Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23/09/2024, 16:10
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe
-
Size
22.4MB
-
MD5
be19817a502d58efb565f61591cd5aab
-
SHA1
2724dd77fe76d9757a41867589d538e0d553336e
-
SHA256
4fb369ab0a11c70be0d8861c2483623a1e0f91ca62445985d64b3fe6b37349a1
-
SHA512
9fafbbf5f4983b2b59b9413257b83239e329cc0d84e8ec6bce9f817eb5251352640d4aa91522d6367c60036a7bbd33bcb0e7d12c74bbb4b17aff70c0fabba4b4
-
SSDEEP
393216:Io2QxYD1/gzQnSegNPCQM2/psErTmlJhjePxnIOLDFee:R2p4zQnSxJCQHscmNePxnv8e
Malware Config
Signatures
-
An open source browser data exporter written in golang. 9 IoCs
resource yara_rule behavioral2/memory/3752-4-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-6-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-8-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-9-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-10-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-7-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-33-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-36-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata behavioral2/memory/3752-168-0x0000000000400000-0x0000000000DED000-memory.dmp family_hackbrowserdata -
HackBrowserData
An open source golang web browser extractor.
-
Executes dropped EXE 2 IoCs
pid Process 212 script_cookie_encrypted.exe 5112 rate.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 212 set thread context of 3752 212 script_cookie_encrypted.exe 85 PID 5112 set thread context of 4076 5112 rate.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regasm.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 212 script_cookie_encrypted.exe Token: SeDebugPrivilege 4076 regasm.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1880 wrote to memory of 212 1880 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe 83 PID 1880 wrote to memory of 212 1880 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe 83 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 212 wrote to memory of 3752 212 script_cookie_encrypted.exe 85 PID 1880 wrote to memory of 5112 1880 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe 95 PID 1880 wrote to memory of 5112 1880 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe 95 PID 5112 wrote to memory of 4904 5112 rate.exe 96 PID 5112 wrote to memory of 4904 5112 rate.exe 96 PID 5112 wrote to memory of 4904 5112 rate.exe 96 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 4076 5112 rate.exe 97 PID 5112 wrote to memory of 512 5112 rate.exe 98 PID 5112 wrote to memory of 512 5112 rate.exe 98 PID 5112 wrote to memory of 512 5112 rate.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\script_cookie_encrypted.exeC:\Users\Admin\script_cookie_encrypted.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"3⤵PID:3752
-
-
-
C:\Users\Admin\rate.exeC:\Users\Admin\rate.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"3⤵PID:4904
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4076
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵PID:512
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD59f36605efba98dab15728fe8b5538aa0
SHA16a7cff514ae159a59b70f27dde52a3a5dd01b1c8
SHA2569c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd
SHA5121893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
3.6MB
MD50c8bc5317e4b23f1e6dd3a2b7af70255
SHA149dd70a5dfb41a77806f0abb0b9f54d0cd01d652
SHA256af847306fa5457d15f4d378e2622f6ff3f92c9a093810f760bf1f3cc91aacb7f
SHA512e95a567a70df88ac1226fd4973a6103f195c38f1790750047feead51b186434d88ab5a525c77cbe509f6fa8d8c90b77fac9daf2a48d31f85db12ab1b11863878
-
Filesize
302B
MD581b496ce1578a88f74dcf1b5a09f98b5
SHA1ec5b2723bf4f88d001069fccd5300096c5955d0b
SHA2565c99c6eb19efecfdcb5da9e8e547ce78065d0de4e7dcc4b70166d03d0870b7d5
SHA512b72794dfb6955f8a2c102d072cd650617d08ca94805c791e4549ec2b326b8b896d872f848f701ebbad46342da6df051a3799af5434092b167a233a23978e580f
-
Filesize
34B
MD5d07886f7107c50304e1b9cde0793ed04
SHA141453a6e9db25a06b4ef031c12fdcee8a3818741
SHA256963b596f0385f5be1b8ad2f7e5b4ff474aeb1a1a8d17d20ff67a1cd30ca70344
SHA512a917504c89a8ec7b8fc5d89a683fce01ce45a160dbb98861cc2432c221a2f3e7aca15b7325967c171e2de2d7ce26ffa01ecef49c7b896b1a16daa5a3125eb4ca
-
Filesize
11.2MB
MD5b50c04edf22d51016e00d6f385b41cc7
SHA122295a90e102a3ffdada9f52230fb9e604bac281
SHA2562a7cae1fd866ff4f11e5c41c428b9b3c1078df3b523706d8a5145c55bd359ba9
SHA512a574405593129fd729d8bf5fdcf6813cb68870cbb1124969def626db06069ccb2e18841c73ca5f34f71d33b4edd9c1982b6282a6f3e66b645e1043eff45f1f73