JaffaCakes118
Size

211KB
Sample

240415-mztfnsfa3t
MD5

f0e35d7526ac18475f1cfcdd6c772a8c
SHA1

525a6d099216ae252d803f0e47806a55621e6d9e
SHA256

b9021561415bff1468c140ce32431baf1ee6f94aeacf450634f2b76232055438
SHA512

923ccad09ede28890165792c9229076ba55683efb989da85dea14048abed45abd8ca40af77d4a086f5701daabbcc6da415e0c737bb98029dfcf411b2a0c3ab0a
SSDEEP

6144:dqZ7oEYoRAQaUbRZH+CHRSwI7PTn422b4HuwIAXbPZcry+wNKevSK0b4EeU:da7TFUUbRMCf

Score

10^/10

xtremerat persistence rat spyware

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

f0e35d7526ac18475f1cfcdd6c772a8c_JaffaCakes118.exe

Resource

win7-20240221-en

xtremerat persistence rat spyware

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

f0e35d7526ac18475f1cfcdd6c772a8c_JaffaCakes118.exe

Resource

win10v2004-20240412-en

xtremerat persistence rat spyware

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

abcdgl.mooo.com

88.net

ƁᏘ캸glhacker.zapto.org

glhacwthackupdate.no-ip.biz

ƁᏘ캸winrarsfx.linkpc.net

winraabcdgl.mooo.com

.net

Targets

- Target
  
  f0e35d7526ac18475f1cfcdd6c772a8c_JaffaCakes118
- Size
  
  211KB
- MD5
  
  f0e35d7526ac18475f1cfcdd6c772a8c
- SHA1
  
  525a6d099216ae252d803f0e47806a55621e6d9e
- SHA256
  
  b9021561415bff1468c140ce32431baf1ee6f94aeacf450634f2b76232055438
- SHA512
  
  923ccad09ede28890165792c9229076ba55683efb989da85dea14048abed45abd8ca40af77d4a086f5701daabbcc6da415e0c737bb98029dfcf411b2a0c3ab0a
- SSDEEP
  
  6144:dqZ7oEYoRAQaUbRZH+CHRSwI7PTn422b4HuwIAXbPZcry+wNKevSK0b4EeU:da7TFUUbRMCf
Score

10^/10

xtremerat persistence rat spyware
- Detect XtremeRAT payload
- Modifies WinLogon for persistence
  persistence
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Adds policy Run key to start application
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xtremeratpersistenceratspyware

behavioral2

xtremeratpersistenceratspyware

© 2018-2024

Terms | Privacy