xtremerat | 8404c0bbedfd037d0a9587ae53e14610451dcf3dd8aaad0319347018a736bfd1 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...3f.exe

windows7-x64

JaffaCakes...3f.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_0201068d419420a99c289f33877a243f
Size

830KB
Sample

250121-evh55swlem
MD5

0201068d419420a99c289f33877a243f
SHA1

a2e32a2e97652728ab2add67f3f407ed79bffd7b
SHA256

8404c0bbedfd037d0a9587ae53e14610451dcf3dd8aaad0319347018a736bfd1
SHA512

9e9b316238d379b63e92f38d820a4c6f86f324400b189f5684a814a59a5bbf6bcd23e2f4fe6f921818ae9fbedf522fb72c02369d4d7f75ff66d6a400138a2458
SSDEEP

12288:v0sGCE4zBreayZpL3LaMv89OWOLVVF3B4oLPmolWNotd4/TAU/xoqLPay1odbm5n:RGsBrYZ5r5VT+ogHNfLPjQbm5Xaz0Ld

Score

10^/10

xtremerat bootkit defense_evasion discovery persistence rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_0201068d419420a99c289f33877a243f.exe

Resource

win7-20240903-en

xtremerat bootkit defense_evasion discovery persistence rat spyware trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_0201068d419420a99c289f33877a243f.exe

Resource

win10v2004-20241007-en

xtremerat bootkit defense_evasion discovery persistence rat spyware

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

michexx.no-ip.org

Targets

- Target
  
  JaffaCakes118_0201068d419420a99c289f33877a243f
- Size
  
  830KB
- MD5
  
  0201068d419420a99c289f33877a243f
- SHA1
  
  a2e32a2e97652728ab2add67f3f407ed79bffd7b
- SHA256
  
  8404c0bbedfd037d0a9587ae53e14610451dcf3dd8aaad0319347018a736bfd1
- SHA512
  
  9e9b316238d379b63e92f38d820a4c6f86f324400b189f5684a814a59a5bbf6bcd23e2f4fe6f921818ae9fbedf522fb72c02369d4d7f75ff66d6a400138a2458
- SSDEEP
  
  12288:v0sGCE4zBreayZpL3LaMv89OWOLVVF3B4oLPmolWNotd4/TAU/xoqLPay1odbm5n:RGsBrYZ5r5VT+ogHNfLPjQbm5Xaz0Ld
Score

10^/10

xtremerat bootkit defense_evasion discovery persistence rat spyware trojan
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  defense_evasion
- Checks whether UAC is enabled
  defense_evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratbootkitdefense_evasiondiscoverypersistenceratspywaretrojan

behavioral2

xtremeratbootkitdefense_evasiondiscoverypersistenceratspyware

© 2018-2025

Terms | Privacy