General
-
Target
fc053ada5723297ca0ce1be6c0c2b92fd88142b3e0129b960324f3181d3d1222N
-
Size
2.2MB
-
Sample
241109-jynl9a1cmf
-
MD5
5ddbadc6f921bba27a37344cb4592630
-
SHA1
ccb97f90cdad3d4b114b294a3d0b46912b131b1a
-
SHA256
fc053ada5723297ca0ce1be6c0c2b92fd88142b3e0129b960324f3181d3d1222
-
SHA512
5e74c48f4d6ba1f88f9bc4cca7370e537fe593b95acbb37f5c6a112d96b1f1f76d8a7c24595ccbb00f6525a9e897d14faab4b72f0a76b3d8a2261aacffcdc761
-
SSDEEP
49152:jhbmmP3okl2d47ZDmNpgkWMzvKi5TJfszSNG1f16IAE9ZqxAv6:ZmmvoN6GgkWUv15TVsONG1f1lXJv6
Malware Config
Extracted
xtremerat
no.myftp.org
Targets
-
-
Target
fc053ada5723297ca0ce1be6c0c2b92fd88142b3e0129b960324f3181d3d1222N
-
Size
2.2MB
-
MD5
5ddbadc6f921bba27a37344cb4592630
-
SHA1
ccb97f90cdad3d4b114b294a3d0b46912b131b1a
-
SHA256
fc053ada5723297ca0ce1be6c0c2b92fd88142b3e0129b960324f3181d3d1222
-
SHA512
5e74c48f4d6ba1f88f9bc4cca7370e537fe593b95acbb37f5c6a112d96b1f1f76d8a7c24595ccbb00f6525a9e897d14faab4b72f0a76b3d8a2261aacffcdc761
-
SSDEEP
49152:jhbmmP3okl2d47ZDmNpgkWMzvKi5TJfszSNG1f16IAE9ZqxAv6:ZmmvoN6GgkWUv15TVsONG1f1lXJv6
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1