xtremerat | bffaaa5f1a96f135524630d67c944bf297e81009e45a26aea5ce6ce8db896de6 | Triage

Sharing

General

Target

673cba7b91b43866a8e63bccb4163df2_JaffaCakes118
Size

125KB
Sample

241021-y5me4awdrq
MD5

673cba7b91b43866a8e63bccb4163df2
SHA1

78829d73bf718b98829a780fae4079123fa10003
SHA256

bffaaa5f1a96f135524630d67c944bf297e81009e45a26aea5ce6ce8db896de6
SHA512

a709ef8d3b54c7f605de11dd5e4b7f6a7b71c848645f7aac162a69b77bd8575506643f36a6ffd1cbac066963c594cdd5cc1df790e4876faf676e8d777318d879
SSDEEP

3072:FGNW7dEvotvXjz1brx4Dn6J7VYvDhCHR05sJ+gtN5:FGNW7mvIfRWnpLha05s5X

Score

10^/10

xtremerat discovery evasion persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

C2

the-looord.no-ip.biz

Targets

- Target
  
  673cba7b91b43866a8e63bccb4163df2_JaffaCakes118
- Size
  
  125KB
- MD5
  
  673cba7b91b43866a8e63bccb4163df2
- SHA1
  
  78829d73bf718b98829a780fae4079123fa10003
- SHA256
  
  bffaaa5f1a96f135524630d67c944bf297e81009e45a26aea5ce6ce8db896de6
- SHA512
  
  a709ef8d3b54c7f605de11dd5e4b7f6a7b71c848645f7aac162a69b77bd8575506643f36a6ffd1cbac066963c594cdd5cc1df790e4876faf676e8d777318d879
- SSDEEP
  
  3072:FGNW7dEvotvXjz1brx4Dn6J7VYvDhCHR05sJ+gtN5:FGNW7mvIfRWnpLha05s5X
Score

10^/10

xtremerat discovery persistence rat spyware upx evasion
- Detect XtremeRAT payload
- Modifies firewall policy service
  evasion
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspywareupx

behavioral2

xtremeratdiscoveryevasionpersistenceratspywareupx