General
-
Target
2024-07-02_a2b87e6a5c8aec79f8b654a929f8fcf5_ngrbot_poet-rat_snatch
-
Size
9.5MB
-
Sample
240702-llbg9swfjf
-
MD5
a2b87e6a5c8aec79f8b654a929f8fcf5
-
SHA1
a2ce30605679a7d71a4f2a8c23face1e03656f2a
-
SHA256
4d7bfb4f771703f084916e2b4e45d58d1b4ef09aa202bf2ae14015bb9843c521
-
SHA512
756d2f0b94514bef633453a9add5eb4e493b4c5c057e1e743979109bf76f64a010cac600b25fd8582b0e41e29274e6809c79ef6662daa3a0504cce1a2d6dec12
-
SSDEEP
98304:dszauTezYYjzQ4U+pT9Ssz/4E3MHUFce3:6pTezfznpT9SI/x3MS3
Behavioral task
behavioral1
Sample
2024-07-02_a2b87e6a5c8aec79f8b654a929f8fcf5_ngrbot_poet-rat_snatch.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
2024-07-02_a2b87e6a5c8aec79f8b654a929f8fcf5_ngrbot_poet-rat_snatch.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1252623698922442854/ObgznnI5RtU4sKRGNHA-YO9uAJPv_fG23fCD82lWzqky7fR9_OYpCVxZwFFprN-p3XQQ
Targets
-
-
Target
2024-07-02_a2b87e6a5c8aec79f8b654a929f8fcf5_ngrbot_poet-rat_snatch
-
Size
9.5MB
-
MD5
a2b87e6a5c8aec79f8b654a929f8fcf5
-
SHA1
a2ce30605679a7d71a4f2a8c23face1e03656f2a
-
SHA256
4d7bfb4f771703f084916e2b4e45d58d1b4ef09aa202bf2ae14015bb9843c521
-
SHA512
756d2f0b94514bef633453a9add5eb4e493b4c5c057e1e743979109bf76f64a010cac600b25fd8582b0e41e29274e6809c79ef6662daa3a0504cce1a2d6dec12
-
SSDEEP
98304:dszauTezYYjzQ4U+pT9Ssz/4E3MHUFce3:6pTezfznpT9SI/x3MS3
-
Drops file in Drivers directory
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1