Analysis
max time kernel: 95s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/09/2024, 17:59 UTC
Behavioral task: behavioral1
Sample: 20240913e9470b336e245a3fda067ae1a3d96898cobaltstrikecobaltstrikepoetratsnatch.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 20240913e9470b336e245a3fda067ae1a3d96898cobaltstrikecobaltstrikepoetratsnatch.exe
Resource: win10v2004-20240802-en
General
Target: 20240913e9470b336e245a3fda067ae1a3d96898cobaltstrikecobaltstrikepoetratsnatch.exe
Size: 5.0MB
MD5: e9470b336e245a3fda067ae1a3d96898
SHA1: a059f8efad896f14795bacce0d431c29036ae0ba
SHA256: 37dd2dd3dd42d467222b16e498ee4f78288c475387018ec2f012edff61489935
SHA512: 7d6b5e9658a2a3d1a61fae140ccd73aca288fc23db6438bb8ccb48fce1f4ee2ce154f8122cb3660ecfaac539730c02fe6c6b44efbd2c9dd703e89430d145f83e
SSDEEP: 49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpnB:r56utgpPFotBER/mQ32lU/
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 20240913e9470b336e245a3fda067ae1a3d96898cobaltstrikecobaltstrikepoetratsnatch.exe)
Processes
Network
DNS lookup by 20240913e9470b336e245a3fda067ae1a3d96898cobaltstrikecobaltstrikepoetratsnatch.exe via 8.8.8.8:53: s3.us-east-2.amazonaws.com IN A
Response: s3.us-east-2.amazonaws.com IN A 52.219.80.91, 52.219.94.65, 52.219.107.41, 3.5.131.125, 52.219.228.161, 3.5.128.140, 52.219.178.57, 52.219.110.145
Two further A requests for s3.us-east-2.amazonaws.com by the same process via 8.8.8.8:53 (no response recorded)
TLS connection by 20240913e9470b336e245a3fda067ae1a3d96898cobaltstrikecobaltstrikepoetratsnatch.exe to 52.219.80.91:443 (s3.us-east-2.amazonaws.com): 1.8kB / 7.9kB, 20 / 19 packets