xtremerat

Sharing

Copy URL

Twitter E-mail

General

Target

4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118
Size

457KB
Sample

241016-cl8y4a1hmr
MD5

4af88ef4a6ceca1e24db838015deac2b
SHA1

b0a62cf9928e8d6a424b4d2c962feb127ae0ab5a
SHA256

3b502edbf977c5a629a89dca66683d9f3c79588b47dcf4177fc492fe01187c43
SHA512

8ea3197dc05832b8be3de4b4900af76d989bbbc7645f81966fecfafba3d6acddd79b649037c7169ba4f702d0fdb14d7ec6cd5c460e3b6c5e70dabf64bbe39d3b
SSDEEP

12288:ptCM7BwSFbDUbQqX4l/DfTLZI0l+8Euui04MQp:pNbiX4ljACPfdp

Score

10^/10

Malware Config

Targets

- Target
  
  4af88ef4a6ceca1e24db838015deac2b_JaffaCakes118
- Size
  
  457KB
- MD5
  
  4af88ef4a6ceca1e24db838015deac2b
- SHA1
  
  b0a62cf9928e8d6a424b4d2c962feb127ae0ab5a
- SHA256
  
  3b502edbf977c5a629a89dca66683d9f3c79588b47dcf4177fc492fe01187c43
- SHA512
  
  8ea3197dc05832b8be3de4b4900af76d989bbbc7645f81966fecfafba3d6acddd79b649037c7169ba4f702d0fdb14d7ec6cd5c460e3b6c5e70dabf64bbe39d3b
- SSDEEP
  
  12288:ptCM7BwSFbDUbQqX4l/DfTLZI0l+8Euui04MQp:pNbiX4ljACPfdp
Score

10^/10

xtremerat discovery persistence rat spyware upx
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  c17103ae9072a06da581dec998343fc1
- SHA1
  
  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
  
  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512
  
  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP
  
  192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $TEMP/Nusupumewu.dll
- Size
  
  11KB
- MD5
  
  a5be4fbb8fe08060c779ee7f206f7e40
- SHA1
  
  0d7cd2613abce8133b2f0e6e88cdca345ce7afaa
- SHA256
  
  c01b3508abdfdb58dae16e0de08792a0bb26be7f16d5be9abcbdd3f7fb573810
- SHA512
  
  2db534046d3acb226813dc346923e2ae5eb666f3ce5686a7fb66a893e521bd2d17b6fc2c3c7c09fed351cfe535d441d9d85c44ea3ea154e9de83dc50caca42ae
- SSDEEP
  
  192:UGVXcbL7R1UQQZmy7eY82DX8oDwtOg9yo41uDhqi2svGfKAQNqyQwoE+:UGVeL7R1Jy7luoDOGVsjrdnoE
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  $TEMP/Penamogodiy.dll
- Size
  
  3KB
- MD5
  
  327d5dabafb66291d1203a94a63ef331
- SHA1
  
  d691cb16ec44deafdf02954f3421d2dd24f3f6a7
- SHA256
  
  43f8f8e793c3db3cc526872c8fa847850757e14034b7749da0dfc69589ab176c
- SHA512
  
  4935a6fa8f8a6efe02879c7285ae8bb111f6f937d83c46f77add46ee77686be13e5e28d9f662db7843e45a47787a728a558edd33e808718e5e2e17e4b769ecfe
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  $TEMP/Zomafoyi.dll
- Size
  
  3KB
- MD5
  
  ec2842e7e52ccfe32c3e9a18120b197e
- SHA1
  
  7106a5ba84c41d270948eb7d820322346c55e91b
- SHA256
  
  cfefaef13e409dc106c18947038fde35616b72ba5d7f63a09665e1ece1aa49be
- SHA512
  
  15999656ce30451d3e4fff18062a96aa84b13b68434f7af0fcf3e6fd04971906a85cb144bf2e2a6f7bfb907fd81fd7bf252f0f3823c5b9ef6bf60be6890d873e
Score

3^/10

discovery
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

UPX packed file

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10