xtremerat | 38612efa4e3b5ebc8f4f27addf29a09f22e396b5740d13756ade669d270566a7 | Triage

Submit
Reports

Overview

overview

Static

static

3

28826c6108...18.exe

windows7-x64

28826c6108...18.exe

windows10-2004-x64

Sharing

General

Target

28826c6108cf11ed6788c7da2c1b45c8_JaffaCakes118
Size

241KB
Sample

240706-ry6f3atcqd
MD5

28826c6108cf11ed6788c7da2c1b45c8
SHA1

deafc8e402fd077d2eccb3227d047ce963bf9fc6
SHA256

38612efa4e3b5ebc8f4f27addf29a09f22e396b5740d13756ade669d270566a7
SHA512

852bfb3acf9df99281ee382942c6efa9a6683dfc856ef724d7add93d31451c3da1f71ef983037d9cc061b50ae6ecb517b75b03a14e90e2ea943ebb0962ef897d
SSDEEP

6144:0wD02+t2pubXVI6x6DiAdraBCDoAc769/c:0y0r6KXVI64HraByc769k

Score

10^/10

xtremerat persistence rat spyware

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

28826c6108cf11ed6788c7da2c1b45c8_JaffaCakes118.exe

Resource

win7-20240220-en

xtremerat persistence rat spyware

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

28826c6108cf11ed6788c7da2c1b45c8_JaffaCakes118.exe

Resource

win10v2004-20240704-en

xtremerat persistence rat spyware

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

eoeox.no-ip.biz

Targets

- Target
  
  28826c6108cf11ed6788c7da2c1b45c8_JaffaCakes118
- Size
  
  241KB
- MD5
  
  28826c6108cf11ed6788c7da2c1b45c8
- SHA1
  
  deafc8e402fd077d2eccb3227d047ce963bf9fc6
- SHA256
  
  38612efa4e3b5ebc8f4f27addf29a09f22e396b5740d13756ade669d270566a7
- SHA512
  
  852bfb3acf9df99281ee382942c6efa9a6683dfc856ef724d7add93d31451c3da1f71ef983037d9cc061b50ae6ecb517b75b03a14e90e2ea943ebb0962ef897d
- SSDEEP
  
  6144:0wD02+t2pubXVI6x6DiAdraBCDoAc769/c:0y0r6KXVI64HraByc769k
Score

10^/10

xtremerat persistence rat spyware
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xtremeratpersistenceratspyware

behavioral2

xtremeratpersistenceratspyware

© 2018-2024

Terms | Privacy