xtremerat

General

Target

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N
Size

809KB
Sample

241027-r6rb4swmhj
MD5

4a06d9989a8c3a9967c2011e5baf3010
SHA1

d049b12303d0aad48a5868a1050d82ded68272d4
SHA256

32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2
SHA512

09d6140a6781d700b6c5d0454add34a3d655eedc1615331d8362692059aff186da4b3543f96699ff0071ea185e81c5c4971e0d3b394ed970ed49651b38184686
SSDEEP

12288:fxaVAh64U5lwEO6MlJpy5RP5kOn9KdyYUkdve8LUj8dDwZX4ofxYlp0+EudGw9MZ:fxaVxr5+EkybBb4U028dDwjeDdT9NQ

Score

10^/10

Malware Config

Extracted

Family

xtremerat

C2

good.zapto.org

Targets

- Target
  
  32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2N
- Size
  
  809KB
- MD5
  
  4a06d9989a8c3a9967c2011e5baf3010
- SHA1
  
  d049b12303d0aad48a5868a1050d82ded68272d4
- SHA256
  
  32c488d34de5e6f88eb5e97169fae4d12d519e521e277c020b1a41b300badad2
- SHA512
  
  09d6140a6781d700b6c5d0454add34a3d655eedc1615331d8362692059aff186da4b3543f96699ff0071ea185e81c5c4971e0d3b394ed970ed49651b38184686
- SSDEEP
  
  12288:fxaVAh64U5lwEO6MlJpy5RP5kOn9KdyYUkdve8LUj8dDwZX4ofxYlp0+EudGw9MZ:fxaVxr5+EkybBb4U028dDwjeDdT9NQ
Score

10^/10

xtremerat discovery persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect XtremeRAT payload

Xtremerat family

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2