Malware Analysis Report

2025-01-22 19:21

Sample ID 240805-lt91sssfpk
Target 2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat
SHA256 70f0897e5f3a91055e0510276344c8d66d35c37f1f484080095c0326f45b0dea
Tags
upx 0 miner cobaltstrike xmrig backdoor trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 70f0897e5f3a91055e0510276344c8d66d35c37f1f484080095c0326f45b0dea

Threat Level: Known bad

The file 2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.

Malicious Activity Summary

upx 0 miner cobaltstrike xmrig backdoor trojan

Cobaltstrike

XMRig Miner payload

Cobalt Strike reflective loader

xmrig

Xmrig family

Cobaltstrike family

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

UPX packed file

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-08-05 09:50

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike family

cobaltstrike

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Xmrig family

xmrig

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 09:50

Reported

2024-08-05 09:53

Platform

win7-20240729-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\ublngCT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\DVnfjuN.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\xbdDLwl.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\yLcNkdI.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ETgHEmM.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\jPoJdda.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\HHLIDnq.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\qwOJRod.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\bfhwNWo.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\kHINxOO.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\IfOqSNZ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\GIuFZwX.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\prgmwqV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\iJCryOU.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ixGdXAC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\KgnbiFg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\XhTqNlg.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ssMzluh.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BUjksvm.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LobARyT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\eLOTJhK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HHLIDnq.exe
PID 2716 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HHLIDnq.exe
PID 2716 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\HHLIDnq.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVnfjuN.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVnfjuN.exe
PID 2716 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\DVnfjuN.exe
PID 2716 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwOJRod.exe
PID 2716 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwOJRod.exe
PID 2716 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\qwOJRod.exe
PID 2716 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLcNkdI.exe
PID 2716 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLcNkdI.exe
PID 2716 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\yLcNkdI.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixGdXAC.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixGdXAC.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ixGdXAC.exe
PID 2716 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LobARyT.exe
PID 2716 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LobARyT.exe
PID 2716 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LobARyT.exe
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eLOTJhK.exe
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eLOTJhK.exe
PID 2716 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\eLOTJhK.exe
PID 2716 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgnbiFg.exe
PID 2716 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgnbiFg.exe
PID 2716 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KgnbiFg.exe
PID 2716 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bfhwNWo.exe
PID 2716 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bfhwNWo.exe
PID 2716 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\bfhwNWo.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XhTqNlg.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XhTqNlg.exe
PID 2716 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\XhTqNlg.exe
PID 2716 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHINxOO.exe
PID 2716 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHINxOO.exe
PID 2716 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\kHINxOO.exe
PID 2716 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ssMzluh.exe
PID 2716 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ssMzluh.exe
PID 2716 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ssMzluh.exe
PID 2716 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IfOqSNZ.exe
PID 2716 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IfOqSNZ.exe
PID 2716 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\IfOqSNZ.exe
PID 2716 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIuFZwX.exe
PID 2716 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIuFZwX.exe
PID 2716 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\GIuFZwX.exe
PID 2716 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ETgHEmM.exe
PID 2716 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ETgHEmM.exe
PID 2716 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ETgHEmM.exe
PID 2716 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPoJdda.exe
PID 2716 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPoJdda.exe
PID 2716 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\jPoJdda.exe
PID 2716 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbdDLwl.exe
PID 2716 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbdDLwl.exe
PID 2716 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\xbdDLwl.exe
PID 2716 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\prgmwqV.exe
PID 2716 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\prgmwqV.exe
PID 2716 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\prgmwqV.exe
PID 2716 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ublngCT.exe
PID 2716 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ublngCT.exe
PID 2716 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ublngCT.exe
PID 2716 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJCryOU.exe
PID 2716 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJCryOU.exe
PID 2716 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\iJCryOU.exe
PID 2716 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BUjksvm.exe
PID 2716 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BUjksvm.exe
PID 2716 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BUjksvm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\HHLIDnq.exe

