General
-
Target
JaffaCakes118_19c6137aa628f7609a4872806b56d8d3
-
Size
260KB
-
Sample
250123-wlrjlazkbq
-
MD5
19c6137aa628f7609a4872806b56d8d3
-
SHA1
33894ab48b82e08944b40d4a283d86ad518a2075
-
SHA256
ba1fd444c412ae02cce7d8b24e98123fe9f602c16a782b6abdee618132d0ae01
-
SHA512
f297c5d9ba3c9c791755ed5c2efecf119bd4935d74a472aeb81951ca36bd2898e176b007723e53dd33aa08ee85a2948bd24b49d183719f6f9b542d980cc87ec4
-
SSDEEP
3072:ydFZqXvnQfnWONHaXLb4zY230aL8Inluf/YpFtpmm+z5/r2pDhyCsSLQjfhZPiFY:V4kSY29iOMLYUeA9hBRS6VOKXMh2H
Malware Config
Extracted
xtremerat
hacked1.no-ip.biz
䖹ᙑ䟚hacked1.no-ip.biz
Targets
-
-
Target
JaffaCakes118_19c6137aa628f7609a4872806b56d8d3
-
Size
260KB
-
MD5
19c6137aa628f7609a4872806b56d8d3
-
SHA1
33894ab48b82e08944b40d4a283d86ad518a2075
-
SHA256
ba1fd444c412ae02cce7d8b24e98123fe9f602c16a782b6abdee618132d0ae01
-
SHA512
f297c5d9ba3c9c791755ed5c2efecf119bd4935d74a472aeb81951ca36bd2898e176b007723e53dd33aa08ee85a2948bd24b49d183719f6f9b542d980cc87ec4
-
SSDEEP
3072:ydFZqXvnQfnWONHaXLb4zY230aL8Inluf/YpFtpmm+z5/r2pDhyCsSLQjfhZPiFY:V4kSY29iOMLYUeA9hBRS6VOKXMh2H
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Xtremerat family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1