MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09a4b8050e81c0d265bb05d6ef4b7155d0ffda7ebe00820aa5a1fd08c3f4a768. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Xtrat


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09a4b8050e81c0d265bb05d6ef4b7155d0ffda7ebe00820aa5a1fd08c3f4a768
SHA3-384 hash: 5f570f35d7d2f302a374f48766d120566b0cfe38869b3de6c0b7926fb067dab02788755cebc1627d58c68b1a88fd387d
SHA1 hash: b4a9c79567a508254953a024ac284c12ce57873b
MD5 hash: aa0d25108c420b68af8a98d877a10e9a
humanhash: mississippi-mississippi-rugby-arkansas
File name:09a4b8050e81c0d265bb05d6ef4b7155d0ffda7ebe00820aa5a1fd08c3f4a768
Download: download sample
Signature Xtrat
Create hunting rule
File size:66'048 bytes
First seen:2020-07-29 07:16:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e5af779e25e220726db5ac0f58158cc4 (1 x Xtrat)
ssdeep 768:x8m1Sq4NQErBsH1tzoisBKQI6dObAG/dqOXHsoAx5JXrUq/6Y7CsJbtF/zo2:Nsq+QV4rObAdNoAf5UqyYesV7o2
Threatray 23 similar samples on MalwareBazaar
TLSH 77537D2293D055B7E0212E7CED1A4139A47D3A713EB69849FEF12F0D9CB93D206C9297
Reporter JAMESWT_WT
Tags:Xtrat

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Xtreme
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34342/
Detection(s):
Win.Trojan.Keylogger-192
Create hunting rule

Win.Trojan.Xtreme-5744908-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Threat name:
Xtreme RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/401529
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Installs Xtreme RAT
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Xtreme RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 253012 Sample: 8BvJDxl2UQ Startdate: 29/07/2020 Architecture: WINDOWS Score: 96 18 Malicious sample detected (through community Yara rule) 2->18 20 Yara detected Xtreme RAT 2->20 22 Machine Learning detection for sample 2->22 24 Sigma detected: Suspicious Svchost Process 2->24 7 8BvJDxl2UQ.exe 1 2 2->7         started        process3 signatures4 26 Installs Xtreme RAT 7->26 28 Contains functionality to inject threads in other processes 7->28 30 Contains functionality to inject code into remote processes 7->30 32 5 other signatures 7->32 10 svchost.exe 7->10         started        12 iexplore.exe 7->12         started        process5 process6 14 WerFault.exe 10->14         started        16 WerFault.exe 10->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09a4b8050e81c0d265bb05d6ef4b7155d0ffda7ebe00820aa5a1fd08c3f4a768/
Threat name:
Win32.Backdoor.XtremeRAT
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 00:07:15 UTC
File Type:
PE (Exe)
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgslqbioqhanezn3axlo6s3rkxip7wt6xyaiecvfuh6qrq7uu5ua._file
Verdict:
malicious
Similar samples:
07cd5128e0d8dba2bf9917891e8e4d3685b58a09df51101a872ebf41a7043418
Xtrat
1f2b9ed45696d387c21a1a5ac0c414949cd5357d182fa3e670d9d335abeca5e4
Xtrat
24703941ce90d377c6149626ef5d16dddd6c4f89280a0b133de94809bc540548
Xtrat
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
Xtrat
48236bb4fa38724fb0a368673e14c364fde3fa5e95ba42db44a0193ba4c13beb
Xtrat
7b3038c1373ca79b19dc5789778a1a0cf38d49a0fcda94d9288be6f648d9d269
Xtrat
8edd6dd53784f816039a5f935567cb551d0743a85713116670d2caae1d9ebd86
Xtrat
c121b14316a1f7976c4337f37c29acd3a1efeff592617736b1ae1e6d3bf04b09
Xtrat
c8b1cce5ae65d68b7ca2a419b1499d7bec6e4e3d1e04d3e3f040eeaeb6080146
Xtrat
dfa5a86c285a2fa7476d7ba6c614d0c98b8acdbf57148df4b44514c546194e32
Xtrat
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200729-r3t8er9v4n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Drops file in Windows directory
Adds Run key to start application
Modifies Installed Components in the registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/09a4b8050e81c0d265bb05d6ef4b7155d0ffda7ebe00820aa5a1fd08c3f4a768

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RAT_Xtreme
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Description:Detects Xtreme RAT
Reference:http://malwareconfig.com/stats/Xtreme
Rule name:win_extreme_rat_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Xtrem RAT v3.5
Rule name:Xtreme_Sep17_1
Create hunting rule
Author:Florian Roth
Description:Detects XTREME sample analyzed in September 2017
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34342/

Comments