xtremerat | 72b8181a2d08aa6ff948db88de8913fe8a2606346331b98bafc690df4aa66207 | Triage

Submit
Reports

Overview

overview

Static

static

3

2a1b197690...18.exe

windows7-x64

2a1b197690...18.exe

windows10-2004-x64

Sharing

General

Target

2a1b197690954af6e421b92d29e74396_JaffaCakes118
Size

84KB
Sample

240707-2383vs1bpl
MD5

2a1b197690954af6e421b92d29e74396
SHA1

3244f321fb8cab8f3e4695a240c92f85e45acf7f
SHA256

72b8181a2d08aa6ff948db88de8913fe8a2606346331b98bafc690df4aa66207
SHA512

0be84d5f574e492ce12ffc0e1d061e2da5ff583b9afee018e6483379231f33bc8871b7d2e4390d2448d64b9eb47b5d703bd7fbfa8484df16ff1ca832da51eec7
SSDEEP

1536:erhU7XNDz5Zwk4aGHuhbpJaOBRZsf4TFlW0MSWJpWZgI:ey7dX5ZwNjuvJa+RCwTFlML+

Score

10^/10

xtremerat persistence rat spyware upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

2a1b197690954af6e421b92d29e74396_JaffaCakes118.exe

Resource

win7-20240704-en

xtremerat persistence rat spyware upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

2a1b197690954af6e421b92d29e74396_JaffaCakes118.exe

Resource

win10v2004-20240508-en

xtremerat persistence rat spyware upx

windows10-2004-x64

8 signatures

150 seconds

Malware Config

Extracted

Family

xtremerat

C2

mahdidi.zapto.org

Label123vivalgerie.no-ip.biz

Targets

- Target
  
  2a1b197690954af6e421b92d29e74396_JaffaCakes118
- Size
  
  84KB
- MD5
  
  2a1b197690954af6e421b92d29e74396
- SHA1
  
  3244f321fb8cab8f3e4695a240c92f85e45acf7f
- SHA256
  
  72b8181a2d08aa6ff948db88de8913fe8a2606346331b98bafc690df4aa66207
- SHA512
  
  0be84d5f574e492ce12ffc0e1d061e2da5ff583b9afee018e6483379231f33bc8871b7d2e4390d2448d64b9eb47b5d703bd7fbfa8484df16ff1ca832da51eec7
- SSDEEP
  
  1536:erhU7XNDz5Zwk4aGHuhbpJaOBRZsf4TFlW0MSWJpWZgI:ey7dX5ZwNjuvJa+RCwTFlML+
Score

10^/10

xtremerat persistence rat spyware upx
- Detect XtremeRAT payload
- XtremeRAT
  The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
  persistence spyware rat xtremerat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xtremeratpersistenceratspywareupx

behavioral2

xtremeratpersistenceratspywareupx

© 2018-2024

Terms | Privacy