Malware Analysis Report

2025-01-18 04:12

Sample ID 241120-2eyxzsvang
Target test.exe
SHA256 5436bad558c5bf3cb413020100e8426c0e07a45ecf34d679a753e168fd46d9fc
Tags: eaglerat, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

10/10

SHA256

5436bad558c5bf3cb413020100e8426c0e07a45ecf34d679a753e168fd46d9fc

Threat Level: Known bad

The file test.exe was found to be: Known bad.

Malicious Activity Summary

eaglerat rat

EagleRat

Eaglerat family

Drops startup file

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 22:30

Signatures

Eaglerat family

eaglerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 22:30

Reported

2024-11-20 22:31

Platform

win11-20241007-en

Max time kernel

51s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

EagleRat

rat eaglerat

Eaglerat family

eaglerat

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\test.exe.lnk
Process: C:\Users\Admin\AppData\Local\Temp\test.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix
Process: C:\Windows\system32\BackgroundTransferHost.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"
Process: C:\Windows\system32\BackgroundTransferHost.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"
Process: C:\Windows\system32\BackgroundTransferHost.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache
Process: C:\Windows\system32\BackgroundTransferHost.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache
Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

Network

Country Destination Domain Proto

Files

memory/5532-0-0x00007FF912A73000-0x00007FF912A75000-memory.dmp

memory/5532-1-0x00000000007B0000-0x00000000007C4000-memory.dmp

memory/5532-2-0x00000000015E0000-0x00000000015F2000-memory.dmp

memory/5532-3-0x0000000001620000-0x000000000163A000-memory.dmp

memory/5532-6-0x000000001C300000-0x000000001C376000-memory.dmp

memory/5532-7-0x00007FF912A70000-0x00007FF913532000-memory.dmp

memory/5532-8-0x000000001D5D0000-0x000000001D5EE000-memory.dmp

memory/5532-12-0x00007FF912A73000-0x00007FF912A75000-memory.dmp

memory/5532-13-0x00007FF912A70000-0x00007FF913532000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 71a6b59e08e25451e52675c842fae23c
SHA1 565a97673954a9209c7a05fba20b89d10b88025f
SHA256 5b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6
SHA512 5cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\25b0891a-af20-40cb-a4b7-2cc8d72bc3e0.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3