xtremerat | ed592745082654d911f9772af28ab85a29f155a358c8e5bf761f2c58d24ebaaf | Triage

Submit
Reports

Overview

overview

Static

static

3

8e887fd1b8...18.exe

windows7-x64

8e887fd1b8...18.exe

windows10-2004-x64

Sharing

General

Target

8e887fd1b8c409695e6410269e6968a9_JaffaCakes118
Size

4.2MB
Sample

240602-ssmbnsgd69
MD5

8e887fd1b8c409695e6410269e6968a9
SHA1

73284fbd809be6ef0e52fa7caa3ab665e8b68fdb
SHA256

ed592745082654d911f9772af28ab85a29f155a358c8e5bf761f2c58d24ebaaf
SHA512

0205cca408651caef44ffd6cee5f2f7a9ca672648676aa053c10c80d20b1c900233211f35c4edfbe9f089fa7c5e0d75191459670c4f78dae3c9e7412107cbd6d
SSDEEP

98304:S556NtlDeQGxsUtkfM3IkwA7N7a/KrrBqgxstvCBH:SiNtl1GxftIA7UyrkgxmvCV

Score

10^/10

xtremerat persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe

Resource

win7-20240221-en

xtremerat persistence rat spyware

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

8e887fd1b8c409695e6410269e6968a9_JaffaCakes118.exe

Resource

win10v2004-20240226-en

xtremerat persistence rat spyware

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

renansoares1209.ddns.net

Targets

- Target
  
  8e887fd1b8c409695e6410269e6968a9_JaffaCakes118
- Size
  
  4.2MB
- MD5
  
  8e887fd1b8c409695e6410269e6968a9
- SHA1
  
  73284fbd809be6ef0e52fa7caa3ab665e8b68fdb
- SHA256
  
  ed592745082654d911f9772af28ab85a29f155a358c8e5bf761f2c58d24ebaaf
- SHA512
  
  0205cca408651caef44ffd6cee5f2f7a9ca672648676aa053c10c80d20b1c900233211f35c4edfbe9f089fa7c5e0d75191459670c4f78dae3c9e7412107cbd6d
- SSDEEP
  
  98304:S556NtlDeQGxsUtkfM3IkwA7N7a/KrrBqgxstvCBH:SiNtl1GxftIA7UyrkgxmvCV
Score

10^/10

xtremerat persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratpersistenceratspyware

behavioral2

xtremeratpersistenceratspyware

© 2018-2024

Terms | Privacy