xtremerat | 4fba0fc853adba3582d93668c1b2c3ad866a6f3e71a8b21959ab3ea0a6b25754 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...4c.exe

windows7-x64

7

JaffaCakes...4c.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c
Size

316KB
Sample

250211-3ng69svkbq
MD5

eb31879ac63a3dc0144f9dc39249604c
SHA1

55a18ae6ecfe0712c28358cd1e0da4f73f5e4b70
SHA256

4fba0fc853adba3582d93668c1b2c3ad866a6f3e71a8b21959ab3ea0a6b25754
SHA512

586976b740370348dc6fc7543a300505d672e14e3b01ec84f91cfe9aab377841e4ae50350c88e07ab27a3bd0fa355c5ecdd5df7bf7e1e79508594c52c7e34c5a
SSDEEP

6144:8/0uozFBzSG3w8biEJxIB/YrEamFTJZhLPdVEveT4Kpa7:8JoFBzxw0ijSEldZxdWve0ea7

Score

10^/10

xtremerat discovery persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe

Resource

win7-20250207-en

discovery persistence upx

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c.exe

Resource

win10v2004-20250207-en

xtremerat discovery persistence rat spyware upx

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

elamr.no-ip.org

Targets

- Target
  
  JaffaCakes118_eb31879ac63a3dc0144f9dc39249604c
- Size
  
  316KB
- MD5
  
  eb31879ac63a3dc0144f9dc39249604c
- SHA1
  
  55a18ae6ecfe0712c28358cd1e0da4f73f5e4b70
- SHA256
  
  4fba0fc853adba3582d93668c1b2c3ad866a6f3e71a8b21959ab3ea0a6b25754
- SHA512
  
  586976b740370348dc6fc7543a300505d672e14e3b01ec84f91cfe9aab377841e4ae50350c88e07ab27a3bd0fa355c5ecdd5df7bf7e1e79508594c52c7e34c5a
- SSDEEP
  
  6144:8/0uozFBzSG3w8biEJxIB/YrEamFTJZhLPdVEveT4Kpa7:8JoFBzxw0ijSEldZxdWve0ea7
Score

10^/10

discovery persistence upx xtremerat rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceupx

behavioral2

xtremeratdiscoverypersistenceratspywareupx

© 2018-2025

Terms | Privacy