xtremerat

Sharing

Copy URL

Twitter E-mail

General

Target

b4e12063070e64a2592eccae4aa85bf7_JaffaCakes118
Size

1.9MB
Sample

240821-y1ppnasbql
MD5

b4e12063070e64a2592eccae4aa85bf7
SHA1

f983637dfc6567c8d0f2f6f9f890cb1b9e2e951e
SHA256

b1830c3e13f039852a93dee4a54036a568253d8a73282b8255218cec81f27e7f
SHA512

215012cc6f87fc4d9a8db6f503c75ca1c86bec1df13a87c2fd69f66eef1c816ef9707c09244a2e79e0bea015c445d9eb0b616948eabd9b4e1494ae8213529a2f
SSDEEP

49152:5OZJ+0HLSCXTKMgwy9vxL60akE9P9TX+q+gamIZOuhVqrscZsb:5gHWCjUbx20akETTIRVCU

Score

10^/10

Malware Config

Extracted

Family

xtremerat

yourchance19.no-ip.biz

Targets

- Target
  
  ne-bot/ne-bot beta v.1.1 (x64).exe
- Size
  
  1.1MB
- MD5
  
  ccd462320dcd0eae2437c9fc92bb97cd
- SHA1
  
  db95847f3a592c8959ad381099e20641da350348
- SHA256
  
  6ffdbe1d18a5f9cf4f3f8de9f230a5cb59d9d403df10b2d7eef859a144500412
- SHA512
  
  08061b7fcef132c90f779aaa0f7ff9338e51686769214431fbaee4ef96091f7d22b91483eea8122bca3b242d9c688e22b0d29a469273c95f308f07dc85b64c9c
- SSDEEP
  
  24576:y2DW/xbHX2YIbCQsu3/PNL7Q/Hyc8lOuQ2VdEz43:y2EjXHQsW/PN3Qf1UOuQadEzK
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  ne-bot/ne-bot beta v.1.1 (x86).exe
- Size
  
  596KB
- MD5
  
  8ead6aa52c8f84637c95a64deef536c5
- SHA1
  
  d1e6fd86f7b47ccd11b8ffadc7f74b9721f9bb2e
- SHA256
  
  76ebd0d9944b3557c7f2575ae985774950a00156d84e524dd963986e352222ac
- SHA512
  
  ec878cfbec7e0bac0b9db02c7529e2886639870f255b5a30ba46b49d72e2a86744dd12d0056c4d3a3d700226280cb283c34be5cc6e635619cb5bc16305471166
- SSDEEP
  
  12288:fjkArEN249AyE/rbaMct4bO2/VEU5fXIyNOFF2VdEmmVCPf:MFE//Tct4bOsLQYOz2VdEz43
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  ne-bot/ne-bot edc.dll
- Size
  
  604KB
- MD5
  
  1f55c7c1e338047dc5e329011a781fb3
- SHA1
  
  fbaacc4c5c2a6cf0dfb980a4ba94bbda8e86c723
- SHA256
  
  1fd4a2c44dddce33dec60e13ce3b7315782f310955cc13d7416eb10865a00229
- SHA512
  
  9bab5541d5ce08dda5306835a9069c0db75c2dfc0cc336d57000c4dd276282096ec77df4fa5ab1fcc4f56915c32ca1dc39cbf391eebc80ce59a5b24ee05eac63
- SSDEEP
  
  6144:53iyn569/L1Uc5gAeDOxwfENtHO5JZ5SQV3YwQwnAU1ZOhefo5EJ5:5X5mLWu06UEP0Z5z39jjyao
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  ne-bot/ne-bot.dll
- Size
  
  2.0MB
- MD5
  
  f9e79fa16bac237b5e635f9fcc2a377c
- SHA1
  
  ddfcae2db65bfea608a4f6f6d33bfe588bc0b84e
- SHA256
  
  844f1418e05dfd12a127095c736406bd53e12cf7658cc9fd719c8e5ef6d11348
- SHA512
  
  030d91885e4106e31859000353bdee108044d1d99240fb9b5cc66b154e8548ca8b23ada4d196a176a809daaeb34dcb0c7b2ceaa2424141fb2fee769e761737cd
- SSDEEP
  
  24576:NH4El2AjGSEDLiAq1+C3MNNOCrXHKHn7YJcRaWK7EjhOg4e9:NH17jGSE/C1+pNNbrXHa7YJc4Et/N
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  ne-bot/ne_up.exe
- Size
  
  33KB
- MD5
  
  cbaa5c06c1d253f33980175fa09de48b
- SHA1
  
  17dea142b13a915d4816b1665286d6314ae5026d
- SHA256
  
  2e7fdcac629313ff20d0310564442a641f4371440853c6e60b1e38c55db1baee
- SHA512
  
  671cbfdceeef3f6051d68f358ca1a4213664366c995d691509f6c80b7a54ddea25eb4fdac1dc7d791233cd5ca81617d277b50c1344a05e1dccbc6fda1caa9e8f
- SSDEEP
  
  768:SMuijtHf5g7/IIG3bGcYDBSvFIWuePQtv66lktACxAIBwY:PNW71rcYDAWeotvXlyDxM
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect XtremeRAT payload

Boot or Logon Autostart Execution: Active Setup

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Detect XtremeRAT payload

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

UPX packed file

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Detect XtremeRAT payload

XtremeRAT

Boot or Logon Autostart Execution: Active Setup

UPX packed file

Adds Run key to start application

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10