C:\Windows\System\HHLIDnq.exe

C:\Windows\System\DVnfjuN.exe

C:\Windows\System\DVnfjuN.exe

C:\Windows\System\qwOJRod.exe

C:\Windows\System\qwOJRod.exe

C:\Windows\System\yLcNkdI.exe

C:\Windows\System\yLcNkdI.exe

C:\Windows\System\ixGdXAC.exe

C:\Windows\System\ixGdXAC.exe

C:\Windows\System\LobARyT.exe

C:\Windows\System\LobARyT.exe

C:\Windows\System\eLOTJhK.exe

C:\Windows\System\eLOTJhK.exe

C:\Windows\System\KgnbiFg.exe

C:\Windows\System\KgnbiFg.exe

C:\Windows\System\bfhwNWo.exe

C:\Windows\System\bfhwNWo.exe

C:\Windows\System\XhTqNlg.exe

C:\Windows\System\XhTqNlg.exe

C:\Windows\System\kHINxOO.exe

C:\Windows\System\kHINxOO.exe

C:\Windows\System\ssMzluh.exe

C:\Windows\System\ssMzluh.exe

C:\Windows\System\IfOqSNZ.exe

C:\Windows\System\IfOqSNZ.exe

C:\Windows\System\GIuFZwX.exe

C:\Windows\System\GIuFZwX.exe

C:\Windows\System\ETgHEmM.exe

C:\Windows\System\ETgHEmM.exe

C:\Windows\System\jPoJdda.exe

C:\Windows\System\jPoJdda.exe

C:\Windows\System\xbdDLwl.exe

C:\Windows\System\xbdDLwl.exe

C:\Windows\System\prgmwqV.exe

C:\Windows\System\prgmwqV.exe

C:\Windows\System\ublngCT.exe

C:\Windows\System\ublngCT.exe

C:\Windows\System\iJCryOU.exe

C:\Windows\System\iJCryOU.exe

C:\Windows\System\BUjksvm.exe

C:\Windows\System\BUjksvm.exe

Network

Country Destination Domain Proto
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp
DE 3.120.209.58:8080 N/A tcp

Files

memory/2716-0-0x000000013FB70000-0x000000013FEC1000-memory.dmp

memory/2716-1-0x0000000000080000-0x0000000000090000-memory.dmp

\Windows\system\HHLIDnq.exe

MD5 c6daa903e683c793a3bd60ad7398a39d
SHA1 a7536f75cda5e11a725a14a9eb6cbf5fdbf685fb
SHA256 1c37707a4c80fe112c521750f476b46d040ace735e7801daa454d7f770500158
SHA512 4dcbf5dd25e142273530a631685601dcb19cf770bc055cea93d5cb03fa0acfb6b26a6a6470f528104c4d838f7bf45e9a4147195802adf017ca8e37796e29db45

memory/1656-7-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

\Windows\system\DVnfjuN.exe

MD5 f56fe5960f44ae6a5dfec9bc838b8310
SHA1 54659c353805d43fff18515e4d0c526cd6cdc421
SHA256 1ff4d082b40163f45496541aa2678008943872c055ff79d671a27b42704a1c56
SHA512 16eda912887e77a7b7671f75d6d7589390ad0a104263e910911ef15af821151f36e58ecbc5ec6a6bc5652208faec16805c1b95973a346f2ba2f48b5a090e0fe1

memory/2716-13-0x0000000002360000-0x00000000026B1000-memory.dmp

memory/2824-14-0x000000013FC80000-0x000000013FFD1000-memory.dmp

C:\Windows\system\qwOJRod.exe

MD5 7781f8b4f116b201ef9e5935d151613f
SHA1 b3ff6d81dc9297b7ebe79c74609c4637fe78aee8
SHA256 ffc34e68bb19f3467c1294c7ee76d9b1449104fafd0ed9d5f2c717ecaba7efd7
SHA512 e703ca89cba00735edf0f2597bbf09051f99a3a6b335ef5e70cb07654d1510b598376d8c4f09a872baf7f410353f83eb48fd4ac6a2230eadab26fec78615e521

