General
-
Target
856d1b755add5c9016d5e4af9e45277d_JaffaCakes118
-
Size
136KB
-
Sample
241102-pnm6mawrhl
-
MD5
856d1b755add5c9016d5e4af9e45277d
-
SHA1
9379d76254ee7020733fd495cfa78971a7932826
-
SHA256
e72c74b7c2e5e2f63402c74749916d8a648e1eb6f4626eecea091fbe414adf32
-
SHA512
5762c5057551367cd846e5a25c3acadad8a9331be53e7c912263e0925b29067a9ef7b80ddf1544edc36833c8382bb90c6973ee04de041cce50e9c05ceb534bc5
-
SSDEEP
3072:y/v7xIj0jsCpawDs6tIyyXpPUMbjFhx00Jw6y4ozpgaY:wdJjrpq6Cyy5cqFgqw6WNg9
Malware Config
Extracted
xtremerat
hbooob2.no-ip.biz
Targets
-
-
Target
856d1b755add5c9016d5e4af9e45277d_JaffaCakes118
-
Size
136KB
-
MD5
856d1b755add5c9016d5e4af9e45277d
-
SHA1
9379d76254ee7020733fd495cfa78971a7932826
-
SHA256
e72c74b7c2e5e2f63402c74749916d8a648e1eb6f4626eecea091fbe414adf32
-
SHA512
5762c5057551367cd846e5a25c3acadad8a9331be53e7c912263e0925b29067a9ef7b80ddf1544edc36833c8382bb90c6973ee04de041cce50e9c05ceb534bc5
-
SSDEEP
3072:y/v7xIj0jsCpawDs6tIyyXpPUMbjFhx00Jw6y4ozpgaY:wdJjrpq6Cyy5cqFgqw6WNg9
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1