xtremerat | a056f867a236bbaff94e7da81355ac0725aefb5a41376f42ce06eb938af6211b | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...3d.exe

windows7-x64

JaffaCakes...3d.exe

windows10-2004-x64

Resubmissions

12-01-2025 15:48

250112-s8223aykfx 10

12-01-2025 15:35

250112-s1cgfaxqhx 10

Sharing

General

Target

JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d
Size

171KB
Sample

250112-s1cgfaxqhx
MD5

1227b76e0d09be1a3189f997f0096e3d
SHA1

d1fa42ace2868175e1d7f8d026caab4e8c09bfb1
SHA256

a056f867a236bbaff94e7da81355ac0725aefb5a41376f42ce06eb938af6211b
SHA512

08ad3059abf619b7175c65644b8adc5c1ce00a4800b703b9d9bbe52032d3a756c1abe9f35f1c533c820c9ab61a41962b6128b9edcdd0d9dd2e424dea10357b19
SSDEEP

3072:lxexkMNY+4n8iVMMS73Gso2APwDsvZMQ0rX8Zv:D6k/+4nNv9vIDZf41

Score

10^/10

xtremerat discovery persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe

Resource

win7-20240903-en

xtremerat discovery persistence rat spyware upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d.exe

Resource

win10v2004-20241007-en

xtremerat discovery persistence rat spyware upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  JaffaCakes118_1227b76e0d09be1a3189f997f0096e3d
- Size
  
  171KB
- MD5
  
  1227b76e0d09be1a3189f997f0096e3d
- SHA1
  
  d1fa42ace2868175e1d7f8d026caab4e8c09bfb1
- SHA256
  
  a056f867a236bbaff94e7da81355ac0725aefb5a41376f42ce06eb938af6211b
- SHA512
  
  08ad3059abf619b7175c65644b8adc5c1ce00a4800b703b9d9bbe52032d3a756c1abe9f35f1c533c820c9ab61a41962b6128b9edcdd0d9dd2e424dea10357b19
- SSDEEP
  
  3072:lxexkMNY+4n8iVMMS73Gso2APwDsvZMQ0rX8Zv:D6k/+4nNv9vIDZf41
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspywareupx

behavioral2

xtremeratdiscoverypersistenceratspywareupx

© 2018-2025

Terms | Privacy