memory/2716-21-0x000000013F190000-0x000000013F4E1000-memory.dmp

memory/2684-22-0x000000013F190000-0x000000013F4E1000-memory.dmp

\Windows\system\yLcNkdI.exe

MD5 5af9411800084f8fe8ecd1b54efad35d
SHA1 49f88d68d34cda70289af9e871cb7a1e379749cb
SHA256 927dac9df45aa3f0924be386136f17fa9468d5bfdff28a9d1825cf76b13eb13a
SHA512 51266f596b578016463dd31fa4e98b59bdbdd08834b8d220765223d4eb6f14395df8e666e8046838e850088383efa5c01f0c07ec022ac5550e092069e3f0a2ca

memory/1632-29-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2716-27-0x000000013FED0000-0x0000000140221000-memory.dmp

\Windows\system\ixGdXAC.exe

MD5 00b0cf2ebc6a1b5a970cd6af29d7beb1
SHA1 fb0f15b829983d29e5f8436a0fd5edd49d7acada
SHA256 f54ad7522d1679ab5308cfa511739dd822bcfae1756d753268f07f350c4f8df3
SHA512 2d5bf12ad7cc2a9c49529528aeaf22b53047c8bb4ed34a68fe008d79e3b653f5a747eda62cd95fbd31cda2c3769f24283361521b9f61f522f288100495a620e4

memory/1884-35-0x000000013F8F0000-0x000000013FC41000-memory.dmp

memory/2716-34-0x0000000002360000-0x00000000026B1000-memory.dmp

\Windows\system\LobARyT.exe

MD5 7149338eec203a18b8fab0619c5ab1d6
SHA1 5fade4ad0ea0784f69088a181bf16144a1bca9f5
SHA256 15c5478f51ae203bcf83c35ffd863552d9fd8b63d24251cc8ac79dd6e3d2e8fe
SHA512 44f212d90185e110c307b4f743146c487d3d218ccac5a7db1d176137a6a6aaf7e5cb78972c1f9549ed7874d1cccec043196a107bba90a723bb1201861ff52bfd

memory/2180-41-0x000000013FCF0000-0x0000000140041000-memory.dmp

memory/2716-40-0x0000000002360000-0x00000000026B1000-memory.dmp

\Windows\system\eLOTJhK.exe

MD5 edf0488debdb46e860a042060131a975
SHA1 ce03795743497a51f7176084afcc9588f122068e
SHA256 388444879a6c9e7d786589928a2231611b4676bfd781264d50550710f5b82cb6
SHA512 8e0bd69ef374c9e564acb2a1bf4a0ceab537cbc72a6113e617d38b0cfc9b6b6d1dbd788ff35e4f82429ec95411f71beb76849e62f42bfad49820b62c50ab8e8b

\Windows\system\bfhwNWo.exe

MD5 90bee557d961a63b0a74a1a7a6010fe4
SHA1 daf14ab706befc00eca319b513e8f87c0ba2ba8f
SHA256 9ddb0fa1d387c93c93bdc377b437e4d3e5616678c01d61e137e823f4951ed6f4
SHA512 cedc44fabce3ba2c3b0363284b2f714f0876402c18c610c861d8ac2e26cadf7230360db6e261ad0e416cbf6bdf7cc37fb12ee74879c844a7b012be16f7280c43

memory/2716-52-0x000000013F360000-0x000000013F6B1000-memory.dmp

\Windows\system\KgnbiFg.exe

MD5 99b6f113d4d759e96baf2fea31a2ba53
SHA1 8907966587aa0bffec13c7c11e0670faa300aba3
SHA256 88941e11a0d74c43a4c4543b05e5285e955f7cb5c905aa9dca241b03025c29f4
SHA512 10de640929577b21ee75b59215a883109ec4b146eb6ceabe67ade8536ca241d0ba56767ff4e69663c2bb35fe16f59477166e62dec7d694cd578519425bf93cfd

