xtremerat | 0025d2cfd176a329463e1fc7e95dccf9968ceb15ce182f5f4c737c121a100a20 | Triage

Submit
Reports

Overview

overview

Static

static

3

JaffaCakes...d2.exe

windows7-x64

JaffaCakes...d2.exe

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_f0a6901ad87a4a749755d5f77941a8d2
Size

434KB
Sample

250212-qp3s5ssqek
MD5

f0a6901ad87a4a749755d5f77941a8d2
SHA1

12ba6faee244bfb0e13f90db099006976eeeb775
SHA256

0025d2cfd176a329463e1fc7e95dccf9968ceb15ce182f5f4c737c121a100a20
SHA512

0db89c497d77c27976867939617b0eadb69e595495fa8b35ddaf45adefef25194bea70817897d205a56caa54f4bca49d26c306818e23ce3a3c4e1bd28d24906b
SSDEEP

6144:+1uhZU6qBAf0olQ85EQPUcAcXnIgK54IQzeeeL4/J:+1uQpGfhllW2pIgKKM4x

Score

10^/10

xtremerat discovery persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

JaffaCakes118_f0a6901ad87a4a749755d5f77941a8d2.exe

Resource

win7-20240903-en

xtremerat discovery persistence rat spyware upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

JaffaCakes118_f0a6901ad87a4a749755d5f77941a8d2.exe

Resource

win10v2004-20250207-en

xtremerat discovery persistence rat spyware upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

ayada.dyndns.biz

Targets

- Target
  
  JaffaCakes118_f0a6901ad87a4a749755d5f77941a8d2
- Size
  
  434KB
- MD5
  
  f0a6901ad87a4a749755d5f77941a8d2
- SHA1
  
  12ba6faee244bfb0e13f90db099006976eeeb775
- SHA256
  
  0025d2cfd176a329463e1fc7e95dccf9968ceb15ce182f5f4c737c121a100a20
- SHA512
  
  0db89c497d77c27976867939617b0eadb69e595495fa8b35ddaf45adefef25194bea70817897d205a56caa54f4bca49d26c306818e23ce3a3c4e1bd28d24906b
- SSDEEP
  
  6144:+1uhZU6qBAf0olQ85EQPUcAcXnIgK54IQzeeeL4/J:+1uQpGfhllW2pIgKKM4x
Score

10^/10

xtremerat discovery persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspywareupx

behavioral2

xtremeratdiscoverypersistenceratspywareupx

© 2018-2025

Terms | Privacy