General
-
Target
2024-09-28_f5cf021c76c2b7ad3d683e7d7839dc9f_poet-rat_snatch
-
Size
5.0MB
-
Sample
240928-vz54gaxdrl
-
MD5
f5cf021c76c2b7ad3d683e7d7839dc9f
-
SHA1
58f4b330be8f657a9759e9a88ef57d952a71b654
-
SHA256
f1de63e36ed1999a8c95f09b6af2c1eac37d0edcbb08de5af98d8abd60b82cb3
-
SHA512
33d4b6270cecf93153027ba4202ec9ab064464aa4e9532bb17e3a97be1fed4e997a4a4003761ce5132925ff8e44584472c814ad547d86a781da50ab5ab1d5c28
-
SSDEEP
49152:tgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZH:q4e4uPpVm6gTVGIO7DfE6+eS
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-28_f5cf021c76c2b7ad3d683e7d7839dc9f_poet-rat_snatch.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-28_f5cf021c76c2b7ad3d683e7d7839dc9f_poet-rat_snatch.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Family
meshagent
Version
2
Botnet
TacticalRMM
C2
http://mesh.pivstandart.ru:443/agent.ashx
Attributes
-
mesh_id
0xE6A0EB7B491100BB804B64CF8283276367BD72249E44AE0A25268C87A85263196C658FECAE53830097A4B3ED4BBAED4D
-
server_id
F98163BFE1DA56903B3FBD7DEAB19FE5E52B82260F71E5B2821181C8052F42B8DABF19E3D1452693B2F7FDFF1A3EEBB3
-
wss
wss://mesh.pivstandart.ru:443/agent.ashx
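The fields above are the MeshAgent settings (.msh) the agent carries. As an added example, not code from this report, the sandbox, or the MeshAgent/MeshCentral projects, the Python below carves a run of KEY=VALUE settings lines out of a binary blob with a plain string heuristic (it does not implement the agent's own embedded-settings trailer), parses it, maps the keys onto the field names the report uses (mesh_id, server_id, wss) and checks that the two identifiers have the 48-byte length of a SHA-384 digest, which is what MeshCentral uses for device-group and server identifiers. The settings text and the surrounding blob are constructed for this example from the values shown above; the key names MeshName, MeshType, MeshID, ServerID and MeshServer follow the .msh format, and the MeshType meanings are MeshCentral's device-group types.

```python
"""
Added example (not code from the sandbox report or from the MeshAgent /
MeshCentral projects): carve a MeshAgent .msh settings run out of a binary
blob, parse it, map it onto the report's fields and sanity-check the result.
"""
import re
from urllib.parse import urlsplit

# Constructed .msh text built from the report's extracted values. Key order
# and CRLF line endings are assumptions made for this example.
SAMPLE_MSH = (
    "MeshName=TacticalRMM\r\n"
    "MeshType=2\r\n"
    "MeshID=0xE6A0EB7B491100BB804B64CF8283276367BD72249E44AE0A25268C87A85263196C658FECAE53830097A4B3ED4BBAED4D\r\n"
    "ServerID=F98163BFE1DA56903B3FBD7DEAB19FE5E52B82260F71E5B2821181C8052F42B8DABF19E3D1452693B2F7FDFF1A3EEBB3\r\n"
    "MeshServer=wss://mesh.pivstandart.ru:443/agent.ashx\r\n"
)

# Constructed stand-in for an agent binary: junk bytes and an unrelated
# KEY=VALUE string around the settings block.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32 + b"ver=1\n" + b"\xff" * 8
    + SAMPLE_MSH.encode("ascii") + b"\x00" * 16
)

# A run of printable KEY=VALUE lines; CR/LF tolerant, the last line may lack
# a newline. This is a carving heuristic, not the agent's settings format.
MSH_BLOCK_RE = re.compile(
    rb"(?:[A-Za-z][A-Za-z0-9_]*=[\x20-\x7e]*\r?\n)*[A-Za-z][A-Za-z0-9_]*=[\x20-\x7e]*"
)

# MeshCentral device-group types as carried in MeshType.
MESH_TYPES = {"1": "Intel AMT only", "2": "agent-managed", "3": "local devices"}

SHA384_HEX_LEN = 96  # mesh and server identifiers are SHA-384 digests (48 bytes)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def carve_msh(blob):
    """Return the first KEY=VALUE run containing both MeshServer= and MeshID=,
    decoded as text, or None when nothing that looks like settings is found."""
    for m in MSH_BLOCK_RE.finditer(blob):
        block = m.group(0)
        if b"MeshServer=" in block and b"MeshID=" in block:
            return block.decode("ascii")
    return None


def parse_msh(text):
    """Parse KEY=VALUE lines into a dict; lines without '=' are skipped and a
    repeated key keeps its last value."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings


def normalize(settings):
    """Map .msh keys onto the report's field names, split the server URL into
    host/port/path and record anything that does not look like real settings."""
    mesh_id = settings.get("MeshID", "")
    server_id = settings.get("ServerID", "")
    wss = settings.get("MeshServer", "")
    u = urlsplit(wss)
    problems = []

    hex_id = mesh_id[2:] if mesh_id.lower().startswith("0x") else mesh_id
    if len(hex_id) != SHA384_HEX_LEN or not HEX_RE.fullmatch(hex_id):
        problems.append("mesh_id is not a 48-byte hex digest")
    if len(server_id) != SHA384_HEX_LEN or not HEX_RE.fullmatch(server_id):
        problems.append("server_id is not a 48-byte hex digest")
    if u.scheme not in ("ws", "wss") or not u.hostname:
        problems.append("MeshServer is not a ws/wss URL")

    return {
        "mesh_name": settings.get("MeshName", ""),
        "mesh_type": MESH_TYPES.get(settings.get("MeshType", ""), "unknown"),
        "mesh_id": mesh_id,
        "server_id": server_id,
        "wss": wss,
        "c2_host": u.hostname or "",
        "c2_port": u.port or (443 if u.scheme == "wss" else 80),
        "c2_path": u.path,
        "tls": u.scheme == "wss",
        "problems": problems,
    }


def extract_config(blob):
    """Carve, parse and normalize in one step; None when no settings are found."""
    text = carve_msh(blob)
    return None if text is None else normalize(parse_msh(text))


if __name__ == "__main__":
    for key, value in extract_config(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run over a dumped agent this yields the same mesh_id/server_id/wss triple the report lists, plus host, port and path split out so the C2 can be fed to network blocklists without rewriting the URL scheme. A non-empty problems list means the carve hit a KEY=VALUE string that is not a real settings block. The server_id is the hash that pins the agent to one MeshCentral server, and the mesh_id names the device group it enrolls into; together they identify which operator-controlled server a harvested agent belongs to, even across different binaries.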
Targets
-
Target
2024-09-28_f5cf021c76c2b7ad3d683e7d7839dc9f_poet-rat_snatch
-
Detects MeshAgent payload
-
Blocklisted process makes network request
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Impair Defenses (1)
  Modify Registry (2)
  Subvert Trust Controls (1)
    Install Root Certificate (1)