poetrat | 208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407

General

Target

3aadbf7e527fc1a050e1c97fea1cba4d.doc
Size

7.9MB
MD5

3aadbf7e527fc1a050e1c97fea1cba4d
SHA1

2cf055b3ef60582ca72e77bc4693ea306360f611
SHA256

208ec23c233580dbfc53aad5655845f7152ada56dd6a5c780d54e84a9d227407
SHA512

642fadbcb8c94858a770de4e6e419bcc6c223e92fe3294f0b56519bdd4b74cdc9918ebac83a91627de5bef4cfd42a1abde79c4bf9e2801f582e18c9fd5000976

Score

10^/10

macro trojan stealer poetrat

Malware Config

Signatures

PoetRAT
PoetRAT is remote administration tool written in python.
trojan stealer poetrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1084	1124	cmd.exe	23

Executes dropped EXE 3 IoCs

pid	Process
1036	python.exe
1852	python.exe
1584	python.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro

resource	yara_rule
behavioral1/files/0x00030000000131cf-5.dat	office_xlm_macros

Loads dropped DLL 32 IoCs

pid	Process
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1036	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1852	python.exe
1584	python.exe
1584	python.exe
1584	python.exe
1584	python.exe
1584	python.exe
1584	python.exe
1584	python.exe
1584	python.exe
1584	python.exe

JavaScript code in executable 8 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013225-38.dat	js
behavioral1/files/0x0003000000013225-39.dat	js
behavioral1/files/0x0003000000013226-59.dat	js
behavioral1/files/0x0003000000013226-60.dat	js
behavioral1/files/0x0003000000013225-71.dat	js
behavioral1/files/0x0003000000013226-82.dat	js
behavioral1/files/0x0003000000013225-88.dat	js
behavioral1/files/0x0003000000013226-95.dat	js

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1124	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 35	1036	python.exe
Token: 35	1852	python.exe
Token: 35	1584	python.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1124	WINWORD.EXE
1124	WINWORD.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1084	1124	WINWORD.EXE	25
PID 1124 wrote to memory of 1084	1124	WINWORD.EXE	25
PID 1124 wrote to memory of 1084	1124	WINWORD.EXE	25
PID 1124 wrote to memory of 1036	1124	WINWORD.EXE	30
PID 1124 wrote to memory of 1036	1124	WINWORD.EXE	30
PID 1124 wrote to memory of 1036	1124	WINWORD.EXE	30
PID 1124 wrote to memory of 1036	1124	WINWORD.EXE	30
PID 1036 wrote to memory of 1684	1036	python.exe	33
PID 1036 wrote to memory of 1684	1036	python.exe	33
PID 1036 wrote to memory of 1684	1036	python.exe	33
PID 1036 wrote to memory of 1684	1036	python.exe	33
PID 1684 wrote to memory of 1852	1684	cmd.exe	34
PID 1684 wrote to memory of 1852	1684	cmd.exe	34
PID 1684 wrote to memory of 1852	1684	cmd.exe	34
PID 1684 wrote to memory of 1852	1684	cmd.exe	34
PID 1036 wrote to memory of 1084	1036	python.exe	35
PID 1036 wrote to memory of 1084	1036	python.exe	35
PID 1036 wrote to memory of 1084	1036	python.exe	35
PID 1036 wrote to memory of 1084	1036	python.exe	35
PID 1084 wrote to memory of 1584	1084	cmd.exe	36
PID 1084 wrote to memory of 1584	1084	cmd.exe	36
PID 1084 wrote to memory of 1584	1084	cmd.exe	36
PID 1084 wrote to memory of 1584	1084	cmd.exe	36

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3aadbf7e527fc1a050e1c97fea1cba4d.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\cmd.exe
  cmd /c copy C:\Users\Admin\AppData\Local\Temp\3aadbf7e527fc1a050e1c97fea1cba4d.doc C:\Users\Public\docer.doc
  2⤵
  - Process spawned unexpected child process
  PID:1084
- C:\Users\Public\Python37\python.exe
  "C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\launcher.py"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\smile.py""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Public\Python37\python.exe
      "C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\smile.py"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\frown.py""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Public\Python37\python.exe
      "C:\Users\Public\\Python37\python.exe" "C:\Users\Public\\Python37\frown.py"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-11-0x00000000026E0000-0x00000000026E2000-memory.dmp

Filesize
8KB

Download
memory/1124-0-0x0000000008070000-0x0000000008170000-memory.dmp

Filesize
1024KB

Download
memory/1124-1-0x0000000008070000-0x0000000008170000-memory.dmp

Filesize
1024KB

Download
memory/1124-35-0x0000000009CF0000-0x0000000009CF2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing