General

  • Target

    2024-10-03_7d31b20c88ee1938102f889b63f4105b_poet-rat_snatch

  • Size

    9.1MB

  • Sample

    241003-l2v7lszepd

  • MD5

    7d31b20c88ee1938102f889b63f4105b

  • SHA1

    1bbad6d8ee432927a6ae5e300a9d5a70bbe03fad

  • SHA256

    f007f850a708b041bf4b8d6d97c59a004b57232d3642d9292cb349abb183dc5f

  • SHA512

    d854b299772ab46cd677e6814a84711e8c2e447963e61a31cfe188995c7fd84f756ab0fec0b298e314a7f139e790c56bd5418a98737c84978cbc530e4c457789

  • SSDEEP

    98304:GHxMZDJ1TRpxYVX9u2IazANfQhZytTD5iqE:sxEvYjVzANIhwN

Malware Config

Targets

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba payload

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver.

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver.

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks