xtremerat | d3bb9f49727406153a2aac4a0cab2a809f33b30eb86654b74754e398118718c1 | Triage

Submit
Reports

Overview

overview

Static

static

3

b0d5c8abba...18.exe

windows7-x64

b0d5c8abba...18.exe

windows10-2004-x64

Sharing

General

Target

b0d5c8abbaa4625087a2a43e00a6d47a_JaffaCakes118
Size

122KB
Sample

241129-m67lwawrhl
MD5

b0d5c8abbaa4625087a2a43e00a6d47a
SHA1

c42adfb169b90be84add9387ba875ab5cbcf638d
SHA256

d3bb9f49727406153a2aac4a0cab2a809f33b30eb86654b74754e398118718c1
SHA512

44fda4b602621954ccd522f0f3df046869e8e49447ca13fe3ebc738635d713d3686fab6b68dd0719dacfbd158e3bb8a8b7f042632297e7ffedaa26eecc2eeb1c
SSDEEP

3072:kCjAjjkir/I3l/hOhc6APDhOSnqt0YMcqxShc:XqR4yxAbgmUeS

Score

10^/10

xtremerat discovery persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b0d5c8abbaa4625087a2a43e00a6d47a_JaffaCakes118.exe

Resource

win7-20241010-en

xtremerat discovery persistence rat spyware upx

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

b0d5c8abbaa4625087a2a43e00a6d47a_JaffaCakes118.exe

Resource

win10v2004-20241007-en

xtremerat discovery persistence rat spyware upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

zipitru.no-ip.org

Targets

- Target
  
  b0d5c8abbaa4625087a2a43e00a6d47a_JaffaCakes118
- Size
  
  122KB
- MD5
  
  b0d5c8abbaa4625087a2a43e00a6d47a
- SHA1
  
  c42adfb169b90be84add9387ba875ab5cbcf638d
- SHA256
  
  d3bb9f49727406153a2aac4a0cab2a809f33b30eb86654b74754e398118718c1
- SHA512
  
  44fda4b602621954ccd522f0f3df046869e8e49447ca13fe3ebc738635d713d3686fab6b68dd0719dacfbd158e3bb8a8b7f042632297e7ffedaa26eecc2eeb1c
- SSDEEP
  
  3072:kCjAjjkir/I3l/hOhc6APDhOSnqt0YMcqxShc:XqR4yxAbgmUeS
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspywareupx

behavioral2

xtremeratdiscoverypersistenceratspywareupx

© 2018-2024

Terms | Privacy