memory/2716-55-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/1656-65-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

memory/2748-64-0x000000013F5E0000-0x000000013F931000-memory.dmp

memory/2620-62-0x000000013F380000-0x000000013F6D1000-memory.dmp

memory/2720-59-0x000000013F360000-0x000000013F6B1000-memory.dmp

memory/2716-57-0x000000013FB70000-0x000000013FEC1000-memory.dmp

C:\Windows\system\XhTqNlg.exe

MD5 326d14d4313b7a12d86b4c2b6a09e25d
SHA1 486d1deee30942065bea66298a34118a5c8d4ee3
SHA256 6fe6d8394d4895bd4b296350a1c5b7026da635878c37c1580b51470352f2cec0
SHA512 ce5ad9b0b27be173032ecc4d214f1eb7fec168e15923d098d8ce81f3ad1905cecdbb20fe5e3cb199f7e7e414ed28bc766970dd179ff9ac5fcafd5661ad780d02

memory/2824-69-0x000000013FC80000-0x000000013FFD1000-memory.dmp

memory/2716-70-0x0000000002360000-0x00000000026B1000-memory.dmp

memory/2572-71-0x000000013F890000-0x000000013FBE1000-memory.dmp

\Windows\system\kHINxOO.exe

MD5 00fe0c4cc0cee0373df95e0b790a4763
SHA1 5c9575a89731588688fdbbdd81dd73c061fab78c
SHA256 9c56c4d97012e907c76bbca37add9aae7d76e6023639e2d5a08b4ef9f60b466a
SHA512 67f412a595a2ade18f8a5768627a8f14bfc02d9fad51727aa5f7fa81d745553d95031c2ebafff2742e8c46ac1f7b4e10f46256079f0198d72503dd44d10d7609

memory/1724-82-0x000000013FBD0000-0x000000013FF21000-memory.dmp

memory/1632-81-0x000000013FED0000-0x0000000140221000-memory.dmp

memory/2716-79-0x0000000002360000-0x00000000026B1000-memory.dmp

memory/2716-76-0x000000013F190000-0x000000013F4E1000-memory.dmp

C:\Windows\system\ssMzluh.exe

MD5 dcb6d3e0d1c4feeb53663a237a6d40e3
SHA1 7976429288eaf546757b57f0cb406912ca952fcd
SHA256 326df436ad22cbe89a25fb61cbe5b1a1c6aab6fc4779faf4d1a24e574380a1dc
SHA512 c6e11e79a91dfeca6c86720f432bae31ca32867d780a6bd9dfc091cc0e6f822ffa77fe1451248a46c2bd96f6ef23493ce42e83cef20235411499bba1013c90f8

memory/2700-89-0x000000013F630000-0x000000013F981000-memory.dmp

memory/2716-88-0x000000013F630000-0x000000013F981000-memory.dmp

memory/1884-87-0x000000013F8F0000-0x000000013FC41000-memory.dmp

\Windows\system\GIuFZwX.exe

MD5 f3287189b8877893b9d0e10407f4e33c
SHA1 693ded8b013f3256e6128f05f1d69bb583e71939

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 09:50

Reported

2024-08-05 09:53

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe"

