Analysis Overview
SHA256
4fb369ab0a11c70be0d8861c2483623a1e0f91ca62445985d64b3fe6b37349a1
Threat Level: Known bad
The file 2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch was found to be: Known bad.
Malicious Activity Summary
HackBrowserData
An open source browser data exporter written in golang.
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-23 16:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-23 16:10
Reported
2024-09-23 16:12
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-23 16:10
Reported
2024-09-23 16:12
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
147s
Command Line
Signatures
An open source browser data exporter written in golang.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
HackBrowserData
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\script_cookie_encrypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\rate.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 212 set thread context of 3752 | N/A | C:\Users\Admin\script_cookie_encrypted.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe |
| PID 5112 set thread context of 4076 | N/A | C:\Users\Admin\rate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\script_cookie_encrypted.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_be19817a502d58efb565f61591cd5aab_cobalt-strike_poet-rat_snatch.exe"
C:\Users\Admin\script_cookie_encrypted.exe
C:\Users\Admin\script_cookie_encrypted.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
C:\Users\Admin\rate.exe
C:\Users\Admin\rate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 52.252.190.167:56001 | tcp | |
| US | 8.8.8.8:53 | 167.190.252.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\script_cookie_encrypted.exe
| MD5 | b50c04edf22d51016e00d6f385b41cc7 |
| SHA1 | 22295a90e102a3ffdada9f52230fb9e604bac281 |
| SHA256 | 2a7cae1fd866ff4f11e5c41c428b9b3c1078df3b523706d8a5145c55bd359ba9 |
| SHA512 | a574405593129fd729d8bf5fdcf6813cb68870cbb1124969def626db06069ccb2e18841c73ca5f34f71d33b4edd9c1982b6282a6f3e66b645e1043eff45f1f73 |
memory/3752-4-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3752-6-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3752-8-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3752-9-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3752-10-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3752-7-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3752-33-0x0000000000400000-0x0000000000DED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
memory/3752-36-0x0000000000400000-0x0000000000DED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.5
| MD5 | 9f36605efba98dab15728fe8b5538aa0 |
| SHA1 | 6a7cff514ae159a59b70f27dde52a3a5dd01b1c8 |
| SHA256 | 9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd |
| SHA512 | 1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c |
memory/3752-168-0x0000000000400000-0x0000000000DED000-memory.dmp
C:\Users\Admin\results\chrome_default_extension.csv
| MD5 | 81b496ce1578a88f74dcf1b5a09f98b5 |
| SHA1 | ec5b2723bf4f88d001069fccd5300096c5955d0b |
| SHA256 | 5c99c6eb19efecfdcb5da9e8e547ce78065d0de4e7dcc4b70166d03d0870b7d5 |
| SHA512 | b72794dfb6955f8a2c102d072cd650617d08ca94805c791e4549ec2b326b8b896d872f848f701ebbad46342da6df051a3799af5434092b167a233a23978e580f |
C:\Users\Admin\results\chrome_default_sessionstorage.csv
| MD5 | d07886f7107c50304e1b9cde0793ed04 |
| SHA1 | 41453a6e9db25a06b4ef031c12fdcee8a3818741 |
| SHA256 | 963b596f0385f5be1b8ad2f7e5b4ff474aeb1a1a8d17d20ff67a1cd30ca70344 |
| SHA512 | a917504c89a8ec7b8fc5d89a683fce01ce45a160dbb98861cc2432c221a2f3e7aca15b7325967c171e2de2d7ce26ffa01ecef49c7b896b1a16daa5a3125eb4ca |
C:\Users\Admin\rate.exe
| MD5 | 0c8bc5317e4b23f1e6dd3a2b7af70255 |
| SHA1 | 49dd70a5dfb41a77806f0abb0b9f54d0cd01d652 |
| SHA256 | af847306fa5457d15f4d378e2622f6ff3f92c9a093810f760bf1f3cc91aacb7f |
| SHA512 | e95a567a70df88ac1226fd4973a6103f195c38f1790750047feead51b186434d88ab5a525c77cbe509f6fa8d8c90b77fac9daf2a48d31f85db12ab1b11863878 |
memory/5112-186-0x00007FFF28693000-0x00007FFF28695000-memory.dmp
memory/5112-185-0x0000017A66870000-0x0000017A66878000-memory.dmp
memory/5112-187-0x0000017A69040000-0x0000017A690F0000-memory.dmp
memory/4076-188-0x0000000000400000-0x000000000045C000-memory.dmp
memory/4076-189-0x0000000005010000-0x00000000050CA000-memory.dmp
memory/4076-190-0x0000000005180000-0x00000000051E6000-memory.dmp
memory/4076-191-0x00000000062B0000-0x000000000639A000-memory.dmp