MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48236bb4fa38724fb0a368673e14c364fde3fa5e95ba42db44a0193ba4c13beb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Xtrat


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48236bb4fa38724fb0a368673e14c364fde3fa5e95ba42db44a0193ba4c13beb
SHA3-384 hash: 67d95d619b3e3b6205fbb035bd8da1ac017a19ffe1bd93ec6dbef672614b16762780d55e97a6fa670f626a69a457ff4e
SHA1 hash: 253630762dd8b05d021c103600de3e578b6b7ff9
MD5 hash: b5f175e433dadf0aa860e725e97772bf
humanhash: football-monkey-aspen-kitten
File name:48236bb4fa38724fb0a368673e14c364fde3fa5e95ba42db44a0193ba4c13beb
Download: download sample
Signature Xtrat
Create hunting rule
File size:961'494 bytes
First seen:2020-06-10 12:11:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 24576:tf7wDf93eeKxs7doDnMmKkUdqeTf8X8R22pQp:tEl1zqnbKTMegMR2GQp
Threatray 44 similar samples on MalwareBazaar
TLSH 6B1523397314BEEED07D81709AD7B77F26BD8233BAE2F85724484997E4E110631A6148
Reporter JAMESWT_WT
Tags:Xtrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Win.Malware.Zusy-6622765-0
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.XtremeRAT
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 23:42:45 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
31 of 31 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jarwxnh2hbze7mfdnbtt4fgdmt66h6s6sw5efw2euamtxjgbhpvq._file
Verdict:
malicious
Similar samples:
07cd5128e0d8dba2bf9917891e8e4d3685b58a09df51101a872ebf41a7043418
Xtrat
0bda455745bf357aceefb490c19c47e70b7e65ea11fd9352200f98e795c8cbdc
Xtrat
6b9d9ef4e25d596f922c55d1f210da67cb125034d62c8e639c1f44258dfb4ede
Xtrat
7b3038c1373ca79b19dc5789778a1a0cf38d49a0fcda94d9288be6f648d9d269
Xtrat
8b9168d5ab359866b52639ef7dc5f25a8154707569bd1cb0fa9200a2293cbefe
Xtrat
9d85a0de0623aa8d4a2b1c5887cc18a77c9482115acb71a12b7a54fe186c5484
Xtrat
bea7862dffe387d422fb7f11c92989064c6b396ca9ef5687fa28262e2de83e2d
Xtrat
c121b14316a1f7976c4337f37c29acd3a1efeff592617736b1ae1e6d3bf04b09
Xtrat
c8b1cce5ae65d68b7ca2a419b1499d7bec6e4e3d1e04d3e3f040eeaeb6080146
Xtrat
dec8034e880b3ea1bdbc16f358c8fdfecf119d6159d7dcce065ecb173697dbf4
Xtrat
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion upx
Link:
https://tria.ge/reports/201109-467peqtkcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
Identifies Wine through registry keys
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Xtreme_Sep17_2
Create hunting rule
Author:Florian Roth
Description:Detects XTREME sample analyzed in September 2017
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments