xtremerat | 688fd01cfe4002cfa253a19cdea3d021d2bc99b5883594e8ab77d9b0a5c817ab | Triage

Submit
Reports

Overview

overview

Static

static

5

manifest.rtf.scr

windows10-2004-x64

Sharing

General

Target

JaffaCakes118_b1c5fae1c9c9bfcbf404ee77d8b75f55
Size

436KB
Sample

250412-k49x4s1yd1
MD5

b1c5fae1c9c9bfcbf404ee77d8b75f55
SHA1

677644bf44c131211d96b317c2d156f748aa73f2
SHA256

688fd01cfe4002cfa253a19cdea3d021d2bc99b5883594e8ab77d9b0a5c817ab
SHA512

156cdaed9505900d854fbae58178d24c7c65071861346be46d7e1a17c1557b57a3d3e8e552307878dad38876492fc41ab00deabb3b14b3986271fada1a2d6b1a
SSDEEP

12288:eoLwNZ2hwIU6ki8rxLqohFPjcKcPxyRxvLCU:wNZj6z8rxLq66peFLCU

Score

10^/10

xtremerat discovery persistence rat spyware

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

manifest.rtf.scr

Resource

win10v2004-20250410-en

xtremerat discovery persistence rat spyware

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

xialscox.no-ip.org

$xialscox.no-ip.org

Targets

- Target
  
  manifest.rtf.scr
- Size
  
  907KB
- MD5
  
  71c5d618ca7c23f9a047a09ff1e85439
- SHA1
  
  94a8f295935cad0cd03017b23ce115931f7c13f6
- SHA256
  
  0e9b42ef9a5663d38c5cf3161488086a36e04834a6b231bf87486efa56081e3a
- SHA512
  
  950683cb16158c461a68cc61f890492492d9eb25a2fd4a0712ded084d1d4b98dbcef80c3de14f0670cc44fd0c68c9cf9252e752a5cbc93b7dcf22f90b141b701
- SSDEEP
  
  12288:2hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a0CI5YRBuhI0SjxXt3M1h:mRmJkcoQricOIQxiZY1ianaYCuxy1h
Score

10^/10

xtremerat discovery persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Xtremerat family
  xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xtremeratdiscoverypersistenceratspyware

© 2018-2025

Terms | Privacy