xtremerat

Sharing

Copy URL

Twitter E-mail

General

Target

355f0c922b2efadca99bba365abcc99d_JaffaCakes118
Size

443KB
Sample

241011-saf2yatakr
MD5

355f0c922b2efadca99bba365abcc99d
SHA1

2be8b4795a73cc4a7ffe0dfb0b5d14fea1ae745d
SHA256

e146e730603dc35dbd9676292fa24bd27043927b8a8e51a41aeafcf20a0274d6
SHA512

d3c44a057ff402a61e77c2778e2699a29db0e7d89914cadd7478b47df0507861b839e5432d2b4e1f2ac99686d7ba5a754a4abe3afd5ebdef18e6c9736f062f4c
SSDEEP

12288:+qvd7TxMNVCvJexkoLLT2e/Dx0bHE9brK4pC93vJ:+qNxMN8vJcjLLT2eLxe+JwtvJ

Score

10^/10

Malware Config

Targets

- Target
  
  355f0c922b2efadca99bba365abcc99d_JaffaCakes118
- Size
  
  443KB
- MD5
  
  355f0c922b2efadca99bba365abcc99d
- SHA1
  
  2be8b4795a73cc4a7ffe0dfb0b5d14fea1ae745d
- SHA256
  
  e146e730603dc35dbd9676292fa24bd27043927b8a8e51a41aeafcf20a0274d6
- SHA512
  
  d3c44a057ff402a61e77c2778e2699a29db0e7d89914cadd7478b47df0507861b839e5432d2b4e1f2ac99686d7ba5a754a4abe3afd5ebdef18e6c9736f062f4c
- SSDEEP
  
  12288:+qvd7TxMNVCvJexkoLLT2e/Dx0bHE9brK4pC93vJ:+qNxMN8vJcjLLT2eLxe+JwtvJ
Score

10^/10

xtremerat discovery persistence rat spyware upx
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $TEMP/Yipaparopip.dll
- Size
  
  4KB
- MD5
  
  8c2d927ad3d4122ffce2ec017511346f
- SHA1
  
  c9de4693006190b42b6cdb64fa1bf1f2a6f20dd9
- SHA256
  
  d48ce7c3f7e8dde461c3e6ab094c219b274865ff8bb45b48bc9787bd84df5282
- SHA512
  
  203895334640b4b5051702a9a6c9494917695295ac1d600bd697de2f15c40887e4ad5ce721753afdcdacc332aee71a2805671a1da0ab891c9281d2725c744def
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $TEMP/kilajiboxaz.dll
- Size
  
  3KB
- MD5
  
  c59eec013266dca85084fbf25873c1b1
- SHA1
  
  a3485cfa01e16290596f8582074f8f99299181f0
- SHA256
  
  4768c4906f70aea55489569e6ecec2d537909dc56cfb7e95f0928f76c65ad779
- SHA512
  
  ead586254e84e594e0cc44718bae1950bd340d563c440c991ec10f6249d78493cd690f7c5aeb47fd0b294642df70fe7d0792b18adbfde4801d57dcfedd0e8464
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $TEMP/xumusukezel.dll
- Size
  
  11KB
- MD5
  
  a5ddfed34e1bc07bc1def60ea15fc7b4
- SHA1
  
  a6c091b576386ec987e1217ef44a952f705395e5
- SHA256
  
  25acb7776cbb8f8ace077bb83a4f2f998d5549c4967beda373d5e7ed26d99511
- SHA512
  
  a4c5ed24f1ccf48681086165a01ee2d370fbac8d3fa268432640cb6b5f682b2fe702fe0c30746244c0a3f1f25305f9ff508c9815cb3aa7635444f08d1264eb47
- SSDEEP
  
  192:sA+Q2Vg9WN2BEJiikgImN64xgefo98xfSRwQt4DM:N2i9WNUzCVxg78xfSaJM
Score

3^/10

discovery
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10