73a1b78d317dc0493ac9905bad9ef2d3adbda67edd11ed3ca949a1dc22a5388f

Resubmissions

12/10/2024, 17:59

12/10/2024, 17:58

max time kernel
33s
max time network
45s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12/10/2024, 17:58

Target

XFatRat.exe
Size

298KB
MD5

a98364f608685510930bb484ce9ec05a
SHA1

543b8dd7f00db460ee7b3c676e84d67ee92a8317
SHA256

73a1b78d317dc0493ac9905bad9ef2d3adbda67edd11ed3ca949a1dc22a5388f
SHA512

48bb950750a015c16cdd829e144644b14485aad0ed0093420f7e7db0af8255845f0c6a5521a4c81ca60d7f2a62dd39167d22c5ebb30597983961de3cfb4fe614
SSDEEP

6144:ak4RCA2oweUQSrhOnZbZpnlc4OwKUahNVnQbvvJJbb1DObAaGxFW:akECA2TISrhOnZbPy4OrUaqvJJ1aGx

Score

6^/10

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	XFatRat.exe

C:\Users\Admin\AppData\Local\Temp\XFatRat.exe
"C:\Users\Admin\AppData\Local\Temp\XFatRat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4400

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4700

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f3fbbe1e-2387-4639-b4a9-403a60588b49.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/4780-0-0x00007FFEF38D3000-0x00007FFEF38D5000-memory.dmp

Filesize
8KB

Download
memory/4780-1-0x0000000000A50000-0x0000000000AA2000-memory.dmp

Filesize
328KB

Download
memory/4780-2-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

Filesize
10.8MB

Download
memory/4780-3-0x00007FFEF38D0000-0x00007FFEF4392000-memory.dmp

Filesize
10.8MB

Download