# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Aliases: proyecto, xpertrat, xrat # Reference: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Xtrat-CC/detailed-analysis.aspx cooempresas.ddns.net # Reference: https://citizenlab.ca/2015/12/packrat-report/ taskmgr.serveftp.com taskmgr.servehttp.com wjwj.no-ip.org # Reference: https://www.virustotal.com/en/file/d05b5f13bfa9082f9087dabc3c4d15471209b1dfe8b27272360558dba2c85d43/analysis/ # Reference: https://www.virustotal.com/en/file/15c4933b7b767d44c71bac0b7bf44d1bd9f3dd6bada45b35f5ebb8f22367842b/analysis/ updatechrome.duckdns.org # Reference: https://twitter.com/Racco42/status/1054463077603786753 84.38.135.152:1148 # Reference: https://www.zscaler.com/blogs/research/backdoor-xtrat-continues-evade-detection # Reference: https://www.hybrid-analysis.com/sample/e58117933d0b5312cc0f799b5f181482220f1e26f62f9eaa4f99ed50cd29b90c?environmentId=1 # Reference: https://totalhash.cymru.com/analysis/?20379ec605b8acadb2a1f4f064c6481171a4e0ce # Reference: https://report.any.run/e46cbed7747902cbf1bc0f26dbc847549d4c626facea329f3e165117ff28ed7e/548daf6b-7cea-42b8-be21-4c3c08439cae # Reference: https://urlquery.net/report/6bc41921-5f7d-48fa-8ec5-0fb500f3fa5f /123456.functions anaperez.ddns.net pruebas.bounceme.net analaloca.chickenkiller.com dolev.ddns.net uranio2.no-ip.biz morter.zapto.org # Reference: https://www.zscaler.com/blogs/research/backdoor-xtrat-continues-evade-detection suportassisten.no-ip.info laithmhrez.no-ip.info papapa-1212.zapto.org sarkawt122.no-ip.biz outlook11551.no-ip.biz cascarita1.no-ip.biz cascarita2.no-ip.biz cascarita3.no-ip.biz windows.misconfused.org uranio2.no-ip.biz fungii.no-ip.org mohammad2010.no-ip.biz updating.serveexchange.com spycronicjn.no-ip.org allmyworkers.no-ip.biz livejasminci.no-ip.biz # Reference: http://www.malwaresigs.com/2013/01/17/xtreme-rat/ mrhacking.no-ip.info almofatch.no-in.info netera.no-ip.org aln3imi00100.zapto.org hackk-hackk.no-ip.biz cinamarcina.no-ip.biz reveng1.no-ip.biz aymn161.no-ip.org amin1111.no-ip.org cagatay3162.zapto.org ers.zapto.org amgad.no-ip.biz mrxm511.no-ip.org hac.zapto.org mahmodemos.no-ip.org starnight2012.tzo.net jv123.no-ip.org kirkukboy.no-ip.biz sosososo.no-ip.biz hack4ps.no-ip.info sa123re.no-ip.org khalil02.no-ip.biz wail.no-ip.biz # Reference: https://twitter.com/Racco42/status/1132935875430670337 justgo.linkpc.net # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0314.pdf test.zzjzpt.com # Reference: https://twitter.com/killamjr/status/1145804313886941191 185.227.82.38:7797 # Reference: https://twitter.com/killamjr/status/1147002097969164288 # Reference: https://app.any.run/tasks/c4a6d4c2-09ee-442d-bb54-00402d770c94/ 91.193.75.252:119 # Reference: https://blog.talosintelligence.com/2019/07/threat-roundup-0712-0719.html (# Win.Trojan.XtremeRAT-7059357-1) dnsduck4.duckdns.org dnsduck6.duckdns.org jb2168948.ddns.net lospapa1.duckdns.org lospatios1.duckdns.org lospatios3.duckdns.org nincasu.myvnc.com # Reference: https://twitter.com/wwp96/status/1163454025477632000 # Reference: https://app.any.run/tasks/800f2255-a6af-445e-8db5-c162d95ea6cc/ 79.134.225.102:7452 austine4.duckdns.org # Reference: https://www.fortinet.com/blog/threat-research/fake-indian-income-tax-calculator-xrat-variant.html xorc-49723.portmap.host # Reference: https://twitter.com/struppigel/status/1173883825333706752 # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/ # Reference: https://documents.trendmicro.com/assets/Appendix_Spam_Campaign_Targets_Colombian_Entities_with_Custom_made_Proyecto_RAT_Uses_Email_Service_YOPmail_for_C&C.pdf # Reference: https://www.virustotal.com/gui/file/f8bf2120bdec3da240bf4a56760ee42d045e42ec4ae1d261774ff13fc2cb7cc0/detection ceosas.linkpc.net confe.linkpc.net medicosta.linkpc.net medicosco.publicvm.com perfect1.publicvm.com