General
Target: 2024-10-31_3c63dc24eec32fe787898551850df862_ngrbot_poet-rat_snatch
Size: 13.2MB
Sample: 241031-by4dpswfrm
MD5: 3c63dc24eec32fe787898551850df862
SHA1: 523d109a08ef82af19c7f2fa93c01eb5256567cb
SHA256: a9a9468f2d949063acf5e93119bed5f745251a6b728562898272d96b4a71dfce
SHA512: 206e55af53b3225f50b5126beb16d6cb8fb3cdc070c3faa327e8a847c8a31eb7e70a385bbc17d4bd7ef662aadbf84557fe69cf02458ca10df2b4624cd9ed43de
SSDEEP: 98304:fzcipEzJu9K+58iXqB/5YsmZlT2HQs8EWVxSxmwwU1Ld8Rw1mSb:f9kJu9KVHST2HPWVxuoA8y1mS
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-31_3c63dc24eec32fe787898551850df862_ngrbot_poet-rat_snatch.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 2024-10-31_3c63dc24eec32fe787898551850df862_ngrbot_poet-rat_snatch.exe
  Resource: win10v2004-20241007-en
Malware Config
Targets
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)