MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aea848202bd237874236de4dee4c22f01b189ae90fbb27dcd7f0bc9c37769de4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Xtrat
Vendor detections: 17

SHA256 hash: aea848202bd237874236de4dee4c22f01b189ae90fbb27dcd7f0bc9c37769de4
SHA3-384 hash: 316372666e96166d635e36886f4571f9939b0eafe5d45338d5d4299587274df6763ebcf863e4bb4ef3410ce99e7794af
SHA1 hash: 9bf55144fd5833ce18495e458b591b63f705055f
MD5 hash: cb9fa230259026bba4345da60da7024a
humanhash: coffee-nebraska-enemy-enemy
File name: Server.exe
Signature: Xtrat
File size: 26'624 bytes
First seen: 2026-05-15 19:48:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 84274b3201a70dd3d5e1916ec9dae2a4 (1 x Xtrat)
ssdeep: 384:xpj7eNmfp+UrM8j3Mk8mw2Qwz9cEVWNuOuuOYPq8P9iYwbzu1f6yvn+EIopr3:UmfpbM8j8wQwz9caAuxYyuiyWEv
TLSH: T11DC2E1BFBB7DBAE3D0E2C5765684D0AA0F7AD3F850BE0330378961B97D940054CA1A52
TrID: 38.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      37.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      9.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Anonymous
Tags: exe RAT UPX Xtrat
File size (compressed): 26'624 bytes
File size (de-compressed): 56'320 bytes
Format: win32/pe
Unpacked file: 9915ee88a1517c221bb683d8d3d1af9b48dedac246c7dbef0bce1295f3536c16

Intelligence

File Origin
# of uploads: 1
# of downloads: 120
Origin country: GB
Vendor Threat Intelligence

Malware configuration found for: PEPacker XtremeRAT
Details
PEPacker: a UPX version number and an unpacked binary

Malware family:
ID: 1
File name: Server.exe
Verdict: Malicious activity
Analysis date: 2026-05-15 19:17:46 UTC
Tags: xtrat rat upx
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: emotet zbot

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: borland_delphi fingerprint keylogger keylogger overlay packed packed packed reconnaissance upx

Verdict: Malicious
File Type: exe x32
First seen: 2026-05-15T16:55:00Z UTC
Last seen: 2026-05-15T17:49:00Z UTC
Hits: ~100
Detections: Trojan.Xtrat.HTTP.C&C Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Backdoor.Win32.Androm.sb Trojan-Spy.Win32.Xegumumune.sbc HEUR:Trojan.Win32.Generic Backdoor.Win32.Xtreme.sb Backdoor.Win32.Xtreme.axdr Backdoor.Win32.Xtreme.agx Trojan-Downloader.Agent.HTTP.Download Trojan-Spy.Recam.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Xtreme.HTTP.C&C Trojan.Win32.Sasfis.cgbk Trojan-Dropper.Win32.Injector.sb

Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Backdoor.XtremeRAT
Status: Malicious
First seen: 2026-05-15 19:49:36 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 34 of 36 (94.44%)

Threat level: 5/5
Verdict: malicious
Label(s): xtremerat
Unpacked files
SHA256 hash: aea848202bd237874236de4dee4c22f01b189ae90fbb27dcd7f0bc9c37769de4
MD5 hash: cb9fa230259026bba4345da60da7024a
SHA1 hash: 9bf55144fd5833ce18495e458b591b63f705055f

SHA256 hash: 885b9048f7419cdd0432ae9aeac60635f729d588cf856d7bfec40646b6a4c7d1
MD5 hash: fded9ebcf39286e82f3a7d8a4d4bf041
SHA1 hash: 55909fdb032e7907b9124e2a76aaeca188d1e152

Detections: win_extreme_rat_w0 XtremeRat
Malware family: XtremeRAT
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_detect_tls_callbacks

Rule name: RAT_Xtreme
Author: Kevin Breen <kevin@techanarchy.net>
Description: Detects Xtreme RAT
Reference: http://malwareconfig.com/stats/Xtreme

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

Rule name: Windows_Trojan_XtremeRAT_cd5b60be

Rule name: win_extreme_rat_w0
Author: Jean-Philippe Teissier / @Jipe_
Description: Xtrem RAT v3.5

Rule name: Xtreme
Author: botherder https://github.com/botherder
Description: Xtreme RAT

Rule name: xtreme_rat
Author: Kevin Falcoz
Description: Xtreme RAT

Rule name: xtreme_rat_payload_v1
Author: RandomMalware

Rule name: Xtreme_Sep17_1
Author: Florian Roth (Nextron Systems)
Description: Detects XTREME sample analyzed in September 2017
Reference: Internal Research

Rule name: Xtreme_Sep17_1_RID2C05
Author: Florian Roth
Description: Detects XTREME sample analyzed in September 2017
Reference: Internal Research

Rule name: Xtreme_Sep17_3
Author: Florian Roth (Nextron Systems)
Description: Detects XTREME sample analyzed in September 2017
Reference: Internal Research

Rule name: Xtreme_Sep17_3_RID2C07
Author: Florian Roth
Description: Detects XTREME sample analyzed in September 2017
Reference: Internal Research

Rule name: xtremrat
Author: Jean-Philippe Teissier / @Jipe_
Description: Xtrem RAT v3.5

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Xtrat: Executable exe, aea848202bd237874236de4dee4c22f01b189ae90fbb27dcd7f0bc9c37769de4 (this sample)
