xtremerat | 89eb6d8b59331ae386fb085a32b3e2c05b0b0741f0478d0c9ecab1cd21d2d960 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...03.exe

windows7-x64

JaffaCakes...03.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_b3c7298bcfd539b7e74a169e55017803
Size

125KB
Sample

250207-gq7n2s1pbt
MD5

b3c7298bcfd539b7e74a169e55017803
SHA1

eafbb294d99ad22e712b0dd10e1214d4dc980653
SHA256

89eb6d8b59331ae386fb085a32b3e2c05b0b0741f0478d0c9ecab1cd21d2d960
SHA512

438d27299f900dd46ccb394c24b78a63813cded59cda9370e7b9dc3da86afc3506f0a47cf960836fc26e0f1c2bc829cd517249cc326133480631527e9a3bf2e5
SSDEEP

3072:36tbksgGH7NFlG/FRJ1g/+AN+vZuXcsUvE0bf:qtbkmHDliFRrg/2xuXcjxf

Score

10^/10

xtremerat discovery persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_b3c7298bcfd539b7e74a169e55017803.exe

Resource

win7-20240729-en

xtremerat discovery persistence rat spyware

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_b3c7298bcfd539b7e74a169e55017803.exe

Resource

win10v2004-20250129-en

xtremerat discovery persistence rat spyware

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

vvnv12.no-ip.biz

Targets

- Target
  
  JaffaCakes118_b3c7298bcfd539b7e74a169e55017803
- Size
  
  125KB
- MD5
  
  b3c7298bcfd539b7e74a169e55017803
- SHA1
  
  eafbb294d99ad22e712b0dd10e1214d4dc980653
- SHA256
  
  89eb6d8b59331ae386fb085a32b3e2c05b0b0741f0478d0c9ecab1cd21d2d960
- SHA512
  
  438d27299f900dd46ccb394c24b78a63813cded59cda9370e7b9dc3da86afc3506f0a47cf960836fc26e0f1c2bc829cd517249cc326133480631527e9a3bf2e5
- SSDEEP
  
  3072:36tbksgGH7NFlG/FRJ1g/+AN+vZuXcsUvE0bf:qtbkmHDliFRrg/2xuXcjxf
Score

10^/10

xtremerat discovery persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspyware

behavioral2

xtremeratdiscoverypersistenceratspyware

© 2018-2025

Terms | Privacy