Analysis
max time kernel: 95s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-09-2024 11:41
Behavioral task: behavioral1
Sample: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Resource: win10v2004-20240802-en
General
Target: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Size: 5.0MB
MD5: dba35101a842d1729f17fd3f60e6d08b
SHA1: 6c0e054fefd508043d1990ee23a708cb9325ea0a
SHA256: 2ac458483057328624f97cbcbc83e79af7e5c5155f02ab537ad8fd5984eb4b99
SHA512: e79c3c5b26d7dca583e5c62eccbe3bbe91743c4af87f2559a1396877c933a8af3b5ad2b8da61ae3409299fde9fadcfbe31750e9e8dc252db7486728f41cdda5c
SSDEEP: 49152:r56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6liK1uOCeXvpno:r56utgpPFotBER/mQ32lU2
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe"
Signatures: System Location Discovery: System Language Discovery
PID: 4648
Network

Remote address: 8.8.8.8:53
Request: 172.214.232.199.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 217.106.137.52.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 134.32.126.40.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 196.249.167.52.in-addr.arpa IN PTR
Response: (none)

DNS: s3.us-east-2.amazonaws.com
Process: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Remote address: 8.8.8.8:53
Request: s3.us-east-2.amazonaws.com IN A
Response:
  s3.us-east-2.amazonaws.com IN A 52.219.88.75
  s3.us-east-2.amazonaws.com IN A 52.219.229.153
  s3.us-east-2.amazonaws.com IN A 52.219.177.177
  s3.us-east-2.amazonaws.com IN A 52.219.108.193
  s3.us-east-2.amazonaws.com IN A 52.219.108.105
  s3.us-east-2.amazonaws.com IN A 52.219.106.193
  s3.us-east-2.amazonaws.com IN A 16.12.64.1
  s3.us-east-2.amazonaws.com IN A 16.12.65.81

Remote address: 8.8.8.8:53
Request: 75.88.219.52.in-addr.arpa IN PTR
Response: 75.88.219.52.in-addr.arpa IN PTR s3.us-east-2.amazonaws.com

Remote address: 8.8.8.8:53
Request: 107.39.156.108.in-addr.arpa IN PTR
Response: 107.39.156.108.in-addr.arpa IN PTR server-108-156-39-107.lhr50.r.cloudfront.net

Remote address: 8.8.8.8:53
Request: 50.23.12.20.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 198.187.3.20.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 73.190.18.2.in-addr.arpa IN PTR
Response: 73.190.18.2.in-addr.arpa IN PTR a2-18-190-73.deploy.static.akamaitechnologies.com

Remote address: 8.8.8.8:53
Request: 172.210.232.199.in-addr.arpa IN PTR
Response: (none)

Remote address: 8.8.8.8:53
Request: 22.236.111.52.in-addr.arpa IN PTR
Response: (none)

Remote address: 52.219.88.75:443
Domain: s3.us-east-2.amazonaws.com
Proto: tls
Process: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Traffic: 1.2kB sent, 7.8kB received, 15 packets sent, 18 packets received
322 B 7

Traffic: 74 B sent, 128 B received, 1 packet sent, 1 packet received
DNS Request: 172.214.232.199.in-addr.arpa

Traffic: 73 B sent, 147 B received, 1 packet sent, 1 packet received
DNS Request: 217.106.137.52.in-addr.arpa

Traffic: 72 B sent, 158 B received, 1 packet sent, 1 packet received
DNS Request: 134.32.126.40.in-addr.arpa

Traffic: 73 B sent, 144 B received, 1 packet sent, 1 packet received
DNS Request: 95.221.229.192.in-addr.arpa

Traffic: 73 B sent, 147 B received, 1 packet sent, 1 packet received
DNS Request: 196.249.167.52.in-addr.arpa

Remote address: 8.8.8.8:53
Domain: s3.us-east-2.amazonaws.com
Proto: dns
Process: 2024-09-18_dba35101a842d1729f17fd3f60e6d08b_cobalt-strike_cobaltstrike_poet-rat_snatch.exe
Traffic: 72 B sent, 200 B received, 1 packet sent, 1 packet received
DNS Request: s3.us-east-2.amazonaws.com
DNS Response: 52.219.88.75, 52.219.229.153, 52.219.177.177, 52.219.108.193, 52.219.108.105, 52.219.106.193, 16.12.64.1, 16.12.65.81

Traffic: 71 B sent, 111 B received, 1 packet sent, 1 packet received
DNS Request: 75.88.219.52.in-addr.arpa

Traffic: 73 B sent, 131 B received, 1 packet sent, 1 packet received
DNS Request: 107.39.156.108.in-addr.arpa

Traffic: 70 B sent, 156 B received, 1 packet sent, 1 packet received
DNS Request: 50.23.12.20.in-addr.arpa

Traffic: 71 B sent, 157 B received, 1 packet sent, 1 packet received
DNS Request: 198.187.3.20.in-addr.arpa

Traffic: 70 B sent, 133 B received, 1 packet sent, 1 packet received
DNS Request: 73.190.18.2.in-addr.arpa

Traffic: 74 B sent, 128 B received, 1 packet sent, 1 packet received
DNS Request: 172.210.232.199.in-addr.arpa

Traffic: 72 B sent, 158 B received, 1 packet sent, 1 packet received
DNS Request: 22.236.111.52.in-addr.arpa