General
-
Target
44f2b176d49109d497dd2adbee8376bb_JaffaCakes118
-
Size
252KB
-
Sample
241015-awpl4aybrm
-
MD5
44f2b176d49109d497dd2adbee8376bb
-
SHA1
e288dcf13a6faf8a02876340f8a4277fb6031256
-
SHA256
b6c180579747a886eabea186cf0dc2924a94fcaacba5fc2938e4099a9368cf6b
-
SHA512
f2a0bea897dc2fcab309a21d9ce2caff8da39fc9c21a2942cc98ad707a3320d4b64f7e670844b3a178fa2ebe6d4adcb203be4713531850c347b88a4eb3db4d87
-
SSDEEP
1536:YIgtZkCGTDGyG5ThFH/oGP+tfwQomF2uP:/zCGPGyihZ/oftYzmtP
Malware Config
Extracted
xtremerat
service-update1.zapto.org
Targets
-
-
Target
44f2b176d49109d497dd2adbee8376bb_JaffaCakes118
-
Size
252KB
-
MD5
44f2b176d49109d497dd2adbee8376bb
-
SHA1
e288dcf13a6faf8a02876340f8a4277fb6031256
-
SHA256
b6c180579747a886eabea186cf0dc2924a94fcaacba5fc2938e4099a9368cf6b
-
SHA512
f2a0bea897dc2fcab309a21d9ce2caff8da39fc9c21a2942cc98ad707a3320d4b64f7e670844b3a178fa2ebe6d4adcb203be4713531850c347b88a4eb3db4d87
-
SSDEEP
1536:YIgtZkCGTDGyG5ThFH/oGP+tfwQomF2uP:/zCGPGyihZ/oftYzmtP
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1