MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d85a0de0623aa8d4a2b1c5887cc18a77c9482115acb71a12b7a54fe186c5484. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Xtrat


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d85a0de0623aa8d4a2b1c5887cc18a77c9482115acb71a12b7a54fe186c5484
SHA3-384 hash: 986bba7682f562e48d1ad5e5bcee02f3dacff0359ce3a0c09abb411c02216ee972cc89bd2576c9c5ffcaf84b3f9ae4db
SHA1 hash: 92314c284582aa657fa8c7cf0c90a0e658069a10
MD5 hash: a3a32fd6f454764eaf03dc072873512c
humanhash: indigo-speaker-edward-hotel
File name:9d85a0de0623aa8d4a2b1c5887cc18a77c9482115acb71a12b7a54fe186c5484
Download: download sample
Signature Xtrat
Create hunting rule
File size:968'854 bytes
First seen:2020-06-10 12:14:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 24576:tf7wDf93eeKxs7doDnMmKkUdqeTf8X8R22pQl:tEl1zqnbKTMegMR2GQl
Threatray 43 similar samples on MalwareBazaar
TLSH 792523393314BFEED03E81719AD7B77F26BD8232BAE3F89734085997E4A1106315A158
Reporter JAMESWT_WT
Tags:Xtrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Win.Malware.Zusy-6622765-0
Create hunting rule

Gathering data
Threat name:
Win32.Backdoor.XtremeRAT
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 23:32:50 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=twc2bxqgeovi2srldrmiptayu56jjaqrllfxdijlpjkp4gdmksca._file
Verdict:
malicious
Similar samples:
07cd5128e0d8dba2bf9917891e8e4d3685b58a09df51101a872ebf41a7043418
Xtrat
0bda455745bf357aceefb490c19c47e70b7e65ea11fd9352200f98e795c8cbdc
Xtrat
6b9d9ef4e25d596f922c55d1f210da67cb125034d62c8e639c1f44258dfb4ede
Xtrat
6e2cbc6512ffadca97e3562f2947114569f70b9620a69aa8662001b266e1b4ba
Xtrat
7b3038c1373ca79b19dc5789778a1a0cf38d49a0fcda94d9288be6f648d9d269
Xtrat
8b9168d5ab359866b52639ef7dc5f25a8154707569bd1cb0fa9200a2293cbefe
Xtrat
bea7862dffe387d422fb7f11c92989064c6b396ca9ef5687fa28262e2de83e2d
Xtrat
c121b14316a1f7976c4337f37c29acd3a1efeff592617736b1ae1e6d3bf04b09
Xtrat
c8b1cce5ae65d68b7ca2a419b1499d7bec6e4e3d1e04d3e3f040eeaeb6080146
Xtrat
dec8034e880b3ea1bdbc16f358c8fdfecf119d6159d7dcce065ecb173697dbf4
Xtrat
+ 33 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion upx
Link:
https://tria.ge/reports/201109-dsp1s9ak7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
Identifies Wine through registry keys
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Xtreme_Sep17_2
Create hunting rule
Author:Florian Roth
Description:Detects XTREME sample analyzed in September 2017
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments