General

  • Target

    2024-10-18_cc3900283ad1f0510359ead309e8debf_poet-rat_snatch

  • Size

    8.3MB

  • Sample

    241018-bz5m6a1gnl

  • MD5

    cc3900283ad1f0510359ead309e8debf

  • SHA1

    3f01dbc84e7e8e72349076989f1494424a9d1eb5

  • SHA256

    d7b9db3f4ed6992d352248122cbc286a32a3555648b33115f6fe8672aa7bc8fe

  • SHA512

    3503ac7a0988f52b20639e59f687bd002fac53c301704407b6f4d655b3212f9e041a040f6ebe41d0b53f9dc69381a93b69be4b9349106a8adde42a2e0b46e434

  • SSDEEP

    49152:MjFPJxCznE3RyDkyDHCHx0B2ZIvTa3DhwNcg+2gRhzY5Eaa9nllkCTmrg9JWZw10:MxWz8H1ZIvIPgEaa9nTF9kl3

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Boot or Logon Autostart Execution: Print Processors

      Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    • Drops startup file

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and other profile information.

    • Drops desktop.ini file(s)

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Modifies termsrv.dll

      termsrv.dll is commonly patched to allow multiple simultaneous RDP sessions.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15