General
-
Target
JaffaCakes118_1a704d92413666a465d3c63c405beb8b
-
Size
186KB
-
Sample
250112-2ze1lswmdr
-
MD5
1a704d92413666a465d3c63c405beb8b
-
SHA1
2798649c01671af2a93bd6677027040c4579a4ae
-
SHA256
2c64e8865e65ed7bc07f8e930e2b75e8ba231e125600cad27d1381a77c070f5d
-
SHA512
e605b46dad4d2a7a139496efda294338a8d8ff12f7dbd932a9640e5be8d3fe8902abaf75f684f3b94d9cb0067e509a063b89d8809bc76cdd192fed3c99a12c45
-
SSDEEP
3072:WyONZz0y6eZkGkBeLNSEl6Dmn7wzQipOvcZG:WyONZF2GMBEQuwzrp9G
Malware Config
Extracted
xtremerat
hissain11.no-ip.biz
Targets
-
-
Target
JaffaCakes118_1a704d92413666a465d3c63c405beb8b
-
Size
186KB
-
MD5
1a704d92413666a465d3c63c405beb8b
-
SHA1
2798649c01671af2a93bd6677027040c4579a4ae
-
SHA256
2c64e8865e65ed7bc07f8e930e2b75e8ba231e125600cad27d1381a77c070f5d
-
SHA512
e605b46dad4d2a7a139496efda294338a8d8ff12f7dbd932a9640e5be8d3fe8902abaf75f684f3b94d9cb0067e509a063b89d8809bc76cdd192fed3c99a12c45
-
SSDEEP
3072:WyONZz0y6eZkGkBeLNSEl6Dmn7wzQipOvcZG:WyONZF2GMBEQuwzrp9G
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1