General
-
Target
52171c1b12574958a59d8ca87abfada6_JaffaCakes118
-
Size
1.4MB
-
Sample
241017-pxaxnaxfpf
-
MD5
52171c1b12574958a59d8ca87abfada6
-
SHA1
e79f89e3285fc44a8716cc38de70cd0a6a9437b4
-
SHA256
56744b15681e76b326b8d8a51d47a28a3c102bf3bb04c776ad6340f3c86b8f93
-
SHA512
95033c47d22e2371c5746afb519ccfd00f6675b605356b384378f27e3609276809d8fbeea07561320d117108afc3a7d821be0aac7dd7c6fff0d565ae83815853
-
SSDEEP
24576:R9Oq+q3BODItgPHVW0XTD/HkXemkf8Ej9IicA+k9s6po8SCf:R9OJIOZMGD/HQLY9hcAH9Xo8J
Malware Config
Extracted
xtremerat
mody122.no-ip.biz
Targets
-
-
Target
52171c1b12574958a59d8ca87abfada6_JaffaCakes118
-
Size
1.4MB
-
MD5
52171c1b12574958a59d8ca87abfada6
-
SHA1
e79f89e3285fc44a8716cc38de70cd0a6a9437b4
-
SHA256
56744b15681e76b326b8d8a51d47a28a3c102bf3bb04c776ad6340f3c86b8f93
-
SHA512
95033c47d22e2371c5746afb519ccfd00f6675b605356b384378f27e3609276809d8fbeea07561320d117108afc3a7d821be0aac7dd7c6fff0d565ae83815853
-
SSDEEP
24576:R9Oq+q3BODItgPHVW0XTD/HkXemkf8Ej9IicA+k9s6po8SCf:R9OJIOZMGD/HQLY9hcAH9Xo8J
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1