Analysis
-
max time kernel
95s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/09/2024, 22:00
Static task
static1
Behavioral task
behavioral1
Sample
202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe
Resource
win10v2004-20240802-en
General
-
Target
202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe
-
Size
22.4MB
-
MD5
7cbe4acc2760708e7190b160585eee77
-
SHA1
01e7fece2462724c7ce6d5a9152500a09dfcd667
-
SHA256
1402b75764fd726cf62364af9d6bf9449e3415682e8d0ecbc017deb8b23808a9
-
SHA512
c5495047b8fc4d4c81323f63a4e8feca77090f1fcb4ecbc53496c1fd609a3676fd339e9147647ce75d9e3640f3c285cb19f0988d08486077020765872e5c9200
-
SSDEEP
393216:692DO8D1/gzQnSegNPCQM2/psErTmlJhjePxnIGuYebQZ:G2D4zQnSxJCQHscmNePxnlDebQ
Malware Config
Signatures
-
An open source browser data exporter written in golang. 9 IoCs
resource yara_rule behavioral2/memory/3456-5-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-12-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-13-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-14-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-16-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-15-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-38-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-41-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3456-155-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata -
HackBrowserData
An open source golang web browser extractor.
-
Executes dropped EXE 2 IoCs
pid Process 4784 script_cookie_encrypted.exe 624 rate.exe -
Uses the VBS compiler for execution 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4784 set thread context of 3456 4784 script_cookie_encrypted.exe 85 PID 624 set thread context of 3668 624 rate.exe 92 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvcs.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4784 script_cookie_encrypted.exe Token: SeDebugPrivilege 3668 regsvcs.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 1036 wrote to memory of 4784 1036 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe 83 PID 1036 wrote to memory of 4784 1036 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe 83 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 4784 wrote to memory of 3456 4784 script_cookie_encrypted.exe 85 PID 1036 wrote to memory of 624 1036 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe 87 PID 1036 wrote to memory of 624 1036 202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe 87 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3668 624 rate.exe 92 PID 624 wrote to memory of 3828 624 rate.exe 93 PID 624 wrote to memory of 3828 624 rate.exe 93 PID 624 wrote to memory of 3828 624 rate.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe"C:\Users\Admin\AppData\Local\Temp\202409237cbe4acc2760708e7190b160585eee77cobaltstrikepoetratsnatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Users\Admin\script_cookie_encrypted.exeC:\Users\Admin\script_cookie_encrypted.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"3⤵PID:3456
-
-
-
C:\Users\Admin\rate.exeC:\Users\Admin\rate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3668
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"3⤵PID:3828
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
3.6MB
MD50c8bc5317e4b23f1e6dd3a2b7af70255
SHA149dd70a5dfb41a77806f0abb0b9f54d0cd01d652
SHA256af847306fa5457d15f4d378e2622f6ff3f92c9a093810f760bf1f3cc91aacb7f
SHA512e95a567a70df88ac1226fd4973a6103f195c38f1790750047feead51b186434d88ab5a525c77cbe509f6fa8d8c90b77fac9daf2a48d31f85db12ab1b11863878
-
Filesize
11.2MB
MD5b50c04edf22d51016e00d6f385b41cc7
SHA122295a90e102a3ffdada9f52230fb9e604bac281
SHA2562a7cae1fd866ff4f11e5c41c428b9b3c1078df3b523706d8a5145c55bd359ba9
SHA512a574405593129fd729d8bf5fdcf6813cb68870cbb1124969def626db06069ccb2e18841c73ca5f34f71d33b4edd9c1982b6282a6f3e66b645e1043eff45f1f73