xtremerat | d5c7d6b7907e39b9cdc074d4ce7f6a5ba275d0aeb1f16f350524f5d63c818c45 | Triage

Submit
Reports

Overview

overview

Static

static

3

279a3c39ab...18.exe

windows7-x64

279a3c39ab...18.exe

windows10-2004-x64

Sharing

General

Target

279a3c39abc126fed0b3f4a99fbe8267_JaffaCakes118
Size

1.2MB
Sample

240706-hhnfwayhpm
MD5

279a3c39abc126fed0b3f4a99fbe8267
SHA1

10ef159a408759dae475452754bf8305163751ce
SHA256

d5c7d6b7907e39b9cdc074d4ce7f6a5ba275d0aeb1f16f350524f5d63c818c45
SHA512

98d764b324cb13559e120b15d7066f72db2ddef90809e36bd1805b95bb40c2407465a6c9bbf5348e4dec6eb75fdaed175ef2d4544cfb774edca404c60cdedc60
SSDEEP

24576:xXGL++sj6vOQ5uVq1gpLiV+JvO1rPBoWK+LuuEW+97iLCkZVBpqvx:Gg6l5upLijBot+6FDJidVjex

Score

10^/10

xtremerat persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

279a3c39abc126fed0b3f4a99fbe8267_JaffaCakes118.exe

Resource

win7-20240704-en

xtremerat persistence rat spyware upx

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

279a3c39abc126fed0b3f4a99fbe8267_JaffaCakes118.exe

Resource

win10v2004-20240704-en

xtremerat persistence rat spyware upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  279a3c39abc126fed0b3f4a99fbe8267_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  279a3c39abc126fed0b3f4a99fbe8267
- SHA1
  
  10ef159a408759dae475452754bf8305163751ce
- SHA256
  
  d5c7d6b7907e39b9cdc074d4ce7f6a5ba275d0aeb1f16f350524f5d63c818c45
- SHA512
  
  98d764b324cb13559e120b15d7066f72db2ddef90809e36bd1805b95bb40c2407465a6c9bbf5348e4dec6eb75fdaed175ef2d4544cfb774edca404c60cdedc60
- SSDEEP
  
  24576:xXGL++sj6vOQ5uVq1gpLiV+JvO1rPBoWK+LuuEW+97iLCkZVBpqvx:Gg6l5upLijBot+6FDJidVjex
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xtremeratpersistenceratspywareupx

behavioral2

xtremeratpersistenceratspywareupx

© 2018-2024

Terms | Privacy