xtremerat | 504ef733f5192ed63ab730b6895cdf25a964cee0f4308f63a6cf4d678c77676b | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...36.exe

windows7-x64

JaffaCakes...36.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_671ec688cbd6ea58c6dbc73883e3d036
Size

514KB
Sample

250102-wq5a9azqbz
MD5

671ec688cbd6ea58c6dbc73883e3d036
SHA1

0cf3e68ef37c43f96c5147908901b446f2a634bc
SHA256

504ef733f5192ed63ab730b6895cdf25a964cee0f4308f63a6cf4d678c77676b
SHA512

fbddbdf308767f6361eceb4d9e6ff9e2f7795aea6b49cc0650d90ecf47d207fbd70718e79961f086e7ff3ed1a00d6cbae861b713904466c07a32a31a80d348a3
SSDEEP

6144:gAnDEjA3sVxW6ibaBH31pBukR+amQHifGM3ufJMoVhPaXw966y0Zq:gN26ibaBH8QH2+JbV1agpI

Score

10^/10

xtremerat discovery persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_671ec688cbd6ea58c6dbc73883e3d036.exe

Resource

win7-20241010-en

xtremerat discovery persistence rat spyware

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_671ec688cbd6ea58c6dbc73883e3d036.exe

Resource

win10v2004-20241007-en

xtremerat discovery persistence rat spyware

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

gotti78.no-ip.org

Targets

- Target
  
  JaffaCakes118_671ec688cbd6ea58c6dbc73883e3d036
- Size
  
  514KB
- MD5
  
  671ec688cbd6ea58c6dbc73883e3d036
- SHA1
  
  0cf3e68ef37c43f96c5147908901b446f2a634bc
- SHA256
  
  504ef733f5192ed63ab730b6895cdf25a964cee0f4308f63a6cf4d678c77676b
- SHA512
  
  fbddbdf308767f6361eceb4d9e6ff9e2f7795aea6b49cc0650d90ecf47d207fbd70718e79961f086e7ff3ed1a00d6cbae861b713904466c07a32a31a80d348a3
- SSDEEP
  
  6144:gAnDEjA3sVxW6ibaBH31pBukR+amQHifGM3ufJMoVhPaXw966y0Zq:gN26ibaBH8QH2+JbV1agpI
Score

10^/10

xtremerat discovery persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspyware

behavioral2

xtremeratdiscoverypersistenceratspyware

© 2018-2025

Terms | Privacy