Analysis

  • max time kernel
    95s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-09-2024 11:41

General

  • Target

    2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    dba35101a842d1729f17fd3f60e6d08b

  • SHA1

    6c0e054fefd508043d1990ee23a708cb9325ea0a

  • SHA256

    2ac458483057328624f97cbcbc83e79af7e5c5155f02ab537ad8fd5984eb4b99

  • SHA512

    e79c3c5b26d7dca583e5c62eccbe3bbe91743c4af87f2559a1396877c933a8af3b5ad2b8da61ae3409299fde9fadcfbe31750e9e8dc252db7486728f41cdda5c

  • SSDEEP

    49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpno:r56utgpPFotBER/mQ32lU2

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4648

Network

  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    s3.us-east-2.amazonaws.com
    2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    Remote address:
    8.8.8.8:53
    Request
    s3.us-east-2.amazonaws.com
    IN A
    Response
    s3.us-east-2.amazonaws.com
    IN A
    52.219.88.75
    s3.us-east-2.amazonaws.com
    IN A
    52.219.229.153
    s3.us-east-2.amazonaws.com
    IN A
    52.219.177.177
    s3.us-east-2.amazonaws.com
    IN A
    52.219.108.193
    s3.us-east-2.amazonaws.com
    IN A
    52.219.108.105
    s3.us-east-2.amazonaws.com
    IN A
    52.219.106.193
    s3.us-east-2.amazonaws.com
    IN A
    16.12.64.1
    s3.us-east-2.amazonaws.com
    IN A
    16.12.65.81
  • flag-us
    DNS
    75.88.219.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.88.219.52.in-addr.arpa
    IN PTR
    Response
    75.88.219.52.in-addr.arpa
    IN PTR
    s3 us-east-2 amazonawscom
  • flag-us
    DNS
    107.39.156.108.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.39.156.108.in-addr.arpa
    IN PTR
    Response
    107.39.156.108.in-addr.arpa
    IN PTR
    server-108-156-39-107lhr50r cloudfrontnet
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 52.219.88.75:443
    s3.us-east-2.amazonaws.com
    tls
    2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    1.2kB
    7.8kB
    15
    18
  • 52.111.229.43:443
    322 B
    7
  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    s3.us-east-2.amazonaws.com
    dns
    2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
    72 B
    200 B
    1
    1

    DNS Request

    s3.us-east-2.amazonaws.com

    DNS Response

    52.219.88.75
    52.219.229.153
    52.219.177.177
    52.219.108.193
    52.219.108.105
    52.219.106.193
    16.12.64.1
    16.12.65.81

  • 8.8.8.8:53
    75.88.219.52.in-addr.arpa
    dns
    71 B
    111 B
    1
    1

    DNS Request

    75.88.219.52.in-addr.arpa

  • 8.8.8.8:53
    107.39.156.108.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    107.39.156.108.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.