General
-
Target
e2bfbbedddbcdcf5024d06535cddf686f07e333ce02f9d30bf7eb161f9795780.exe
-
Size
668KB
-
Sample
250108-vsvzxsyphj
-
MD5
ba7db8d448abf54ac01c1d21245f40f3
-
SHA1
84dbfcd6f5a77b3cf2237c8fbd2609c62200bf8b
-
SHA256
e2bfbbedddbcdcf5024d06535cddf686f07e333ce02f9d30bf7eb161f9795780
-
SHA512
5e646b4952e000c2bdc6e2c12ad6635875ba1a8fdf8eec2520a7e5411f215728ed85b6ec6d8ce3836947499f49e8bc14bc10e297ed153ed194bcb2d727de7e50
-
SSDEEP
12288:POqBSJNJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYpM:2CScE7z193Rit8UJ62BmhgoM
Malware Config
Extracted
xtremerat
gkl7.no-ip.biz
Targets
-
-
Target
e2bfbbedddbcdcf5024d06535cddf686f07e333ce02f9d30bf7eb161f9795780.exe
-
Size
668KB
-
MD5
ba7db8d448abf54ac01c1d21245f40f3
-
SHA1
84dbfcd6f5a77b3cf2237c8fbd2609c62200bf8b
-
SHA256
e2bfbbedddbcdcf5024d06535cddf686f07e333ce02f9d30bf7eb161f9795780
-
SHA512
5e646b4952e000c2bdc6e2c12ad6635875ba1a8fdf8eec2520a7e5411f215728ed85b6ec6d8ce3836947499f49e8bc14bc10e297ed153ed194bcb2d727de7e50
-
SSDEEP
12288:POqBSJNJ/+EkGz1lr3nxGteN4r3t8UOGz624SitfLmygYpM:2CScE7z193Rit8UJ62BmhgoM
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1