xtremerat | 758210b041abec8256d65dbf7e223222bcff6f848299425ead942ae4d0eb7e20 | Triage

Submit
Reports

Overview

overview

Static

static

f18b9e3bb5...18.exe

windows7-x64

f18b9e3bb5...18.exe

windows10-2004-x64

Sharing

General

Target

f18b9e3bb58a0262e9620e8aa1d78f18_JaffaCakes118
Size

206KB
Sample

241215-ba58ds1mcm
MD5

f18b9e3bb58a0262e9620e8aa1d78f18
SHA1

4d9606a8cf0d40d56306453d481029acba358517
SHA256

758210b041abec8256d65dbf7e223222bcff6f848299425ead942ae4d0eb7e20
SHA512

c74315c3b155911530fa2ee1433bf393617d087c19ecbb398978fd38462e5830cd1b244e2f4606721ffb454d9693300900f36c43a158a5a1932d68a9a3d51656
SSDEEP

3072:Ndz60Ru+9vLZCnbPeGG1u4nDvhoZK4LpepIjpB:Ng0/tV0bPeGenjhM7jb

Score

10^/10

xtremerat discovery persistence rat spyware upx

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

f18b9e3bb58a0262e9620e8aa1d78f18_JaffaCakes118.exe

Resource

win7-20240903-en

xtremerat discovery persistence rat spyware upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

f18b9e3bb58a0262e9620e8aa1d78f18_JaffaCakes118.exe

Resource

win10v2004-20241007-en

xtremerat discovery persistence rat spyware upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

gamelistview.no-ip.org

Targets

- Target
  
  f18b9e3bb58a0262e9620e8aa1d78f18_JaffaCakes118
- Size
  
  206KB
- MD5
  
  f18b9e3bb58a0262e9620e8aa1d78f18
- SHA1
  
  4d9606a8cf0d40d56306453d481029acba358517
- SHA256
  
  758210b041abec8256d65dbf7e223222bcff6f848299425ead942ae4d0eb7e20
- SHA512
  
  c74315c3b155911530fa2ee1433bf393617d087c19ecbb398978fd38462e5830cd1b244e2f4606721ffb454d9693300900f36c43a158a5a1932d68a9a3d51656
- SSDEEP
  
  3072:Ndz60Ru+9vLZCnbPeGG1u4nDvhoZK4LpepIjpB:Ng0/tV0bPeGenjhM7jb
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspywareupx

behavioral2

xtremeratdiscoverypersistenceratspywareupx

© 2018-2025

Terms | Privacy