Signatures

Cobalt Strike reflective loader

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\System\KWJiCSH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\UiRjRAB.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\LGCZEhD.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\gbXMqbG.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\TZUNJSP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rmtfhLQ.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\rZCflvK.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ZvhhZEu.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BXyeyIn.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\EXjclNx.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\JXwMDRH.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\arAFOuf.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\svBnoRP.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\BtlapkC.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\pabNksV.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\PEnWIVa.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\OvcoKTT.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\ASQJFLz.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\mDobSRA.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\FvwRJXc.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A
File created C:\Windows\System\YLzuPCW.exe C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4660 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXjclNx.exe
PID 4660 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\EXjclNx.exe
PID 4660 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rmtfhLQ.exe
PID 4660 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rmtfhLQ.exe
PID 4660 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PEnWIVa.exe
PID 4660 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\PEnWIVa.exe
PID 4660 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YLzuPCW.exe
PID 4660 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\YLzuPCW.exe
PID 4660 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KWJiCSH.exe
PID 4660 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\KWJiCSH.exe
PID 4660 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXwMDRH.exe
PID 4660 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\JXwMDRH.exe
PID 4660 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UiRjRAB.exe
PID 4660 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\UiRjRAB.exe
PID 4660 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZCflvK.exe
PID 4660 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\rZCflvK.exe
PID 4660 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZvhhZEu.exe
PID 4660 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ZvhhZEu.exe
PID 4660 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LGCZEhD.exe
PID 4660 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\LGCZEhD.exe
PID 4660 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OvcoKTT.exe
PID 4660 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\OvcoKTT.exe
PID 4660 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ASQJFLz.exe
PID 4660 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\ASQJFLz.exe
PID 4660 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXyeyIn.exe
PID 4660 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BXyeyIn.exe
PID 4660 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDobSRA.exe
PID 4660 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\mDobSRA.exe
PID 4660 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvwRJXc.exe
PID 4660 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\FvwRJXc.exe
PID 4660 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\arAFOuf.exe
PID 4660 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\arAFOuf.exe
PID 4660 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbXMqbG.exe
PID 4660 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\gbXMqbG.exe
PID 4660 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\svBnoRP.exe
PID 4660 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\svBnoRP.exe
PID 4660 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BtlapkC.exe
PID 4660 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\BtlapkC.exe
PID 4660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZUNJSP.exe
PID 4660 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\TZUNJSP.exe
PID 4660 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pabNksV.exe
PID 4660 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe C:\Windows\System\pabNksV.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-05_d55c6d7b68e031586b59c8be11fa1d93_cobalt-strike_cobaltstrike_poet-rat.exe"

C:\Windows\System\EXjclNx.exe

C:\Windows\System\EXjclNx.exe

C:\Windows\System\rmtfhLQ.exe

C:\Windows\System\rmtfhLQ.exe

C:\Windows\System\PEnWIVa.exe

C:\Windows\System\PEnWIVa.exe

C:\Windows\System\YLzuPCW.exe

C:\Windows\System\YLzuPCW.exe

C:\Windows\System\KWJiCSH.exe

C:\Windows\System\KWJiCSH.exe

C:\Windows\System\JXwMDRH.exe

C:\Windows\System\JXwMDRH.exe

C:\Windows\System\UiRjRAB.exe

C:\Windows\System\UiRjRAB.exe

C:\Windows\System\rZCflvK.exe

C:\Windows\System\rZCflvK.exe

C:\Windows\System\ZvhhZEu.exe

C:\Windows\System\ZvhhZEu.exe

C:\Windows\System\LGCZEhD.exe

C:\Windows\System\LGCZEhD.exe

C:\Windows\System\OvcoKTT.exe

C:\Windows\System\OvcoKTT.exe

C:\Windows\System\ASQJFLz.exe

C:\Windows\System\ASQJFLz.exe

C:\Windows\System\BXyeyIn.exe

C:\Windows\System\BXyeyIn.exe

C:\Windows\System\mDobSRA.exe

C:\Windows\System\mDobSRA.exe

C:\Windows\System\FvwRJXc.exe

C:\Windows\System\FvwRJXc.exe

C:\Windows\System\arAFOuf.exe

C:\Windows\System\arAFOuf.exe

C:\Windows\System\gbXMqbG.exe

C:\Windows\System\gbXMqbG.exe

C:\Windows\System\svBnoRP.exe

C:\Windows\System\svBnoRP.exe

C:\Windows\System\BtlapkC.exe

C:\Windows\System\BtlapkC.exe

C:\Windows\System\TZUNJSP.exe

C:\Windows\System\TZUNJSP.exe

C:\Windows\System\pabNksV.exe

C:\Windows\System\pabNksV.exe

Network

Country Destination Domain Proto

Files
